Using SAML for single sign-on

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication data between a service provider (such as Replicon) and an identity provider.

SAML allows users to employ web browser single sign-on (SSO) when logging in to applications. Using SSO has several advantages, including the following:

  • End users don’t need to remember a unique Replicon password, and don’t need to enter credentials when accessing Replicon
  • Managing passwords is faster and easier

For information on setting up SSO based on an OpenID Connect provider, refer to Setting up single sign-on.

For information on assigning SAML authentication settings to users, refer to Setting up users for single sign-on.

How does SAML authentication work?

To use SAML, an organization enrolls with an identity provider and then enables SAML within the service they wish to use. Once SAML is enabled, the following exchanges occur when the user tries to access the service:

Is SAML authentication secure?

If you use SAML, all user authentication is carried out through your identity provider. When the user reaches the identity provider’s website, they are either prompted to enter their NT/AD credentials, or their browser forwards the credentials they already used to sign in to their network. The identity provider then authenticates those credentials.

The identity provider then forwards the user name to the service provider (e.g. Replicon), along with an assertion token that proves the identity provider has verified the user’s credentials. Only the user name is forwarded; Replicon never has access to the user’s login credentials.
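As an added example (not Replicon’s code), these are the checks a service provider performs on an incoming SAML 2.0 assertion before it trusts the user name inside it; the issuer, audience, user and timestamps are constructed values, and cryptographic verification of the XML signature, which needs an XML-DSig library, is left out:

```python
# Added example (not Replicon's code): the checks a service provider applies to an
# incoming SAML 2.0 assertion before trusting the user name in it. Cryptographic
# verification of the XML signature needs an XML-DSig library and is omitted.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"           # legacy
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"  # preferred
# Constructed sample assertion; issuer, audience and user are made-up values.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0" ID="_a1"
  IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod
    Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:58:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion>"""

def parse_ts(s):  # SAML timestamps are UTC; whole seconds assumed (no fraction)
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml, trusted_issuer, my_audience, now):
    """Return (ok, problems, name_id); ok is True only when problems is empty."""
    a, problems = ET.fromstring(xml), []
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer: problems.append("untrusted issuer %r" % issuer)
    sig = a.find("ds:Signature", NS)  # an unsigned assertion proves nothing
    if sig is None: problems.append("assertion is not signed")
    else:  # pin the algorithm: reject SHA-1 and anything unexpected
        alg = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")
        if alg == RSA_SHA1:
            problems.append("SHA-1 signature; ask the IdP to move to SHA-256")
        elif alg != RSA_SHA256:
            problems.append("unexpected signature algorithm %r" % alg)
    cond = a.find("saml:Conditions", NS)  # validity window and audience
    if cond is None: problems.append("missing Conditions")
    else:
        if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
            problems.append("assertion outside its validity window")
        auds = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if my_audience not in auds:
            problems.append("audience %r is not this service provider" % auds)
    name = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name is None: problems.append("missing NameID")
    return not problems, problems, name
```

Plain ElementTree is used here for brevity; in production, parse untrusted XML with a hardened parser such as defusedxml, and verify the signature against the identity provider’s SAML key before applying these checks.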

How do I use SAML authentication with Replicon?

To use SAML authentication with Replicon, you must first be enrolled with an identity provider who will supply you with the following:

  • a SAML key - the key Replicon uses to confirm that an assertion really came from your identity provider, so it can trust the identity provider’s verification of the user
  • a transfer URL - the identity provider address Replicon redirects the user to when they attempt to access Replicon

Replicon supports SAML 1.1 and 2.0. Which version of SAML you use depends on the identity provider you employ. If you plan to use SAML 1.1, Replicon hosts an identity provider you can use.

For details on enabling SAML in Replicon, contact Replicon Support, or refer to the following topics:

FAQs

What secure hash algorithm (SHA) signatures does Replicon support for use with SAML?

Replicon supports both SHA-1 and SHA-256. If you're currently using SHA-1 and want to migrate to SHA-256, contact Replicon Support.