Using SAML for single sign-on
Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication data between a service provider (such as Polaris) and an identity provider.
SAML allows users to employ web browser single sign-on (SSO) when logging in to applications. Using SSO has several advantages, including the following:
- End users don’t need to remember a unique Polaris password, and don’t need to enter credentials when accessing Polaris
- Managing passwords is faster and easier
For information on setting up SSO based on an OpenID Connect provider, refer to Setting up single sign-on.
For information on assigning SAML authentication settings to users, refer to Setting up users for single sign-on.
How does SAML authentication work?
To use SAML, an organization enrolls with an identity provider and then enables SAML within the service they wish to use. Once SAML is enabled, the following exchanges occur when the user tries to access the service:
Is SAML authentication secure?
If you use SAML, all user authentication is carried out through your identity provider. When the user accesses the identity provider’s website, they’re either prompted to enter their NT/AD credentials, or their browser forwards the credentials they used to log on to their network. The identity provider then authenticates the user’s login credentials.
The identity provider then forwards the user name to the service provider (e.g. Polaris), along with the assertion token that proves their credentials are valid. Only the user name is forwarded; Polaris never has access to the user’s login credentials.
How do I use SAML authentication with Polaris?
To use SAML authentication with Polaris, you must first be enrolled with an identity provider who will supply you with the following:
- a SAML key, which establishes that Polaris can trust the identity provider’s verification of the user
- a transfer URL, which redirects the user to the identity provider’s site when they attempt to access Polaris
Polaris supports SAML 1.1 and 2.0. Which version of SAML you use depends on the identity provider you employ. If you plan to use SAML 1.1, Replicon hosts an identity provider you can use.
For details on enabling SAML in Polaris, contact Replicon Support, or refer to the following topics:
What Secure Hash Algorithm (SHA) signatures does Polaris support for use with SAML?
Polaris supports both SHA-1 and SHA-256. If you're currently using SHA-1 and want to migrate to SHA-256, contact Replicon Support.
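The checks a service provider makes on an incoming assertion, as described above (trusting only the identity provider's SAML key, receiving only the user name, and distinguishing SHA-1 from SHA-256 signatures), as an added Python example that is not Replicon's or Polaris's own code. It assumes a SAML 2.0 assertion, a pinned SHA-256 fingerprint of the identity provider's signing certificate, and a constructed placeholder certificate and assertion; cryptographic verification of the XML signature value is left to a SAML library and is not performed here.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def _ts(s):  # SAML timestamps are UTC ISO 8601, e.g. 2024-05-01T12:00:00Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def check_assertion(xml_text, pinned_cert_sha256, audience, now, allow_sha1=False):
    """Policy checks a service provider runs on a SAML 2.0 assertion before trusting it.
    The XML-DSig SignatureValue itself must still be verified by a SAML library; this
    decides which algorithm and key are acceptable. Returns (accepted, reason, user_name)."""
    root = ET.fromstring(xml_text)
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return False, "assertion is unsigned", None
    alg = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")
    if alg == RSA_SHA1 and not allow_sha1:
        return False, "SHA-1 signature rejected; move the identity provider to SHA-256", None
    if alg not in (RSA_SHA1, RSA_SHA256):
        return False, "unsupported signature algorithm: " + alg, None
    # The identity provider's "SAML key": accept only a signature by the pinned
    # certificate, not by whatever certificate happens to be embedded in the XML.
    cert_der = base64.b64decode("".join(sig.find(".//ds:X509Certificate", NS).text.split()))
    if hashlib.sha256(cert_der).hexdigest() != pinned_cert_sha256:
        return False, "signing certificate is not the pinned identity-provider key", None
    cond = root.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window", None
    aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != audience:
        return False, "assertion not addressed to this service provider", None
    # Only the user name reaches the service provider; the password never does.
    return True, "ok", root.find("saml:Subject/saml:NameID", NS).text

# Constructed sample input: a placeholder "certificate" and a minimal assertion
# whose SignatureValue is a dummy (this code does not verify it, see docstring).
CERT_DER = b"constructed placeholder, not a real X.509 DER certificate"
PINNED_SHA256 = hashlib.sha256(CERT_DER).hexdigest()  # fingerprint of the pinned SAML key
NOW = datetime(2024, 5, 1, 12, 2, tzinfo=timezone.utc)  # constructed "current time"

def sample_assertion(alg, audience="https://polaris.example.test/sp"):
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" Version="2.0"><ds:Signature>'
            f'<ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo><ds:SignatureValue>AAAA'
            f'</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(CERT_DER).decode()}'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID>jdoe@example.test'
            '</saml:NameID></saml:Subject><saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            '</saml:Conditions></saml:Assertion>')
```

Run with `check_assertion(sample_assertion(RSA_SHA256), PINNED_SHA256, "https://polaris.example.test/sp", NOW)` to see the accepted case; swapping in `RSA_SHA1`, a different audience, or a time outside the window shows each rejection reason.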