Integrate SAML applications

Identity as a Service can act as an Identity Provider (IdP) to perform SAML-based single sign-on (SSO) to third-party applications. Identity as a Service includes pre-configured integrations for a number of cloud applications so that you can protect them with two-factor authentication. If you want to protect a cloud service that is not pre-configured with Identity as a Service, you can add it as a generic SAML service provider application.

You must have an Identity as a Service administrator role with View-level User Attribute Management privileges to add SAML applications to Identity as a Service. See Create, assign, and manage roles for more information on Identity as a Service roles.

Passkey login is available for SAML applications. For more information, see Manage Passkey/FIDO2 authenticators.

Note: See the Technical Integration Guides for instructions to integrate available SAML applications.

Configure SAML assertion to include user authenticators or groups

When you add a SAML application to Identity as a Service, you can include an Identity as a Service user's authenticators (those used during the authentication session) and groups as part of the SAML assertion sent to the application. For example, if a user has authenticated with OTP and a Grid Card and belongs to Group1, Group2, and Group3, the SAML assertion can be configured to include those attributes as shown in the following example:

<AttributeStatement>
  . . .
  <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <AttributeValue>Group1</AttributeValue>
    <AttributeValue>Group2</AttributeValue>
    <AttributeValue>Group3</AttributeValue>
  </Attribute>
  <Attribute Name="Authenticators">
    <AttributeValue>NONE:OTP</AttributeValue>
    <AttributeValue>NONE:GRID</AttributeValue>
  </Attribute>
</AttributeStatement>

Identity as a Service supports customizing these SAML application assertions to include User Related Attributes wherever an attribute is defined. These attributes are not stored directly in the user's record; they are associated with the user through other entities (such as groups) or through session information (such as the authenticators used).

Supported XML request attributes and elements

In addition to the standard SAML XML request attributes and elements, the Identity as a Service SAML IdP supports the following:

       NameID

The IdP also supports a configured request parameter that can carry a login hint instead of using NameID.

The following SAML XML request attributes and elements are not supported:

       AllowCreate

       ForceAuthn

       IsPassive

       RequestedAuthnContext

The following feature is not supported:

       Authentication request signature verification
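The unsupported ForceAuthn and RequestedAuthnContext elements above mean that a service provider cannot ask the IdP to require a second factor for a given resource; a service provider that needs one must instead read the Authenticators attribute the IdP places in the assertion (see the sample AttributeStatement earlier on this page) and enforce the policy itself. The following Python is an added example of that service-provider-side check; it is not Identity as a Service product code or code from this guide. The attribute names and the "prefix:METHOD" value format (for example NONE:OTP) come from the page's sample; the local-name matching, the function names and the constructed sample assertions (including a password-only one with no Authenticators attribute) are assumptions for illustration. The example assumes the assertion's signature and Conditions have already been validated by a SAML library before these attributes are inspected.

```python
"""Added example (not Identity as a Service code): read Group and Authenticators
attributes from a verified SAML AttributeStatement and apply an SP-side policy.

Assumptions (not stated on the page): attribute values are matched by local
element name so that both prefixed and unprefixed assertions parse; an
authenticator value like "NONE:OTP" yields the method after the last colon;
signature and Conditions checks happened earlier in a real SAML library.
"""
import xml.etree.ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"          # name from the page
AUTHENTICATORS_ATTR = "Authenticators"                           # name from the page

# Constructed sample: same content as the page's example, with a SAML 2.0 prefix.
SAMPLE_MFA_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML2_ASSERTION_NS}">
  <saml:Attribute Name="{GROUP_ATTR}">
    <saml:AttributeValue>Group1</saml:AttributeValue>
    <saml:AttributeValue>Group2</saml:AttributeValue>
    <saml:AttributeValue>Group3</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{AUTHENTICATORS_ATTR}">
    <saml:AttributeValue>NONE:OTP</saml:AttributeValue>
    <saml:AttributeValue>NONE:GRID</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed sample: unprefixed like the page, and carrying no Authenticators
# attribute at all (a password-only session is the failure mode to catch).
SAMPLE_PASSWORD_ONLY_STATEMENT = f"""<AttributeStatement>
  <Attribute Name="{GROUP_ATTR}">
    <AttributeValue>Group1</AttributeValue>
  </Attribute>
</AttributeStatement>"""


def _local(tag: str) -> str:
    """Return the local part of a possibly namespace-qualified element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_attributes(xml_text: str) -> dict[str, list[str]]:
    """Map each Attribute Name to the list of its AttributeValue texts."""
    root = ET.fromstring(xml_text)
    attrs: dict[str, list[str]] = {}
    for element in root.iter():
        if _local(element.tag) != "Attribute":
            continue
        name = element.get("Name")
        if name is None:
            continue
        values = [(child.text or "").strip()
                  for child in element if _local(child.tag) == "AttributeValue"]
        attrs.setdefault(name, []).extend(v for v in values if v)
    return attrs


def groups(attrs: dict[str, list[str]]) -> list[str]:
    """Group memberships asserted by the IdP, in assertion order."""
    return list(attrs.get(GROUP_ATTR, []))


def authenticator_methods(attrs: dict[str, list[str]]) -> set[str]:
    """Authentication methods used in the session: 'NONE:OTP' -> 'OTP'."""
    return {v.rsplit(":", 1)[-1].upper() for v in attrs.get(AUTHENTICATORS_ATTR, [])}


def check_access(attrs: dict[str, list[str]],
                 required_methods: set[str],
                 allowed_groups: set[str]) -> tuple[bool, str]:
    """Grant only if every required second factor was used and the user is in
    at least one allowed group. Returns (decision, reason) for audit logging."""
    missing = set(required_methods) - authenticator_methods(attrs)
    if missing:
        return False, f"second factor missing: {sorted(missing)}"
    if allowed_groups and not set(groups(attrs)) & set(allowed_groups):
        return False, "user is not a member of any authorized group"
    return True, "ok"


if __name__ == "__main__":
    for label, statement in (("mfa", SAMPLE_MFA_STATEMENT),
                             ("password-only", SAMPLE_PASSWORD_ONLY_STATEMENT)):
        parsed = parse_attributes(statement)
        print(label, check_access(parsed, {"OTP"}, {"Group2"}))
```

The decision function returns a reason string rather than only a boolean so that the service provider can log why a session was rejected; a sudden rise in "second factor missing" rejections for a group that should always use OTP is a useful detection signal for misconfigured SAML application settings on the IdP side.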

Topics in this section:

       Integrate a generic SAML application

       Create and manage SAML signing certificates

       Download or copy SAML metadata