1.2 Understanding Federated Single Sign-On with SAML 2.0

Federated single sign-on relies on a trust relationship between an identity provider and a service provider to give users access to web services or applications. Access Manager Appliance uses SAML 2.0 (Security Assertion Markup Language) to create federated connections to web services and applications. The web services and applications are service providers and Access Manager Appliance is the identity provider.

SAML 2.0 is an open standard for federation that provides a vendor-neutral means of exchanging user identity, authentication, attribute information, and authorization information. SAML 2.0 defines the structure and content of assertions and protocol messages used to transfer this information between Access Manager Appliance and the web services or applications (service providers). For more information about SAML 2.0, see Section 1.3, Understanding SAML 2.0.

Using a SAML 2.0 connection, the service provider (web services and applications) trusts the identity provider (Access Manager Appliance) to validate the user’s authentication credentials and to send identity information about the authenticated user. The service provider accepts the data and uses it to give the user access to the web service or application. This data exchange is transparent for the user. It allows the user to access the web service or application without providing additional credentials.

For example, Figure 1-2 shows how SAML single sign-on authentication works with Access Manager Appliance.

Figure 1-2 Access Manager Appliance Single Sign-On with SAML 2.0

  1. The user Steve Smith authenticates to the corporate identity server (Access Manager Appliance) with his corporate user name and password.

  2. Access Manager Appliance authenticates Steve against the user name steve s. and associated password in the user store.

  3. Access Manager Appliance presents the User Portal page to Steve with an appmark to the 401k application that he is entitled to use.

  4. When Steve clicks the 401k appmark on the User Portal page, Access Manager Appliance produces an authentication assertion or token for the 401k application (service provider) that contains the identity attributes needed for authentication.

  5. The 401k application (service provider) consumes the assertion or token to establish a security context for the user with Access Manager Appliance (identity provider).

  6. The 401k application uses the assertion or token to validate that steve s. is ssmith_01 and authorizes the authentication (resource request).

  7. The 401k application (service provider) establishes a session with Steve.

    Through this process, Steve entered his user name and password once for the corporate identity server.

In the past, Access Manager Appliance allowed you to configure federated authentication using SAML 2.0 to internal and external identity providers, service providers, and embedded service providers (ESPs). Access Manager Appliance now provides a simpler means of creating the SAML 2.0 federation for single sign-on by providing connectors for specific applications. When you use the connectors, Access Manager Appliance automatically creates an appmark for the web service or application and places the appmark on the User Portal page for users to access. You can limit access to the SAML 2.0 web service or application by using role assignments configured on the Applications page. You can limit visibility of the SAML 2.0 appmarks on the User Portal page by using role assignments configured on the appmarks.

Access Manager Appliance allows you to convert the existing SAML 2.0 service providers to applications that you can manage from the Applications page. The main benefit of migration is to add the ability to configure access control to the application using roles. For more information, see Section 4.3, Converting SAML 2.0 Service Providers in the Applications Page.

Access Manager Appliance provides a set of connectors for SAML 2.0 applications that you can import through the Applications Connector Catalog or from a file that you saved from the Applications Connector Catalog. You must import and configure the connector for the appropriate applications in your environment. Use the appropriate connector-specific chapters to configure the SAML 2.0 connector. For more information, see: