Integrate SAML applications
Identity as a Service can act as an Identity Provider (IDP) to perform SAML-based single sign-on (SSO) to third-party applications. Identity as a Service includes a number of cloud applications that you can integrate with Identity as a Service for two-factor authentication. If you want to protect a cloud service that is not pre-configured with Identity as a Service, you can add it as a generic SAML service provider application.
You must have an Identity as a Service administrator role with View-level User Attribute Management privileges to add SAML applications to Identity as a Service. See Create, assign, and manage roles for more information on Identity as a Service roles.
Passkey login is available for SAML applications. For more information, see Manage Passkey/FIDO2 authenticators.
See the Technical Integration Guides for instructions to integrate available SAML applications.
Configure SAML assertion to include user authenticators or groups
When you add a SAML application to Identity as a Service, you can include an Identity as a Service user's authenticators (those used during an authentication session) and groups as part of the SAML assertion to an application. For example, if a user has authenticated with OTP and a Grid Card and belongs to Group1, Group2, and Group3, then the SAML Assertion can be configured to include those attributes as shown in the following example:
<AttributeStatement>
    <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <AttributeValue>Group1</AttributeValue>
        <AttributeValue>Group2</AttributeValue>
        <AttributeValue>Group3</AttributeValue>
    </Attribute>
    <Attribute Name="Authenticators">
        <AttributeValue>NONE:OTP</AttributeValue>
        <AttributeValue>NONE:GRID</AttributeValue>
    </Attribute>
</AttributeStatement>
Identity as a Service supports customizing these SAML application assertions to include User Related Attributes wherever an attribute is defined. These attributes are not tied directly with the user's record but are associated with the user through other entities or session information.
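The following is an added example (not Identity as a Service product code) showing how a service provider can read the Group and Authenticators attributes from an assertion like the one above and apply an access rule to them. It assumes the attribute values arrive in the SAML 2.0 assertion namespace and that the authenticator type is the part of each value after the last colon (the meaning of the NONE: prefix is not described on this page); the sample assertion is constructed from the page's example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, Iterable, List

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample: the page's AttributeStatement wrapped in an Assertion
# element (assumption: the SAML 2.0 assertion namespace applies).
SAMPLE_ASSERTION = f"""<Assertion xmlns="{SAML_NS}">
  <AttributeStatement>
    <Attribute Name="{GROUP_ATTR}">
      <AttributeValue>Group1</AttributeValue>
      <AttributeValue>Group2</AttributeValue>
      <AttributeValue>Group3</AttributeValue>
    </Attribute>
    <Attribute Name="Authenticators">
      <AttributeValue>NONE:OTP</AttributeValue>
      <AttributeValue>NONE:GRID</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""


def parse_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Map each Attribute Name to the list of its AttributeValue texts.

    In a real service provider the response signature (see the signing
    certificate section) must be verified before any attribute is trusted;
    this helper only does the attribute extraction step.
    """
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = defaultdict(list)
    for attribute in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attribute.get("Name", "")
        for value in attribute.findall(f"{{{SAML_NS}}}AttributeValue"):
            attrs[name].append((value.text or "").strip())
    return dict(attrs)


def authenticator_types(attrs: Dict[str, List[str]]) -> set:
    """'NONE:OTP' -> 'OTP' (assumption: type follows the last colon)."""
    return {v.rsplit(":", 1)[-1] for v in attrs.get("Authenticators", [])}


def authorize(attrs: Dict[str, List[str]], required_group: str,
              accepted_authenticators: Iterable[str]) -> bool:
    """Grant access only if the user is in the group and used an accepted authenticator."""
    in_group = required_group in set(attrs.get(GROUP_ATTR, []))
    used_accepted = bool(authenticator_types(attrs) & set(accepted_authenticators))
    return in_group and used_accepted
```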
Supported XML requests attributes and elements
In addition to the standard SAML XML request attributes and elements, the Identity as a Service SAML implementation supports the following one:
- NameID
Identity as a Service also supports a configured request parameter that can carry a login hint instead of NameID.
Identity as a Service does not support the following SAML XML request attributes/elements:
- AllowCreate
- ForceAuthn
- IsPassive
- RequestedAuthnContext
Identity as a Service does not support the following feature:
- Authentication request signature verification
Topics in this section
Integrate a generic SAML application
Identity as a Service includes a number of cloud applications that you can integrate with Identity as a Service for two-factor authentication. If you want to protect a cloud service that is not pre-configured with Identity as a Service, you can integrate it as a generic SAML service provider application.
Create SAML signing certificates
SAML signing certificates contain a key pair that you associate with a SAML application. The private key signs the SAML responses that Identity as a Service returns to a SAML service provider for SAML authentication. You can export the signing certificate and import it into the SAML service provider to validate the signature that the SAML assertion returns.
Download SAML metadata
If your SAML service provider supports updating SAML configuration using metadata, you can download the metadata from Identity as a Service. The download contains the signing certificate and other information you need to configure your service provider for Identity as a Service authentication.