SAML SSO options

Web applications that support SAML can use the Privileged Access Service to securely authenticate users. The Service Provider (SP) is the web application that users request to log in to via the Privileged Access Service (also called the Identity Provider, IdP).

A signing certificate (X.509), establishes a trust relationship between the SP and the IdP. The IdP uses the X.509 certificate to sign the XML and the SP checks the signature that it receives with a certificate it has on file. With that trust relationship in place, the SP consumes the assertion passed to it from the IdP and allows users to authenticate without requiring additional credentials.

Web applications that support SAML authentication offer the following authentication methods:

  • IdP-initiated only

    IdP sends SAML Response to the SP.

  • SP-initiated only

    The SP sends the SAML Request to the IdP; IdP sends SAML Response to the SP.

  • IdP-initiated and SP-initiated

Note:   The response is sent to the Assertion Consumer Service (ACS) URL configured during application setup.

In most cases, if you use IdP-initiated SSO, your users can still access the application directly using their user name and password. If you use SP-initiated SSO, your users are redirected to log in directly to the web application. Some applications prevent user name and password logins.

The following diagram illustrates the main differences between IdP-initiated and SP-initiated SSO.

IdP-initiated SSO

SP-initiated SSO

  1. User logs on to the Admin Portal (IdP); IdP authenticates the user.
  2. IdP generates a security token and redirects the user to the web application (SP site).
  3. SP grants access to the user.
  4. User is logged on to the web application.
  1. User accesses the web application (SP site).
  2. SP redirects the user to the IdP.
  3. IdP authenticates the user, generates a security token and redirects back to the web application (SP site).
  4. SP grants access to the user.
  5. User is logged on to the web application.