
Overview

A SAML identity provider is a system entity that issues authentication assertions in conjunction with a single sign-on (SSO) profile of the Security Assertion Markup Language (SAML). 

In the SAML domain model, a SAML authority is any system entity that issues SAML assertions. Two important examples of SAML authorities are the authentication authority and the attribute authority.

A SAML authentication authority is a system entity that produces SAML authentication assertions. Likewise, a SAML attribute authority is a system entity that produces SAML attribute assertions. 

An Accops SAML authentication authority that participates in one or more SSO profiles of SAML is called an Accops SAML identity provider (or simply an identity provider if the domain is understood). An Accops SAML authentication authority that participates in SAML Web Browser SSO is an identity provider that performs the following tasks:

  1. Receives a SAML authentication request from a relying party via a web browser
  2. Authenticates the browser user (the principal)
  3. Responds to the relying party with a SAML authentication assertion for the principal

In this exchange, the relying party that receives and accepts the authentication assertion is a SAML service provider.

A given SAML identity provider is described by an IDPSSODescriptor element defined by the SAML metadata schema. Likewise, a SAML service provider is described by an SPSSODescriptor metadata element.

In addition to an authentication assertion, a SAML identity provider may also include an attribute assertion in the response. In that case, the identity provider functions as both an authentication authority and an attribute authority. 

Terminology

Service Provider (SP) - The end application that provides the service to the end user and relies on the IDP for authentication.

IDP - When Accops is configured as a SAML IDP, Accops authenticates the user on behalf of any SAML-based application and sends a SAML response to the SP (Service Provider).

Authentication Server - When Accops acts as a SAML IDP, it verifies user credentials against Active Directory or the Accops Native User Directory.

Accops SAML as an IDP Architecture diagram

In the architecture diagram (not reproduced here), Palo Alto GlobalProtect is the Service Provider, and it authenticates users via Accops HyID acting as the SAML Identity Provider.

Users can log in through either of the following flows:

  1. SP-initiated login flow - The user starts at the SP login page (here Palo Alto GlobalProtect) and is redirected to the IDP (Accops HyID). On the Accops IDP login page the user is prompted for a username and password. After successful authentication, Accops can also require additional MFA if an HyID MFA policy is configured for the user, and then returns the SAML response to the SP.

  2. IDP-initiated login flow - The user starts at the Accops IDP login page, is prompted for a username and password and, after successful authentication, for additional MFA if an HyID MFA policy is configured for the user. All applications assigned to the user are then shown; when the user clicks a specific application (here Palo Alto GlobalProtect as the SP), the IDP redirects the browser to that SP with a SAML response.
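As an added example (not Accops code or configuration, and not from the original page), the following stdlib-only Python sketch walks through the Web Browser SSO exchange behind the three-step list in the Overview and the two login flows above: the SP builds an AuthnRequest (SP-initiated flow), the IDP decodes it, authenticates the user (assumed already done by the caller) and issues a Response whose Assertion carries both an AuthnStatement and an AttributeStatement, so it acts as authentication and attribute authority at once, and the SP checks the result before trusting it. The IDP-initiated flow is the same Response without an InResponseTo. Entity IDs, endpoint URLs, the user name and the attributes are placeholders. XML signatures are omitted, so this illustrates message structure and relying-party checks, not an IDP to deploy.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for p, u in NS.items():
    ET.register_namespace(p, u)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed entity IDs and endpoints: placeholders, not taken from the page.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/saml/metadata"
IDP_SSO_URL = "https://idp.example.com/saml/sso"

def now():
    return datetime.now(timezone.utc)

def ts(dt):  # SAML dateTime in UTC
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def el(parent, ns, name, text=None, **attrs):
    """Create a namespaced child element ({uri}local is ElementTree's tag syntax)."""
    e = ET.SubElement(parent, f"{{{NS[ns]}}}{name}", attrs)
    if text is not None:
        e.text = text
    return e

def build_authn_request():
    """SP side, SP-initiated flow: AuthnRequest for the HTTP-Redirect binding
    (raw DEFLATE, then base64). The SP keeps the ID to match the response."""
    req_id = "_" + secrets.token_hex(16)
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0", "IssueInstant": ts(now()),
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": SP_ACS_URL})
    el(root, "saml", "Issuer", SP_ENTITY_ID)
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    return req_id, base64.b64encode(comp.compress(ET.tostring(root)) + comp.flush()).decode()

def idp_build_response(user, attributes, in_response_to=None):
    """IDP side: after the user is authenticated, issue a Response whose Assertion
    carries an AuthnStatement and an AttributeStatement. The IDP-initiated flow
    passes no in_response_to, so the Response carries no InResponseTo."""
    t = now()
    resp = ET.Element(f"{{{NS['samlp']}}}Response", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0",
        "IssueInstant": ts(t), "Destination": SP_ACS_URL})
    if in_response_to:
        resp.set("InResponseTo", in_response_to)
    el(resp, "saml", "Issuer", IDP_ENTITY_ID)
    el(el(resp, "samlp", "Status"), "samlp", "StatusCode", Value=SUCCESS)
    a = el(resp, "saml", "Assertion", ID="_" + secrets.token_hex(16),
           Version="2.0", IssueInstant=ts(t))
    el(a, "saml", "Issuer", IDP_ENTITY_ID)
    el(el(a, "saml", "Subject"), "saml", "NameID", user,
       Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    cond = el(a, "saml", "Conditions", NotBefore=ts(t - timedelta(minutes=1)),
              NotOnOrAfter=ts(t + timedelta(minutes=5)))
    el(el(cond, "saml", "AudienceRestriction"), "saml", "Audience", SP_ENTITY_ID)
    authn = el(a, "saml", "AuthnStatement", AuthnInstant=ts(t))
    el(el(authn, "saml", "AuthnContext"), "saml", "AuthnContextClassRef",
       "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
    attrs = el(a, "saml", "AttributeStatement")
    for name, value in attributes.items():
        el(el(attrs, "saml", "Attribute", Name=name), "saml", "AttributeValue", value)
    # A real IDP signs the Assertion (XML-DSig) here; omitted to stay stdlib-only.
    return base64.b64encode(ET.tostring(resp)).decode()  # HTTP-POST binding form

def idp_handle_request(saml_request_param, user, attributes):
    """IDP side, SP-initiated flow: decode the request and check the relying
    party before issuing an assertion bound to that request's ID."""
    req = ET.fromstring(zlib.decompress(base64.b64decode(saml_request_param), -15))
    if req.find("saml:Issuer", NS).text != SP_ENTITY_ID:
        raise ValueError("unknown relying party")
    if req.get("AssertionConsumerServiceURL") != SP_ACS_URL:
        raise ValueError("ACS URL is not the one registered for this SP")
    return idp_build_response(user, attributes, in_response_to=req.get("ID"))

def sp_consume_response(saml_response_param, outstanding_ids, allow_idp_initiated=False):
    """SP side: checks the ACS must make before trusting the assertion. Signature
    verification is omitted here and must come before everything else."""
    resp = ET.fromstring(base64.b64decode(saml_response_param))
    if resp.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination mismatch")
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IDP reported failure")
    a = resp.find("saml:Assertion", NS)
    if a.find("saml:Issuer", NS).text != IDP_ENTITY_ID:
        raise ValueError("unexpected issuer")
    in_resp = resp.get("InResponseTo")
    if in_resp is None:
        if not allow_idp_initiated:  # unsolicited response: accept only by policy
            raise ValueError("unsolicited response not allowed")
    elif in_resp not in outstanding_ids:
        raise ValueError("InResponseTo matches no outstanding request")
    else:
        outstanding_ids.discard(in_resp)  # one-time use blocks replay
    cond = a.find("saml:Conditions", NS)
    parse = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if not (parse(cond.get("NotBefore")) <= now() < parse(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion is for a different audience")
    attrs = {e.get("Name"): e.find("saml:AttributeValue", NS).text
             for e in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return a.find("saml:Subject/saml:NameID", NS).text, attrs
```

The SP-side checks are the ones that matter operationally: an SP that skips the InResponseTo match accepts any assertion the IDP ever issued for it, and one that skips the Audience check accepts assertions the IDP issued for a different application. The IDP-initiated flow is unsolicited by definition, so the SP has to decide by policy whether to accept responses with no InResponseTo at all (`allow_idp_initiated` here). In a real deployment, verifying the XML signature against the IDP's metadata certificate comes first and is what makes the rest of these checks worth anything.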


For more details on SAML configuration, click here.