SAML Identity Provider
SAML enables external applications and services to verify a user's identity. It allows for Single Sign-On (SSO) technology, which means a user only needs to authenticate once to access multiple applications. For example, when a user logs in to gmail.com, they can access YouTube, Google Drive, and other Google services without signing in again for each service.
The SAML authentication workflow typically involves three parties:
- User: The person who is trying to access the application.
- Service Provider (SP): The application or service the user wants to use, such as a cloud email platform like Gmail or Microsoft Office 365. Without SSO, the user logs in to the service directly; with SSO, the user logs in to the Identity Provider instead, and SAML is used to grant them access to the service. In short, the SP receives the authentication result from the Identity Provider and authorizes the user.
- Identity Provider (IdP): A service that stores and verifies user identities through a login process. The IdP authenticates the user and sends the SP an assertion of the user's identity and access rights for the service.
HySecure supports multiple Identity providers for a single service provider.
1. Log in to the HySecure Management console.
2. Navigate to Settings > Services Config > SAML Identity Providers.
3. Click Add.
4. Under General Configuration, provide the following information:
   - Identity Provider Name: Name of the Identity Provider.
   - Domain Name: The domain name mapped to this IdP.
5. Under Service Endpoints, provide the following information:
   - Entity ID: The IdP's unique identifier. It is shared with the SAML Service Provider (SP) and configured there as the IdP Entity ID.
   - Single Sign-on Service Endpoint: The IdP endpoint address to which the SAML SP redirects users for authentication.
   - Single Logout Service Endpoint: The IdP endpoint address at which the SAML SP informs the IdP about a user logout event.
   - NameID Format: The identifier format (username/email address or phone number) used to identify a user.
6. Under Certificate Details, provide the following information:
   - Certificate Signing options: Choose the appropriate option for signing the SAML response.
   - CA Certificate for Signing: Upload the certificate here. The IdP generates a private key and a public key and signs the assertion with the private key. The public key is shared with the SP, which uses it to verify the SAML response and then logs the user in. The SP must therefore obtain the public certificate from the IdP to validate the signature; the certificate is stored on the SP side and used whenever a SAML response arrives. To strengthen security, HySecure allows a different certificate for every SAML Identity Provider configured on the HySecure gateway. By default, the HySecure gateway's SSL certificate is used.
   - Private Key for Signing: Upload the private key used to sign the SAML response.
7. Under Organizational Info, provide information about your organization, such as its name, URL, and contact information.
8. Click Submit.
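To show what the signing certificate configured under Certificate Details and the per-IdP certificates mentioned there actually protect on the service-provider side, the following is an added example that is not HySecure's code and not the product's SAML implementation. It models a reduced SAML assertion, an IdP signing it, and an SP that keeps one signing key per configured IdP, selects the key by the assertion's Issuer (the IdP Entity ID), and rejects assertions whose signature, Audience or validity window do not check out. It uses a plain RSA signature over the serialized assertion bytes in place of XML-DSig, and every entity ID, e-mail address and key is constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Reduced model of a SAML 2.0 <Assertion> (hypothetical, not HySecure's schema):
// only the fields an SP must check before trusting it. Real SAML wraps this in
// a <Response> and signs it with XML-DSig; here the signature covers the bytes.
type NameID struct {
	Format string `xml:"Format,attr"` // the configured NameID Format URI
	Value  string `xml:",chardata"`   // the username / email / phone value
}

type Conditions struct {
	NotBefore    string `xml:"NotBefore,attr"`               // xs:dateTime in UTC (RFC 3339)
	NotOnOrAfter string `xml:"NotOnOrAfter,attr"`            // exclusive end of the window
	Audience     string `xml:"AudienceRestriction>Audience"` // must equal the SP's Entity ID
}

type Assertion struct {
	XMLName    xml.Name   `xml:"Assertion"`
	ID         string     `xml:"ID,attr"`
	Issuer     string     `xml:"Issuer"` // the IdP's Entity ID
	Subject    NameID     `xml:"Subject>NameID"`
	Conditions Conditions `xml:"Conditions"`
}

// SP is the service-provider side: its own Entity ID, one signing public key
// (from that IdP's certificate) per trusted IdP Entity ID, and a skew allowance.
type SP struct {
	EntityID string
	IdPs     map[string]*rsa.PublicKey
	Skew     time.Duration
}

// SignAssertion is the IdP side: serialize the assertion and sign the SHA-256
// digest of the bytes with the IdP's private key (RSA PKCS#1 v1.5).
func SignAssertion(priv *rsa.PrivateKey, a Assertion) (doc, sig []byte, err error) {
	if doc, err = xml.Marshal(a); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(doc)
	sig, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return doc, sig, err
}

// Validate is the SP side. It returns the NameID only when every check passes:
// Issuer is a configured IdP, the signature verifies under THAT IdP's key,
// Audience is this SP, and now lies inside the validity window.
func (sp SP) Validate(doc, sig []byte, now time.Time) (string, error) {
	var a Assertion
	if err := xml.Unmarshal(doc, &a); err != nil {
		return "", fmt.Errorf("malformed assertion: %w", err)
	}
	// Issuer comes from still-unverified XML: it only selects which key to try.
	key, ok := sp.IdPs[a.Issuer]
	if !ok {
		return "", errors.New("issuer is not a configured identity provider")
	}
	digest := sha256.Sum256(doc)
	if err := rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("signature does not verify under the issuer's key")
	}
	if a.Conditions.Audience != sp.EntityID {
		return "", errors.New("assertion was issued for a different service provider")
	}
	nb, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	na, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil {
		return "", errors.New("validity window is not a valid xs:dateTime")
	}
	if now.Before(nb.Add(-sp.Skew)) || !now.Before(na.Add(sp.Skew)) {
		return "", errors.New("assertion is outside its validity window")
	}
	return a.Subject.Value, nil
}

// NewAssertion builds a constructed sample assertion valid for five minutes.
func NewAssertion(issuer, audience, email string, now time.Time) Assertion {
	return Assertion{
		ID:      "_constructed-example-id",
		Issuer:  issuer,
		Subject: NameID{Format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Value: email},
		Conditions: Conditions{
			NotBefore:    now.UTC().Format(time.RFC3339),
			NotOnOrAfter: now.UTC().Add(5 * time.Minute).Format(time.RFC3339),
			Audience:     audience,
		},
	}
}

func main() {
	keyA, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed IdP A signing key
	keyB, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed IdP B signing key
	sp := SP{EntityID: "https://sp.example.test/saml", Skew: 30 * time.Second, IdPs: map[string]*rsa.PublicKey{
		"https://idp-a.example.test": &keyA.PublicKey,
		"https://idp-b.example.test": &keyB.PublicKey,
	}}
	now := time.Now()
	a := NewAssertion("https://idp-a.example.test", sp.EntityID, "alice@example.test", now)
	doc, sig, _ := SignAssertion(keyA, a)
	fmt.Println(sp.Validate(doc, sig, now)) // accepted: alice@example.test
	// The same assertion signed with IdP B's key is rejected: the key is bound to the Issuer.
	docB, sigB, _ := SignAssertion(keyB, a)
	fmt.Println(sp.Validate(docB, sigB, now)) // rejected: signature does not verify under the issuer's key
}
```

The design point is the lookup order: the SP never verifies "against any trusted key" but against the one key registered for the Issuer the assertion names, which is why configuring a distinct certificate per IdP, as the page allows, stops an assertion from one IdP being accepted under another IdP's identity. The Audience and validity-window checks are the remaining conditions a real SP must enforce in addition to the signature.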