Single Sign On with SAML Authentication
SAML 2.0 is the latest version of the Security Assertion Markup Language, a standard specified by OASIS.
It was defined for exchanging authentication and authorization data between security domains.
SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, that is, an identity provider (IdP), and a SAML consumer, that is, a service provider (SP).
SAML 2.0 enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO), which helps reduce the administrative overhead of distributing multiple authentication tokens to the user.
It strengthens corporate security and simplifies user provisioning.
The main benefits of using a SAML Identity Provider are:
- Your users never enter their credentials anywhere other than your IdP's web-based authentication system, and we never store their passwords.
- Your user base is centralized and shared between all your internal and external services. You can now provision new users and restrict authorizations at a global level.
SAML authentication workflow
- The user goes to your App Store domain or subdomain and clicks the LOGIN button.
- The user is redirected to your Identity Provider (IdP) login website.
- The user logs in with the IdP web-based authentication system, and the IdP sends a SAML Response to the Applivery callback endpoint.
- If the user is logged in and has the appropriate permissions in Applivery, they are allowed into the App Store, where they will see only the Apps they are authorized to access.
Step 1 - Get the Service Provider information from Applivery
Go to your Organization Settings and scroll down to the Login providers section. Then click the green Add login provider button and select SAML.
You will now see your SAML configuration, including a pre-configured SAML metadata XML file that you can import into your Identity Provider (such as Azure AD).
If your IdP does not allow you to upload a SAML metadata file, you can use the other fields provided under Step 1 to configure Applivery as a Service Provider manually:
- Identifier (Entity ID)
- Reply URL (Assertion Consumer Service URL)
- Callback URL
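The Entity ID and Reply (ACS) URL above are not just configuration values: they are what the Service Provider checks the incoming SAML Response against in the workflow described earlier (Destination and bearer Recipient must equal the ACS URL, Audience must equal the Entity ID, and the Issuer must be the IdP you federated with). The following Python script is an added example, not Applivery's code; every URL and identifier in it is an assumed placeholder, and the SAML Response it validates is constructed inline. It deliberately omits XML-DSig signature verification against the IdP certificate (which needs a library such as xmlsec and must run before any of these checks are trusted), so it illustrates the identifier and validity-window checks only.

```python
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed placeholders for the Entity ID and Reply (ACS) URL a Service Provider
# publishes under Step 1, and for the Entity ID of the IdP taken from its metadata.
SP_ENTITY_ID = "https://example-org.applivery.example/saml/metadata"
SP_ACS_URL = "https://example-org.applivery.example/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/saml"

# Constructed, unsigned SAML Response. The HTTP-POST binding delivers it
# base64-encoded in the SAMLResponse form field, which is what we validate.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{SP_ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_FORM_VALUE = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def at(hour, minute=0):
    """Reference clock for the constructed sample (UTC, 2024-01-01)."""
    return datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)


def _ts(value):
    # SAML timestamps are UTC ISO 8601 with a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(form_value, now, skew=timedelta(seconds=60)):
    """Validate a base64 SAMLResponse against our SP identifiers.

    Returns (ok, reason, name_id). Signature verification of the Response or
    Assertion (XML-DSig with the IdP certificate) must precede these checks.
    """
    root = ET.fromstring(base64.b64decode(form_value))
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, "not a samlp:Response", None
    # Destination must be our ACS (Reply) URL, or the message was meant for another SP.
    if root.get("Destination") != SP_ACS_URL:
        return False, "Destination does not match our ACS URL", None
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "IdP did not report Success", None
    # Exactly one assertion: a smuggled second assertion must not be silently picked.
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False, f"expected one assertion, got {len(assertions)}", None
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != IDP_ENTITY_ID:
        return False, "assertion issued by an unknown IdP", None
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False, "assertion has no validity window", None
    nb = cond.get("NotBefore")
    if nb is not None and now + skew < _ts(nb):
        return False, "assertion not yet valid", None
    if now - skew >= _ts(cond.get("NotOnOrAfter")):
        return False, "assertion expired", None
    # Audience must be our Entity ID, or an assertion for another SP could be replayed here.
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if e.text]
    if SP_ENTITY_ID not in audiences:
        return False, "assertion not addressed to our Entity ID", None
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        return False, "bearer confirmation Recipient is not our ACS URL", None
    if scd.get("NotOnOrAfter") is None or now - skew >= _ts(scd.get("NotOnOrAfter")):
        return False, "bearer confirmation expired", None
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return True, "ok", name_id.strip() if name_id else None


def tampered(old, new):
    """Re-encode SAMPLE_RESPONSE with one substring swapped, to exercise a single check."""
    return base64.b64encode(SAMPLE_RESPONSE.replace(old, new).encode()).decode()


if __name__ == "__main__":
    print(validate_response(SAMPLE_FORM_VALUE, at(12)))
    print(validate_response(tampered(SP_ENTITY_ID, "https://other-sp.example/"), at(12)))
```

The clock is injected so the same response can be checked at 12:00 (valid) and at 13:00 (expired); in production use the current UTC time and keep the skew allowance small, since every minute of tolerance is a minute longer a captured response can be replayed.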
Step 2 - Configure your Identity Provider (e.g. Azure AD)
Now that you have your Service Provider information, it's time to configure it in your IdP. For this example we will use Azure Active Directory, which allows you to configure any Service Provider that supports SAML 2.0.
Step 2.1 - Log in to the Azure Portal and create an App
Log in to your Azure Portal and go to Azure Active Directory > Enterprise applications. Click the blue + New application button at the top of the page and choose Non-gallery application. Lastly, give the App a name (e.g. Applivery).
Step 2.2 - Configure SSO
Now go to Single Sign-on in the left side menu and choose the SAML option from the Single sign-on methods list.
You will be redirected to a new dashboard with 4 Steps. At the very top of the page, click the Upload metadata file button and browse your disk for the Applivery SAML metadata XML file you downloaded in Step 1. The form will be filled in automatically with the information contained in the XML file. Optionally, you can fill it out manually using the information provided in Step 1.
Step 2.3 - Download Federation Metadata XML file from Azure
Last, go to Step 3 of the 4 steps in Azure, click the Download Federation Metadata XML link and save the file. This metadata carries the IdP Entity ID, its SSO URL and the certificate Azure signs assertions with, so it will need to be uploaded again whenever that certificate is rotated.
Go back to the Applivery Dashboard > SAML Provider screen (the same one as in Step 1 of this tutorial) and upload the Federation Metadata XML file under Step 2. Then click Save changes.
Step 3 - Test it out
And that's it! Now that both ends (Azure & Applivery) are connected, add some authorized users in Azure (go to Users and groups under the SSO application), then navigate to your App Store URL and try to log in with one of them.