SAML - Cloud Single Sign On

Xecurify acts as an identity provider and lets an end user log in to access services provided by a service provider.


Security Assertion Markup Language (SAML) is an XML standard that allows secure web domains to exchange user authentication and authorization data. Using SAML, an online service provider can contact a separate online identity provider to authenticate users who are trying to access secure content.

The SAML specification defines three roles:

  • The principal (typically a user)

  • The Identity Provider (IdP)

  • The Service Provider (SP)

In the use case addressed by SAML, the principal requests a service from the service provider. The service provider requests and obtains an identity assertion from the identity provider. On the basis of this assertion, the service provider can make an access control decision; in other words, it can decide whether to perform some service for the connected principal.

Let us take an example to show how to configure the Xecurify Self-Service Console as a service provider that accepts a SAML assertion generated by the Xecurify IdP.

  • Register a Service Provider on the Identity Server:

    • Add the Issuer as Xecurify

    • Set the Assertion Consumer URL

    • Make sure Enable Attribute Profile is checked

    • Add the email address in Attribute Claims

    • Make sure Include Attributes in the Response Always is checked

  • The user selects SAML SSO from the End User Sign In window to log in using the Xecurify Identity Server.

  • The Xecurify Authentication Service sends a SAML authentication request, together with an Attribute Query, to the Xecurify Identity Server, including the Consumer Index that was generated when Xecurify was registered as a Service Provider on the Identity Server.

  • The Xecurify IdP parses the SAML request and redirects the user to the Identity Server login page.

  • The user enters the username and password. If the credentials are valid, the IdP sends an encoded SAML Response containing the user's email address to the Xecurify Authentication Service.

  • The Xecurify Authentication Service receives the SAML response, decodes it, and parses the user's email ID. If a valid email address is found, it logs the user in to the Self-Service Console.
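The last two steps (the IdP returning an encoded Response, the SP decoding it and pulling out the email claim) as an added example; this is not Xecurify's code, and the issuer, audience and attribute name are assumed placeholder values. The SP side also checks the status, issuer and audience before accepting the claim.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical values recorded when the SP was registered on the IdP (assumptions).
EXPECTED_ISSUER = "https://idp.example.test/xecurify"
EXPECTED_AUDIENCE = "https://sp.example.test/self-service"
EMAIL_ATTRIBUTE = "email"  # assumed name of the attribute claim added on the IdP

def build_sample_response(email: str, issuer: str = EXPECTED_ISSUER,
                          audience: str = EXPECTED_AUDIENCE) -> str:
    """Constructed, unsigned SAML Response standing in for the IdP's POST-back."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{issuer}</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="{EMAIL_ATTRIBUTE}">
      <saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

def extract_email(encoded_response: str) -> Optional[str]:
    """SP side: decode, check status, issuer and audience, then return the email claim.
    A real SP must verify the XML signature before trusting any attribute (omitted here)."""
    root = ET.fromstring(base64.b64decode(encoded_response))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return None
    if root.findtext("saml:Issuer", namespaces=NS) != EXPECTED_ISSUER:
        return None  # response not from the registered IdP
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != EXPECTED_AUDIENCE:
        return None  # assertion was issued for a different SP
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_ATTRIBUTE:
            return attr.findtext("saml:AttributeValue", namespaces=NS)
    return None  # no email claim: do not log the user in
```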