SAML Overview

Security Assertion Markup Language (SAML) 2.0 is a single sign-on and federation protocol suite that enables your organization to synchronize identity with web applications. Once you have configured single sign-on for your organization, your users can sign in to Flexera One using your identity provider instead of a username and password. When a user logs in with single sign-on, an audit entry in your master account captures the details.

Some key SAML 2.0 concepts are presented in the following table.

SAML 2.0 Key Concepts

SAML 2.0 Concept

Definition

Trust Relationship

Before an identity provider and a service provider can exchange SAML messages, an administrator must configure each of them to trust the other.

Web Browser Single Sign-on

SAML 2.0's Web Browser SSO Profile is its principal sign-in mechanism. For a detailed protocol description, see Wikipedia.

There are two variants of the Web Browser single sign-on flow:

Service provider-initiated sign in—The user visits the service provider first.
Identity provider-initiated sign in—The user visits the identity provider first.

SP-Initiated Sign In

If a user arrives at Flexera One without being logged in, we must forward the user’s browser to a suitable identity provider to obtain a SAML assertion. To determine where to send the user, we prompt the user for a discovery hint, a DNS-like name chosen at setup time to uniquely identify your identity provider in our database.

Best Practice: We recommend using unique values as a discovery hint for your identity provider.

Identity Provider-Initiated Sign In

You can sign in to the identity provider and visit an application portal that provides a menu of SSO-accessible applications, including Flexera One. When you click the Flexera One menu item, the browser is directed to Flexera One with a SAML assertion.

Relay State

The relay state is a SAML parameter that conveys where users will be directed after they perform single sign-on. When performing identity provider-initiated sign in, the identity provider can add a default relay state to send the user to a specific place.
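
The SP-initiated flow and relay state described above, sketched from the service provider's side as an added example (not Flexera One's own code): the discovery hint selects the identity provider, the AuthnRequest is encoded for the SAML HTTP-Redirect binding, and the relay state is restricted to a same-site path before it is sent. The hint registry, URLs and function names are assumptions made for illustration, and the request is left unsigned.

```python
import base64, datetime, uuid, zlib
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample data: discovery hint -> IdP sign-on URL (hypothetical).
IDP_BY_HINT = {"idp.example.com": "https://idp.example.com/saml/sso"}
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"  # hypothetical
SP_ACS_URL = "https://sp.example.test/saml/acs"         # hypothetical

def safe_relay_state(value, default="/"):
    """Accept only a same-site absolute path as the post-sign-in target."""
    value = value or ""
    parsed = urlparse(value)
    if parsed.scheme or parsed.netloc or "\\" in value:
        return default
    if not value.startswith("/") or value.startswith("//"):
        return default
    return value

def build_authn_request(request_id, issue_instant, destination):
    """Minimal unsigned AuthnRequest; request signing is left out here."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{destination}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )

def sp_initiated_redirect(discovery_hint, relay_state):
    """Return the IdP URL to send the browser to, or None for an unknown hint."""
    sso_url = IDP_BY_HINT.get(discovery_hint.strip().lower())
    if sso_url is None:
        return None
    now = datetime.datetime.now(datetime.timezone.utc)
    xml = build_authn_request("_" + uuid.uuid4().hex,
                              now.strftime("%Y-%m-%dT%H:%M:%SZ"), sso_url)
    # HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoding.
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    return sso_url + "?" + urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode(),
        "RelayState": safe_relay_state(relay_state),
    })

def decode_redirect(url):
    """Reverse the encoding the way the receiving identity provider would."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode(), query["RelayState"][0]
```

The same relay state check applies when the value comes back with the SAML response, including a default relay state set by the identity provider in the identity provider-initiated flow.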