SAML Overview

Security Assertion Markup Language (SAML) 2.0 is a single sign-on and federation protocol suite that enables your organization to synchronize identity with web applications. Once you have configured single sign-on for your organization, your users can log in to Flexera One using your identity provider instead of a username and password. When a user logs in with single sign-on, an audit entry in your master account captures the details.

Some key SAML 2.0 concepts are presented in the following table; each concept is followed by its definition.

SAML 2.0 Key Concepts

Trust Relationship

Before an identity provider and a service provider can exchange SAML messages, an administrator must configure each of them to trust the other.

Web Browser Single Sign-on

SAML 2.0's Web Browser SSO Profile is its principal login mechanism. For a detailed protocol description, refer to Wikipedia.

There are two variants of the Web Browser single sign-on flow:

Service provider-initiated login—The user visits the service provider first.
Identity provider-initiated login—The user visits the identity provider first.

SP-Initiated Login

If a user arrives at Flexera One without being logged in, we must forward the user’s browser to a suitable identity provider to obtain a SAML assertion. To determine where to send the user, we prompt the user for a discovery hint, a DNS-like name chosen at setup time to uniquely identify your identity provider in our database.

Best Practice: We recommend choosing a discovery hint that is unique to your identity provider.
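The SP-initiated flow above can be summarized in code: look up the discovery hint, mint a request ID to correlate the eventual response, and send the browser to the identity provider. The block below is an added example written for this page, not Flexera One's code; the registry, entity IDs and endpoint URLs (sp.example.test, idp.corp.example) are constructed placeholders, and the AuthnRequest is left unsigned, which is an assumption about the deployment. The DEFLATE-then-base64 encoding is the standard SAML HTTP-Redirect binding, which the page itself does not describe.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode

# Service-provider identifiers placed in the request. Assumed placeholder
# values for this example, not Flexera One's real endpoints.
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"

# Constructed registry of identity providers keyed by discovery hint; this
# stands in for the database the page refers to.
IDP_REGISTRY = {
    "corp.example": {
        "entity_id": "https://idp.corp.example/saml",
        "sso_url": "https://idp.corp.example/saml/sso",
    },
}


def resolve_idp(hint: str) -> dict:
    """Map a discovery hint to its identity provider record.

    The hint is normalised (surrounding whitespace, case) so ' Corp.Example '
    resolves like 'corp.example'. An unknown hint raises instead of falling
    back to a default provider, so a typo cannot steer the login elsewhere.
    """
    key = hint.strip().lower()
    try:
        return IDP_REGISTRY[key]
    except KeyError:
        raise LookupError("no identity provider is registered for this discovery hint") from None


def build_authn_request(idp: dict, request_id: str, issue_instant: str) -> str:
    """Minimal unsigned AuthnRequest (assumes the IdP does not require signing)."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp["sso_url"]}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_redirect_payload(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_payload(payload: str) -> str:
    """Inverse of encode_redirect_payload, useful when debugging what was sent."""
    return zlib.decompress(base64.b64decode(payload), -15).decode("utf-8")


def sp_initiated_redirect(hint: str, return_path: str = "/") -> tuple:
    """Resolve the hint and build the URL the browser is forwarded to.

    Returns (redirect_url, request_id). The caller stores request_id (for
    example in the session) so the SAML Response's InResponseTo can be
    checked when it comes back; RelayState carries the post-login path.
    """
    idp = resolve_idp(hint)
    request_id = "_" + uuid.uuid4().hex  # XML IDs must not start with a digit
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = build_authn_request(idp, request_id, issue_instant)
    query = urlencode({"SAMLRequest": encode_redirect_payload(xml), "RelayState": return_path})
    return idp["sso_url"] + "?" + query, request_id


if __name__ == "__main__":
    url, rid = sp_initiated_redirect("corp.example", "/dashboard")
    print(rid)
    print(url)
```

The request ID returned here is what makes the later InResponseTo check possible; without storing it, the service provider cannot tell a response to its own request from an unsolicited one.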

Identity Provider-Initiated Login

A more common way for an end-user to perform single sign-on is to log in to the identity provider and visit an application portal that provides a menu of SSO-accessible applications, including Flexera One. When the user clicks the Flexera One menu item, the browser is directed to Flexera One with a SAML assertion.

Relay State

The relay state is a SAML parameter that conveys where users will be directed after they perform single sign-on. When performing identity provider-initiated login, the identity provider can add a default relay state to send the user to a specific place.
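The trust relationship and the relay state both come down to checks the service provider performs when a SAML Response arrives, whether from an SP-initiated or an IdP-initiated login. The block below is an added example for this page, not Flexera One's code: the SAML Response is a constructed sample, the entity IDs and URLs (sp.example.test, idp.corp.example) are placeholders, and it assumes the XML signature has already been verified by a SAML library against the certificate configured for the trust relationship. It checks that the issuer is a configured partner, that the assertion is addressed to this service provider and still valid, that InResponseTo matches the outstanding request (or is absent for an IdP-initiated login), and it treats RelayState as browser-supplied input that may only name a relative path on this site.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed service-provider identity and the IdP entity IDs registered when
# the trust relationship was configured (placeholders, not Flexera One's).
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"
TRUSTED_IDPS = {"https://idp.corp.example/saml"}

# Constructed sample for an IdP-initiated login (no InResponseTo). The XML
# signature is omitted: this code assumes it was verified upstream.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z" Destination="https://sp.example.test/saml/acs">
  <saml:Issuer>https://idp.corp.example/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.corp.example/saml</saml:Issuer>
    <saml:Subject><saml:NameID>alice@corp.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_timestamp(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text: str, now: datetime, expected_request_id=None) -> dict:
    """Apply the trust checks to a signature-verified Response.

    expected_request_id is the ID stored when an SP-initiated AuthnRequest was
    sent; None means nothing is outstanding, i.e. an IdP-initiated login.
    """
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_IDPS:
        raise ValueError("issuer is not a configured trust partner")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("response was not addressed to this ACS endpoint")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("identity provider did not report success")
    # None == None covers the unsolicited (IdP-initiated) case; any mismatch,
    # including an unexpected InResponseTo, is rejected.
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the outstanding request")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    assertion = assertions[0]
    if assertion.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("assertion issuer differs from response issuer")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion carries no Conditions")
    not_before = parse_timestamp(conditions.get("NotBefore"))
    not_on_or_after = parse_timestamp(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion is outside its validity window")
    audiences = {a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion is not intended for this service provider")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion has no subject NameID")
    return {"issuer": issuer, "name_id": name_id, "not_on_or_after": not_on_or_after}


def safe_relay_state(relay_state, default: str = "/") -> str:
    """Turn RelayState into a redirect target this origin can honour.

    RelayState passes through the user's browser, so it is untrusted input;
    anything other than a plain relative path on this site falls back to the
    default landing page rather than becoming an open redirect.
    """
    if not relay_state or len(relay_state) > 80:  # SAML bindings cap RelayState at 80 bytes
        return default
    parts = urlsplit(relay_state)
    if parts.scheme or parts.netloc:  # absolute URL or protocol-relative '//host'
        return default
    if not relay_state.startswith("/") or "\\" in relay_state:  # browsers treat '\' as '/'
        return default
    return relay_state


if __name__ == "__main__":
    result = validate_response(SAMPLE_RESPONSE, parse_timestamp("2024-05-01T12:01:00Z"))
    print(result["name_id"], "->", safe_relay_state("/reports/42"))
```

For an SP-initiated login the caller passes the request ID it stored when it redirected the user, and the same function then insists on a matching InResponseTo; the relay-state check is the same in both variants because the identity provider's default relay state and a user-supplied one arrive through the same browser POST.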