SAML is a method used to exchange information between a service provider and an identity provider. A service provider is the provider of a third-party service that users connect to, such as Salesforce or Microsoft. An identity provider, such as AuthPoint, authenticates users when they log in to a service or application.
In AuthPoint, SAML resources connect AuthPoint with a service provider. Add SAML resources and define access policies for the resources to require that users authenticate before they can connect to those services and applications.
When you add SAML resources, we recommend that you also add an IdP portal resource. The IdP portal is a portal page that shows users a list of SAML resources available to them. For more information, see Configure the IdP Portal.
See the AuthPoint Integration Guides for steps to configure AuthPoint MFA for specific applications and services.
SAML Authentication Data Flow
This diagram shows the data flow of an MFA transaction for a SAML resource with the push authentication method.
When the user tries to log in to an application that requires authentication, the AuthPoint authentication page appears. To log in, the user types their AuthPoint password (if required) and chooses an authentication method. In this example, the user chooses to authenticate with a push notification. AuthPoint sends a push notification to the user's mobile device that the user approves to authenticate and log in.
Before you add a SAML resource, you must configure SAML authentication for your third-party service provider. To do this, you must get the AuthPoint metadata from the Certificate Management page in the AuthPoint management UI.
The AuthPoint metadata provides your resource with information that is necessary to identify AuthPoint and establish a trusted relationship between the third-party service provider and the identity provider (AuthPoint).
Some service providers require the metadata file to configure authentication, while others only require the metadata URL. Which one you need depends on the third-party service provider.
- Select Resources.
- Click Certificate.
- On the Certificate Management page, next to AuthPoint certificate you will associate with your resource, click and select an option to download the metadata, copy the metadata URL, download the certificate, or copy the fingerprint based on what the service provider for your resources requires.
The AuthPoint metadata provides your resource with information necessary to identify AuthPoint as a trusted identity provider. This is necessary for SAML authentication.
- Import the AuthPoint metadata file to the service provider and get the Service Provider Entity ID and Assertion Consumer Service from the service provider. These values are necessary to configure the SAML resource in AuthPoint. Refer to the AuthPoint Integration Guides for the steps to configure specific SAML resources.
Add a SAML Resource in AuthPoint
To add a SAML resource, in the AuthPoint management UI:
- Select Resources.
- From the Choose a resource type drop-down list, select SAML. Click Add.
- In the Name text box, type a name for the resource.
- From the Application Type drop-down list, select the relevant application or select Others if the application is not listed.
You can click the Integration Guide link to open a help topic with the steps to set up your application. This link is context sensitive.
- In the Service Provider Entity ID and Assertion Consumer Service text boxes, type the values from the service provider of the application.
- From the User ID drop-down list, select which user ID attribute to send to the service provider. The service provider compares the user ID attribute for the AuthPoint user with the user name in your application. These values must match.
For example, Salesforce requires a user name in an email format that includes a domain. Because the AuthPoint user name does not include a domain, your user ID must be email to match the Salesforce user name.
- (Optional) Click Choose File to upload a certificate from the service provider. When you upload a certificate, you can select the Encryption enabled toggle to enable or disable encryption for the SAML communication.
- From the AuthPoint Certificate drop-down list, select the AuthPoint certificate to associate with your resource. This must be the same certificate that you downloaded the metadata for in the Configure Authentication for a Third-Party Application section.
- If applicable, complete any additional fields required for the application.
- Click Save.
- Assign an access policy for the SAML resource to a group. See Access Policies for more information.
Now you have successfully added a SAML resource, you must assign an access policy for the SAML resource to an AuthPoint user group. Access policies are assigned to user groups in order to specify which resources require authentication and which authentication method to use for the users that are in that group. For more detailed information, see Access Policies.