Single Signon Setup
Overview
CircleIn implements the SAML 2.0 protocol, specifically the Service Provider component. As a Service Provider (SP), CircleIn consumes signed assertions from pre-approved Identity Providers (IdPs) such as ADFS, Google SAML, Okta, PingFederate, Auth0, etc. An IdP is "pre-approved" once its metadata (EntityID, SSO endpoint and signing certificate) has been registered with CircleIn; assertions from any other issuer are rejected.
Definitions
- SAML
- Security Assertion Markup Language
- EntityID
- EntityID is the unique identifier (conventionally a URI) for each party in a SAML implementation. A Service Provider (SP) has an EntityID and an Identity Provider (IdP) has an EntityID. The SP's EntityID is what the IdP places in the assertion's Audience, and the IdP's EntityID is what appears in the assertion's Issuer, so both must match exactly on each side.
- Metadata
- An XML document that describes a SAML party: its EntityID, its endpoints (SSO URL for an IdP, Assertion Consumer Service URL for an SP, optional SLO URLs), the bindings it supports, and the x509 certificate(s) used to verify its signatures. SP and IdP are configured to trust each other by exchanging metadata.
- x509 Certificate
- Carries the public key used to verify XML signatures. The IdP publishes its signing certificate in its metadata so that the SP can verify the signature on each assertion; when a certificate is rotated at the IdP, the SP's copy must be updated or every login will fail signature validation.
- Single Signon (SSO)
- Authenticating once with the Identity Provider and then accessing multiple Service Providers without logging in again. Each SP receives its own assertion from the IdP's existing session.
- Single Logout (SLO)
- Logging out of one system triggers a process by which a user is logged out of all compatible systems.
- Assertion
- An assertion is an XML document that carries information about an authenticated user (the subject's NameID, attributes, and conditions such as the validity window and intended audience). It is signed by the IdP and transmitted via the browser from the IdP to the SP. Because the browser relays it, the SP must verify the signature and the conditions before trusting anything inside it.
- Service Provider (SP)
- The application that relies on an Identity Provider for authentication and consumes its assertions. CircleIn is the SP in this setup.
- Identity Provider (IdP)
- The system that authenticates users (ADFS, Okta, Google, PingFederate, Auth0, etc.) and issues signed assertions about them to Service Providers.
Typical SAML Flow
https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
An important thing to understand about SAML is that the Service Provider and Identity Provider do not talk directly with each other. All communication happens through XML payloads carried by the browser: the HTTP-Redirect binding (an HTTP 302/303 redirect with the deflated, base64-encoded request in the SAMLRequest query parameter) and the HTTP-POST binding (an auto-submitted HTML form carrying the base64-encoded SAMLResponse).
This property has important security implications. An IdP can be, and often is, on a completely separate network not reachable by the SP. The user's browser, however, may be connected to the IdP's network via VPN or something similar. This allows the user's browser to cross those security boundaries. It also means the SP cannot rely on network position for trust: every assertion arrives from an untrusted client, so the SP must validate its signature against the registered IdP certificate and check the issuer, audience, recipient, InResponseTo and validity window before accepting it.
Attributes Requested by CircleIn Service Provider
CircleIn does not require a specific attribute to be sent. Rather, you configure your Identity Provider to release an attribute that corresponds to the unique ID for your users. Choose a value that is stable and unique for the life of the account (for example an employee or student number rather than a display name), because CircleIn uses it to identify the user on every login.
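The following is an added example, not CircleIn's code, that walks through the browser-mediated exchange described under "Typical SAML Flow" from the SP side and then shows how the SP reads the unique-ID attribute the IdP was configured to release. The entity IDs, URLs and the `employeeNumber` attribute name are assumptions, and the IdP response is constructed inline and unsigned; XML signature verification (which a real SP performs first, with a library such as xmlsec or python3-saml) is deliberately outside this example's scope.

```python
"""Added example (not CircleIn code): SP-initiated SAML 2.0 exchange, SP side."""
import base64
import datetime as dt
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production (entity-expansion attacks)

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical identifiers; real values come from each party's metadata.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.org/metadata"
IDP_SSO_URL = "https://idp.example.org/sso"
UID_ATTRIBUTE = "employeeNumber"  # assumed name of the attribute the IdP releases as the unique user ID
FIXED_NOW = dt.datetime(2024, 5, 1, 12, 0, 0, tzinfo=dt.timezone.utc)  # frozen clock for the demo


def saml_time(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_time(s):
    # First 19 chars are YYYY-MM-DDTHH:MM:SS; tolerates the fractional seconds some IdPs emit.
    return dt.datetime.strptime(s[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=dt.timezone.utc)


def build_redirect_url(now, relay_state="/"):
    """Step 1 (SP): AuthnRequest sent via HTTP-Redirect binding: raw DEFLATE, base64, URL-encode."""
    request_id = "_" + uuid.uuid4().hex
    authn_request = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{saml_time(now)}" Destination="{IDP_SSO_URL}" '
        f'AssertionConsumerServiceURL="{ACS_URL}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE stream, no zlib header
    deflated = comp.compress(authn_request.encode()) + comp.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})
    return request_id, f"{IDP_SSO_URL}?{query}"


def decode_redirect_request(url):
    """What the IdP does when the browser arrives: reverse the Redirect-binding encoding."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    req = ET.fromstring(zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15))
    return {"id": req.get("ID"), "issuer": req.findtext("saml:Issuer", namespaces=NS),
            "acs": req.get("AssertionConsumerServiceURL"), "relay_state": params.get("RelayState", [None])[0]}


def sample_idp_response(in_response_to, now):
    """Step 2 (IdP): constructed Response, base64-encoded as the IdP puts it in the SAMLResponse
    form field the browser auto-POSTs to the ACS URL. Unsigned here; a real one carries <ds:Signature>."""
    nb, noa = saml_time(now - dt.timedelta(minutes=1)), saml_time(now + dt.timedelta(minutes=5))
    xml_text = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_resp1" Version="2.0"
  IssueInstant="{saml_time(now)}" Destination="{ACS_URL}" InResponseTo="{in_response_to}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{saml_time(now)}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{in_response_to}" Recipient="{ACS_URL}" NotOnOrAfter="{noa}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{UID_ATTRIBUTE}"><saml:AttributeValue>10042</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml_text.encode()).decode()


def consume_response(saml_response_b64, expected_request_id, now):
    """Step 3 (SP): checks made before trusting a POSTed Response. XML-DSig verification against
    the IdP certificate from its metadata is NOT done here; in production it runs first."""
    resp = ET.fromstring(base64.b64decode(saml_response_b64))
    if resp.get("Destination") != ACS_URL:
        raise ValueError("Response not addressed to our ACS URL")
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("Response does not match an outstanding AuthnRequest")
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP reported failure")
    a = resp.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("Missing assertion or unexpected issuer")
    cond = a.find("saml:Conditions", NS)
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("Assertion outside its validity window")
    if SP_ENTITY_ID not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("Assertion not intended for this SP (audience)")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != expected_request_id
            or now >= parse_time(scd.get("NotOnOrAfter"))):
        raise ValueError("Bearer confirmation data does not match this exchange")
    attrs = {x.get("Name"): [v.text for v in x.findall("saml:AttributeValue", NS)]
             for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if not attrs.get(UID_ATTRIBUTE):
        raise ValueError(f"IdP did not release the configured unique-ID attribute {UID_ATTRIBUTE}")
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "uid": attrs[UID_ATTRIBUTE][0], "attributes": attrs}


if __name__ == "__main__":
    req_id, url = build_redirect_url(FIXED_NOW, relay_state="/courses")
    print("IdP receives:", decode_redirect_request(url))
    print("SP accepts:", consume_response(sample_idp_response(req_id, FIXED_NOW), req_id, FIXED_NOW))
```

The three functions mirror the three hops the browser makes: the SP never contacts the IdP, so the `InResponseTo`, `Recipient`, audience and time-window checks are what tie a POSTed response back to a request this SP actually issued, and the unique-ID lookup at the end is the point where the attribute you configured the IdP to release becomes the user's identity. Re-running `consume_response` with a different request ID or a later clock raises, which is the behaviour to expect from a correctly configured SP when an assertion is replayed or expired.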