SAML single sign-on

You can enable single sign-on (SSO) capability so that users can access their organization without the need to enter login information. You can use SSO for user authentication or for both authentication and authorization in an organization. You configure SSO capability for an organization on the SAML Setup page.

Single sign-on to Informatica Intelligent Cloud Services is based on the Security Assertion Markup Language (SAML) 2.0 web browser single sign-on profile. The SAML web browser single sign-on profile consists of the following entities:

Identity provider

An entity that manages authentication information and provides authentication services through the use of security tokens.

Service provider

An entity that provides web services to principals, for example, an entity that hosts web applications. Informatica Intelligent Cloud Services is a service provider.

Principal

An end user who interacts through an HTTP user agent.

SAML 2.0 is an XML-based protocol that uses security tokens that contain assertions to pass information about a principal between an identity provider and a service provider. An assertion is a package of information that supplies statements made by a SAML authority. You can find more information about SAML on the Oasis web site: https://www.oasis-open.org

The process that occurs when a user enters the Informatica Intelligent Cloud Services URL in a browser or launches Informatica Intelligent Cloud Services through a chicklet differs based on whether the organization uses SAML SSO for authentication only or for both authentication and authorization.

SAML single sign-on for authentication only

When a user signs on to Informatica Intelligent Cloud Services and the organization uses SAML SSO for user authentication only, the following process occurs:

1Informatica Intelligent Cloud Services sends a SAML authentication request to the organization's identity provider.

2The identity provider confirms the user's identity and sends a SAML authentication response to Informatica Intelligent Cloud Services. The authentication response includes a SAML token.

3When Informatica Intelligent Cloud Services receives the SAML authentication response from the identity provider, it completes the following tasks:

- If the user exists, Informatica Intelligent Cloud Services establishes the user session and logs the user in.
- If the user does not exist and auto-provisioning of users is enabled, Informatica Intelligent Cloud Services gets the user attributes from the SAML token, creates the user, and assigns the user the default role and the default group, if it is configured. Informatica Intelligent Cloud Services establishes the user session and logs the user in.
- If the user does not exist and auto-provisioning of users is disabled, Informatica Intelligent Cloud Services fails the login.

4When a user logs out of Informatica Intelligent Cloud Services or the session times out, Informatica Intelligent Cloud Services sends a SAML logout request to the identity provider.

5The identity provider terminates the user session on the identity provider side.

SAML single sign-on for authentication and authorization

When a user signs on to Informatica Intelligent Cloud Services and the organization uses SAML SSO for authentication and authorization, the following process occurs:

1Informatica Intelligent Cloud Services sends a SAML authentication request to the organization's identity provider.

2The identity provider confirms the user's identity and sends a SAML authentication response to Informatica Intelligent Cloud Services. The authentication response includes a SAML token.

3When Informatica Intelligent Cloud Services receives the SAML authentication response from the identity provider, it completes the following tasks:

- If the user exists, Informatica Intelligent Cloud Services gets the user roles, groups, and attributes from the SAML token. It finds the corresponding Informatica Intelligent Cloud Services user roles and groups, and updates the user roles, if necessary. Informatica Intelligent Cloud Services establishes the user session and logs the user in.
- If the user does not exist and auto-provisioning of users is enabled, Informatica Intelligent Cloud Services gets the user roles, groups, and attributes from the SAML token and creates the user. Informatica Intelligent Cloud Services establishes the user session and logs the user in. If the token contains no SAML role or group information, Informatica Intelligent Cloud Services fails the login.
- If the user does not exist and auto-provisioning of users is disabled, Informatica Intelligent Cloud Services fails the login.

4When a user logs out of Informatica Intelligent Cloud Services or the session times out, Informatica Intelligent Cloud Services sends a SAML logout request to the identity provider.

5The identity provider terminates the user session on the identity provider side.