You can enable single sign-on (SSO) capability so that users can access their organization without the need to enter login information. You can use SSO for user authentication or for both authentication and authorization in an organization. You configure SSO capability for an organization on the SAML Setup page.
Single sign-on to IDMC is based on the Security Assertion Markup Language (SAML) 2.0 web browser single sign-on profile. The SAML web browser single sign-on profile consists of the following entities:
Identity provider
An entity that manages authentication information and provides authentication services through the use of security tokens.
Service provider
An entity that provides web services to principals, for example, an entity that hosts web applications. IDMC is a service provider.
Principal
An end user who interacts through an HTTP user agent.
SAML 2.0 is an XML-based protocol that uses security tokens that contain assertions to pass information about a principal between an identity provider and a service provider. An assertion is a package of information that supplies statements made by a SAML authority. You can find more information about SAML on the Oasis web site: https://www.oasis-open.org
The process that occurs when a user enters the IDMC URL in a browser or launches IDMC through a chicklet differs based on whether the organization uses SAML SSO for authentication only or for both authentication and authorization.
SAML single sign-on for authentication only
When a user signs on to IDMC and the organization uses SAML SSO for user authentication only, the following process occurs:
1IDMC sends a SAML authentication request to the organization's identity provider.
2The identity provider confirms the user's identity and sends a SAML authentication response to IDMC. The authentication response includes a SAML token.
3When IDMC receives the SAML authentication response from the identity provider, it completes the following tasks:
- If the user exists, IDMC establishes the user session and logs the user in.
- If the user does not exist and auto-provisioning of users is enabled, IDMC gets the user attributes from the SAML token, creates the user, and assigns the user the default role and the default group, if it is configured. IDMC establishes the user session and logs the user in.
- If the user does not exist and auto-provisioning of users is disabled, IDMC fails the login.
4When a user logs out of IDMC or the session times out, IDMC sends a SAML logout request to the identity provider.
5The identity provider terminates the user session on the identity provider side.
SAML single sign-on for authentication and authorization
When a user signs on to IDMC and the organization uses SAML SSO for authentication and authorization, the following process occurs:
1IDMC sends a SAML authentication request to the organization's identity provider.
2The identity provider confirms the user's identity and sends a SAML authentication response to IDMC. The authentication response includes a SAML token.
3When IDMC receives the SAML authentication response from the identity provider, it completes the following tasks:
- If the user exists, IDMC gets the user roles, groups, and attributes from the SAML token. It finds the corresponding IDMC user roles and groups, and updates the user roles, if necessary. IDMC establishes the user session and logs the user in.
- If the user does not exist and auto-provisioning of users is enabled, IDMC gets the user roles, groups, and attributes from the SAML token and creates the user. IDMC establishes the user session and logs the user in. If the token contains no SAML role or group information, IDMC fails the login.
- If the user does not exist and auto-provisioning of users is disabled, IDMC fails the login.
4When a user logs out of IDMC or the session times out, IDMC sends a SAML logout request to the identity provider.
5The identity provider terminates the user session on the identity provider side.