Single Sign-On (SSO) via SAML 2.0 enables users to authenticate with SmartSimple through their organization's existing Identity Provider, removing the need for a separate SmartSimple login. Optionally, just-in-time provisioning can automatically create user accounts in SmartSimple on first successful login.
Who: Global Administrators.
What Is Single Sign-On via SAML 2.0
SSO is a subset of federated identity management. It handles authentication only, not account management or synchronization with SmartSimple.
SmartSimple supports SAML (Security Assertion Markup Language) 2.0. In this implementation, SmartSimple acts as the Service Provider. The client hosts, configures, and manages the Identity Provider service.
Two authentication flows are supported:
- Identity Provider-initiated: The user authenticates on the client-side system first. The Identity Provider generates a base64-encoded SAML assertion and transmits it to the user's browser, which relays the assertion to SmartSimple for authentication.
- Service Provider-initiated: SmartSimple sends a SAML authorization request to the Identity Provider and redirects the user to authenticate. After successful authentication, the Identity Provider redirects the user back to SmartSimple with a base64-encoded SAML assertion response.
When to Use Single Sign-On via SAML 2.0
Use Single Sign-On via SAML 2.0 when:
- The organization has an existing identity provider and wants users to log in to SmartSimple without a separate username and password.
- Authentication and access management need to be centralized across multiple systems.
- Consistent authentication policies, such as multi-factor authentication, need enforcement through the Identity Provider.
- Users need seamless access to SmartSimple from within an existing corporate portal or intranet.
Security Implications
Consider the following security-related settings when implementing SSO:
- Session Timeout Alert: It is recommended to disable the Session Timeout Alert by going to the Security tab in Global Settings and toggling on Disable Session Timeout Login Prompt. This alert does not apply to users who log in via SSO.
- Enforce SSO: By default, SSO is an additional authentication method. To restrict specific user roles to SSO-only login, preventing username and password authentication for those roles, use the Enforce SSO setting in the Integration tab of Global Settings.
- X.509 Signing Certificate for SP-Initiated SSO: When using Service Provider-initiated SSO, SmartSimple sends a signed authentication request, embedded with the signed value and the X.509 certificate, to the Identity Provider. Enable the Sign authentication request sent to Identity Provider setting in the SSO configuration to use this feature.
Resources
For more information about SSO, see: