
In this post, we describe Syndeia’s new integration for User Authentication and Single-Sign-On using OASIS-standard Security Assertion Markup Language 2.0 – better known as “SAML2 SSO”.

“SSO is working great. My team and I worked with our CIS/IAM team to configure SAML/SSO on Syndeia, and it was a rather straightforward process.” – Syndeia early-access Adopter.

“Single Sign-On” (SSO) is an authentication protocol for human users who interact with multiple modern IT services via their Internet web browsers.

As the figure shows, with the new [Login with SSO] button on the Syndeia Web Dashboard, users may authenticate with their organization’s Identity Provider and then browse straight into Syndeia. Industry-standard SAML2 enables all of this user experience.

Figure 1: The Syndeia SAML2 user experience for SP-Originated SSO

When an IT service (a “Service Provider”, or SP, in SAML2 terms) offers SSO, that SP delegates to an external Identity Provider (IdP), and to the user’s browser, the task of determining whether a visiting stranger is, in fact, a recognized authentic user.

With SSO in effect, a stranger visits one of several SPs offered in the organization and authenticates with the organization’s IdP once (for the duration of a session, which is typically a business day long). The IdP challenges the stranger to prove their identity in one of several multi-factor ways. If the IdP decides that the stranger is an authentic user, it establishes a session for that user and informs the awaiting SP that the stranger is, in fact, an authentic user. The SP retrieves any user profile information that it needs from the SAML Response and then grants the user access to the services within the SP.

When the same user, using the same browser, visits another SP, that SP will also delegate the authentication challenge to the IdP and to the browser. For these secondary sign-ins, the IdP and the browser already recognize the user based on saved session state, and so the awaiting SP is informed immediately that the user is authentic, without the IdP having to challenge the user for re-entry of their credentials.
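The SP side of the SP-originated flow described above, as an added example that is not Syndeia's code: it builds the AuthnRequest redirect and then checks that the returned SAML Response answers that request, names this SP as audience and is still valid before reading the user profile. The entity ID, IdP URL and sample Response are constructed, and XML signature verification is assumed to be done beforehand by a vetted SAML library.

```python
import base64, secrets, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"  # hypothetical SP entity ID
IDP_SSO_URL = "https://idp.example.test/sso"            # hypothetical IdP endpoint
TS = "%Y-%m-%dT%H:%M:%SZ"

def build_redirect(now):
    """SP: AuthnRequest for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode)."""
    req_id = "_" + secrets.token_hex(16)  # the SP keeps this until the Response arrives
    xml = (f'<p:AuthnRequest xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" ID="{req_id}" '
           f'Version="2.0" IssueInstant="{now.strftime(TS)}" Destination="{IDP_SSO_URL}">'
           f'<a:Issuer>{SP_ENTITY_ID}</a:Issuer></p:AuthnRequest>')
    deflated = zlib.compress(xml.encode())[2:-4]  # raw DEFLATE: drop zlib header and checksum
    return req_id, IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

def check_response(xml_text, expected_req_id, now):
    """SP: bind the Response to our request, audience and validity window (signature checked earlier)."""
    root = ET.fromstring(xml_text)  # assumption: a hardened parser (e.g. defusedxml) in production
    if not root.find("p:Status/p:StatusCode", NS).get("Value").endswith(":Success"):
        raise ValueError("IdP did not authenticate the user")
    if root.get("InResponseTo") != expected_req_id:
        raise ValueError("Response does not answer our AuthnRequest")
    assertion = root.find("a:Assertion", NS)
    cond = assertion.find("a:Conditions", NS)
    if SP_ENTITY_ID not in [e.text for e in cond.iterfind("a:AudienceRestriction/a:Audience", NS)]:
        raise ValueError("assertion was issued for a different SP")
    if now >= datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc):
        raise ValueError("assertion has expired")
    attrs = {at.get("Name"): [v.text for v in at.iterfind("a:AttributeValue", NS)]
             for at in assertion.iterfind("a:AttributeStatement/a:Attribute", NS)}
    return assertion.find("a:Subject/a:NameID", NS).text, attrs

def sample_response(req_id, audience, now):  # constructed, unsigned IdP Response for the demo
    exp = (now + timedelta(minutes=5)).strftime(TS)
    return (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" InResponseTo="{req_id}"><p:Status>'
            f'<p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></p:Status>'
            f'<a:Assertion><a:Subject><a:NameID>alice@example.test</a:NameID></a:Subject>'
            f'<a:Conditions NotOnOrAfter="{exp}"><a:AudienceRestriction><a:Audience>{audience}'
            f'</a:Audience></a:AudienceRestriction></a:Conditions><a:AttributeStatement>'
            f'<a:Attribute Name="mail"><a:AttributeValue>alice@example.test</a:AttributeValue>'
            f'</a:Attribute></a:AttributeStatement></a:Assertion></p:Response>')

if __name__ == "__main__":
    t = datetime.now(timezone.utc)
    rid, url = build_redirect(t)
    print(url, check_response(sample_response(rid, SP_ENTITY_ID, t), rid, t), sep="\n")
```
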

Users enjoy SSO because it minimizes how often they must access MFA devices, type pass phrases, or provide PIV/CAC certificates, and because it reduces the number of different sets of credentials they must remember and recall.

Cybersecurity staff require SSO because it reduces the number of entries into the IT network and makes a hacker’s Operational Security (OPSEC) attacks harder: users, the weak spot in the security armor, have less information that they might divulge.

Intercax offers you Syndeia, the digital thread platform for model-based engineering – now with user-friendly, cybersecure SAML2 SSO.

Although we at Intercax enjoy talking about and implementing SAML2 and other protocols, this blog is not our chance to tell you all that you want or need to know about SAML2. Click here to read more.

Future blog posts in this series introduce additional new features in Syndeia 3.5, including more integrations and options for containerized deployment. Keep reading and stay secure out there!

An accompanying video demonstrates the user experience for Single Sign-On using Syndeia 3.5 Web Dashboard.

Glossary

  • SAML2: “Security Assertion Markup Language 2.0”, the definitive industry standard for federated identity authentication in user web flows.
  • SSO: “Single Sign-On”, a web user experience that allows authentic users to sign in once with an Identity Provider and to then not have to provide identity proof for the remainder of a session of tunable duration when using several Service Providing applications.
  • MFA: “Multi-Factor Authentication”, an authentication protocol that challenges the stranger to provide identity proof using multiple factors, not just one.
  • CAC/PIV: “Common Access Card” and “Personal Identity Verification”, credit-card-sized cards with a smart chip that holds X.509 security certificates and user profile information. (Commonly used in the Defense Industrial Base as one MFA factor.)

More in the Blog Series, New in Syndeia 3.5:

To learn more about new capabilities coming in Syndeia 3.5, refer to other posts in this blog series.
