The following article describes the EasySend platform's Single Sign-On (SSO) capabilities. It explains what SSO is, what Security Assertion Markup Language (SAML) is, how SSO and SAML work, and how they are configured.
What is SSO?
(See Figure 1)
SSO is a method of authentication that allows users to log in to several applications with the same credentials. SSO replaces the need to manage a separate username and password for each application. For example, when users click "Sign in with Google", they can log in to non-Google applications using their Google account.
Figure 1: SSO Logic
What is SAML
(See Figure 2)
SAML is a standard method for implementing SSO. It is a web-based authentication mechanism that relies on the browser to broker the authentication flow: the Identity Provider (IDP) and the Service Provider (SP) never talk to each other directly, and instead exchange signed XML messages through the user's browser. This means EasySend never receives the user's password and never connects to the customer's directory or authentication systems, which is an important security property of SAML. Figure 2 describes the SAML flow between the customer's user and EasySend's platform:
- The user authenticates with their credentials against their organization's IDP, for example Azure AD.
- The IDP issues a signed SAML assertion describing the authenticated user, and the browser delivers it to EasySend's platform. EasySend verifies the assertion against the trust relationship established with the IDP (the IDP's signing certificate, entity ID and audience) rather than verifying the credentials themselves.
- The user is authenticated and is allowed or denied access to EasySend's platform.
Figure 2: SAML Flow
How Does SSO Work?
(See Figure 3)
A third-party SSO provider sits between the IDP and the Service Provider (SP), in our case the EasySend platform, and creates the trusted relationship between them. Figure 3 describes the SSO provider functionality:
- The SSO provider, using SAML, communicates with the customer's IDP to receive the profiles of the customer's users as they authenticate.
- The SP, using SAML, communicates with the SSO provider and receives information such as which users have been authenticated and which of them may access the platform.
The SSO provider relays and caches the customer's user information (it does not manage the users; the customer's IDP remains the source of truth) while creating the trusted relationship between the IDP and the SP.
Figure 3: SSO Provider Flow
Just in Time (JIT) Provisioning
JIT Provisioning is a SAML-based method that creates users the first time they log in to an application via the IDP. This eliminates the need to provision users or create user accounts manually. To enable JIT provisioning, an SSO trust must be established between the SP and the IDP, and the IDP must be confirmed to include the user attributes the application requires, such as username or email, in its SAML assertions. As a result, when new users attempt to log in to the application for the first time, their account is created at that moment rather than by an admin beforehand. The SAML assertion carries the information the web application needs from the identity provider. Figure 4 describes the JIT provisioning flow:
Figure 4: JIT Provisioning Flow
- A user tries to log in to an application using SSO.
- The login request is redirected to the IDP, where the user is authenticated.
- If no matching user exists in the application, a new user is created from the attributes in the SAML assertion.
- The user is logged in to the application.
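The SP-side handling behind the SAML flow above and the JIT provisioning steps, as an added example that is not part of the original article or of EasySend's code. It uses only the Python standard library and a constructed, unsigned SAML Response; it assumes the XML signature on the response has already been verified against the IDP's signing certificate by a SAML library (stdlib Python cannot verify XML-DSig), and shows the checks that follow that step (status, issuer, destination, audience, validity window, replay) plus creation of the user on first login. The issuer, audience, ACS URL and attribute names are assumptions, not EasySend's real values.

```python
"""SP-side SAML assertion checks and JIT provisioning (added example, stdlib only).

Assumption: the XML signature has already been verified by a SAML library. The
checks below are the ones the SP must still perform on a signed assertion.
"""
import xml.etree.ElementTree as ET  # use defusedxml in production against XXE/billion-laughs
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(seconds=60)  # tolerance for IDP/SP clock drift

# Assumed SP-side configuration (hypothetical values).
EXPECTED_ISSUER = "https://idp.example/"
EXPECTED_AUDIENCE = "https://sp.example/saml/metadata"
EXPECTED_ACS = "https://sp.example/saml/acs"
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)

# Constructed sample response (unsigned; see module docstring).
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T12:00:00Z" Destination="https://sp.example/saml/acs">
  <saml:Issuer>https://idp.example/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="displayName"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


class SamlError(Exception):
    """Raised when the response must be rejected; the user gets no session."""


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_bytes, now, seen_ids, issuer=EXPECTED_ISSUER,
                       audience=EXPECTED_AUDIENCE, acs=EXPECTED_ACS):
    """Return (name_id, attributes) from a response whose signature was already verified."""
    root = ET.fromstring(xml_bytes)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlError("IDP did not report success")
    if root.get("Destination") != acs:  # response was minted for a different SP endpoint
        raise SamlError("unexpected Destination")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlError("no assertion")
    if assertion.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise SamlError("unexpected issuer")
    aid = assertion.get("ID")
    if not aid or aid in seen_ids:  # the same assertion must not log a user in twice
        raise SamlError("assertion replayed")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlError("no Conditions")
    if now + CLOCK_SKEW < _ts(cond.get("NotBefore")) or now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        raise SamlError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:  # an assertion issued for another SP is not for us
        raise SamlError("audience mismatch")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise SamlError("no NameID")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    seen_ids.add(aid)  # record only after every check passed
    return name_id, attrs


def jit_login(user_store, name_id, attrs, required=("email",)):
    """Return the user record, creating it on first login (JIT provisioning)."""
    missing = [a for a in required if not attrs.get(a)]
    if missing:
        raise SamlError(f"IDP did not send required attributes: {missing}")
    user = user_store.get(name_id)
    if user is None:
        user = {"name_id": name_id, "email": attrs["email"],
                "display_name": attrs.get("displayName", ""), "created_by": "jit"}
        user_store[name_id] = user
    return user


def run_demo():
    """First login creates the user; second login reuses it; replay and expiry are rejected."""
    store, seen = {}, set()
    name_id, attrs = validate_assertion(SAMPLE_RESPONSE, SAMPLE_NOW, seen)
    first = jit_login(store, name_id, attrs)
    second = jit_login(store, name_id, attrs)
    outcomes = {"created": first["created_by"], "users": len(store), "same_user": first is second}
    try:
        validate_assertion(SAMPLE_RESPONSE, SAMPLE_NOW, seen)  # same assertion ID again
        outcomes["replay_rejected"] = False
    except SamlError:
        outcomes["replay_rejected"] = True
    try:
        validate_assertion(SAMPLE_RESPONSE, SAMPLE_NOW + timedelta(minutes=10), set())
        outcomes["expired_rejected"] = False
    except SamlError:
        outcomes["expired_rejected"] = True
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

The order of the checks matters: the assertion ID is recorded as seen only after every other check has passed, so a rejected response cannot poison the replay cache, and the audience check is what stops an assertion the IDP issued for some other service provider from being accepted by this one.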
Use Case Example
- Company A has its own Active Directory (AD), where it manages its users: usernames, passwords, and permissions.
- Company A would like to allow its employees to access EasySend's platform.
- Instead of using a dedicated authentication system, it connects its existing IDP (for example, its AD federated through an Azure AD tenant) with SSO.
- A user from Company A tries to log in to EasySend's platform.
- If the user does not yet exist on the platform, a new user is created through JIT provisioning.
- On EasySend's side (the SP), the platform communicates only with the SSO provider to learn about the user's authentication, attributes, and permissions.
Figure 5: Use Case Example
SSO Configuration - Overview
The SSO provider is configured to establish the connection between the IDP and the SP:
- IDP SSO provider configuration:
- A connection is created between the customer's IDP and the SP's account in the SSO provider.
- The customer provides the IDP's signing certificate, which allows the SP to verify the signature on the SAML response (and, if the customer encrypts assertions, the corresponding SP decryption key is configured on the SP side).
- SP SSO provider configuration: this configuration is internal and is done by EasySend implementers.