About SAML

CSM supports SAML 2.0 as a service provider. Before SAML can be used, the integration must be configured in CSM Administrator and in the identity provider.

The CSM Outlook add-in does not currently support SAML authentication.

When a user starts CSM (the CSM Desktop Client or the CSM Browser Client), the Cherwell Service sends a SAML authentication request to the user's identity provider. Users who are not already logged in to the identity provider are presented a login window so they can enter their credentials, which the identity provider authenticates. If authentication succeeds, the identity provider sends a response containing one or more assertion statements to the Cherwell Assertion Consumer Service.

An assertion indicates that the identity provider has successfully authenticated the user. It includes a NameID (for example, an email address or Windows login ID) and, optionally, additional attributes about the user (for example, name and department). The Cherwell Service uses the NameID to find the user in CSM (the user can be either a customer or an internal user) and then logs the user in to the Cherwell application without further user interaction. Because the NameID alone selects the CSM account that is logged in, a SAML service provider must verify the identity provider's signature on the response, and check that the assertion is addressed to it (audience and recipient) and is still within its validity period, before trusting the NameID.
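The SP-initiated exchange described above, end to end, as an added Python example that is not part of the CSM product or of this page: it builds the AuthnRequest a service provider sends (HTTP-Redirect binding), then plays the Assertion Consumer Service role on a constructed, unsigned IdP response, checking InResponseTo, status, issuer, validity window, audience and bearer confirmation before mapping the NameID to a customer or internal user. The entity IDs, URLs and user table are hypothetical; XML signature verification is left to a real library such as xmlsec and is only noted in a comment.

```python
import base64
import datetime as dt
import uuid
import zlib
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree in production

# Hypothetical endpoints and identifiers; not CSM's real values.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://csm.example.com/CherwellService"
ACS_URL = "https://csm.example.com/CherwellService/saml/acs"
IDP_SSO_URL = "https://idp.example.com/sso"
IDP_ENTITY_ID = "https://idp.example.com"

# Constructed stand-in for the CSM user table, keyed by NameID.
USERS = {"jdoe@example.com": ("internal user", "Jane Doe"),
         "cust@example.com": ("customer", "Pat Customer")}

def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse_ts(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def build_authn_request(now=None):
    """SP-initiated step: return (request_id, value for the SAMLRequest query parameter)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    request_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{_ts(now)}" Destination="{IDP_SSO_URL}" '
           f'AssertionConsumerServiceURL="{ACS_URL}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64; the caller URL-encodes it.
    z = zlib.compressobj(9, zlib.DEFLATED, -15)
    return request_id, base64.b64encode(z.compress(xml.encode()) + z.flush()).decode()

def decode_redirect_param(param):
    """Inverse of the redirect encoding, as an IdP would apply it."""
    return zlib.decompress(base64.b64decode(param), -15).decode()

def make_response(request_id, name_id, now, audience=SP_ENTITY_ID, attrs=None, status=SUCCESS):
    """Constructed (unsigned) IdP response, used only to exercise process_response offline."""
    attr_xml = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue>'
                       f'</saml:Attribute>' for k, v in (attrs or {}).items())
    later = _ts(now + dt.timedelta(minutes=5))
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" '
           f'Version="2.0" IssueInstant="{_ts(now)}" Destination="{ACS_URL}" InResponseTo="{request_id}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
           f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_ts(now)}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<saml:Subject><saml:NameID>{name_id}</saml:NameID>'
           f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           f'<saml:SubjectConfirmationData InResponseTo="{request_id}" Recipient="{ACS_URL}" '
           f'NotOnOrAfter="{later}"/></saml:SubjectConfirmation></saml:Subject>'
           f'<saml:Conditions NotBefore="{_ts(now - dt.timedelta(minutes=1))}" NotOnOrAfter="{later}">'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
           f'</saml:Conditions><saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def process_response(saml_response_b64, expected_request_id, now):
    """ACS step: validate the response and map the NameID to a CSM user; raises ValueError on failure.
    Signature verification is out of scope here: a real ACS MUST verify the XML signature on the
    Response/Assertion against the IdP's configured certificate (e.g. with xmlsec) before any of this."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f'{{{NS["samlp"]}}}Response':
        raise ValueError("not a samlp:Response")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match our AuthnRequest (replayed or unsolicited)")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP reported authentication failure")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("unexpected issuer")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion")
    cond = assertion.find("saml:Conditions", NS)
    if not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was issued for a different service provider")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != expected_request_id:
        raise ValueError("bearer confirmation does not name this ACS and request")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if name_id not in USERS:
        raise ValueError(f"NameID {name_id!r} matches no CSM customer or internal user")
    kind, display = USERS[name_id]
    return {"name_id": name_id, "user_type": kind, "display_name": display, "attributes": attrs}

def demo(name_id="jdoe@example.com", audience=SP_ENTITY_ID, wrong_request_id=False):
    """One SP-initiated round trip at a fixed clock; returns the user record or the rejection reason."""
    now = dt.datetime(2024, 1, 1, 12, 0, tzinfo=dt.timezone.utc)
    request_id, _redirect_param = build_authn_request(now)
    response = make_response(request_id, name_id, now, audience, {"department": "IT"})
    expected = "_someone_elses_request" if wrong_request_id else request_id
    try:
        return process_response(response, expected, now)
    except ValueError as e:
        return str(e)

if __name__ == "__main__":
    print(demo())
    print(demo(audience="https://other-sp.example.com"))
```

The audience and InResponseTo checks are what stop an assertion minted for another service provider, or captured from an earlier login, from being replayed against this ACS; the NameID lookup is the point where the identity provider's identity becomes a CSM customer or internal user, so anything the lookup should not trust has to be rejected before it.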

SAML is designed for browsers. When a Desktop Client application initiates SAML authentication, it opens a browser window; after SAML authentication completes successfully, the window closes automatically. Each Desktop Client application maintains its own separate session information, so users are prompted to log in to the identity provider every time they log in to the Desktop Client (with the exception of ADFS, which uses the current Windows session).

The figure shows the CSM SAML SSO process.

SAML Single Sign-on Process

The figure shows the CSM SAML IdP Initiated process.

SAML IdP Initiated Login Process