SAML Configuration Components
SAML configuration components include SAML user identities, metadata, single sign-on (SSO), single logout, and identity providers.
SAML User Identities (Name IDs)
CSM supports the following types of user identities (Name IDs) in SAML assertions:
- Email addresses
- Windows login IDs
All identity providers should support email addresses, and some also support Windows login IDs. Either type maps easily onto CSM user information, because CSM already stores both. Users only need to select which type to use, verify that the identity provider supports it, and verify that the value is populated for every user in the CSM Database and is unique across all users.
For Windows environments, the recommended solution is ADFS with Windows account names. This combination is known to work well and can reduce the number of login prompts. Using account names also avoids problems where multiple users share the same email address. With other identity providers, particularly those hosted outside the organization's network, email addresses might be the only option available.
SAML Metadata
SAML defines a format for metadata, which is provided in the form of an XML document that describes what is supported and required by an identity or service provider. Metadata is a convenient way to set up providers without having to enter complex information manually. CSM provides the ability to import metadata for identity providers and to export metadata for the CSM Service Provider.
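The two checks described above, that the identity provider advertises the chosen Name ID format in its metadata and that the matching field is populated and unique for every CSM user, can be scripted before a provider is imported. The following is an added example and is not CSM code; the metadata document, the entityID and endpoint URLs, the user records, and the function names are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
WINDOWS_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"
# Constructed sample identity-provider metadata; entityID and endpoint URLs are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed CSM user records: two users share one mailbox, one has no Windows login ID.
SAMPLE_CSM_USERS = [
    {"name": "Alice", "email": "alice@example.test", "windows_id": "CORP\\alice"},
    {"name": "Bob", "email": "helpdesk@example.test", "windows_id": "CORP\\bob"},
    {"name": "Carol", "email": "helpdesk@example.test", "windows_id": ""},
]

def parse_idp_metadata(xml_text):
    """Extract entityID, advertised Name ID formats and SSO endpoints; treat the document as untrusted input fetched over TLS."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    return {
        "entity_id": root.get("entityID"),
        "name_id_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS)],
        "sso_endpoints": {e.get("Binding"): e.get("Location")
                          for e in idp.findall("md:SingleSignOnService", NS)},
        # CSM does not use single logout, but recording whether the IdP offers it is useful.
        "supports_single_logout": idp.find("md:SingleLogoutService", NS) is not None,
    }

def check_name_id_choice(metadata, chosen_format, users, field):
    """Return problems that would break mapping assertions to CSM users (empty list means the choice is usable)."""
    problems = []
    if chosen_format not in metadata["name_id_formats"]:
        problems.append(f"identity provider does not advertise {chosen_format}")
    for u in users:
        if not u.get(field):
            problems.append(f"user {u['name']} has no {field} in CSM")
    for value, count in Counter(u[field] for u in users if u.get(field)).items():
        if count > 1:
            problems.append(f"{field} {value!r} is shared by {count} users, so it cannot identify one")
    return problems
```

Calling check_name_id_choice(parse_idp_metadata(SAMPLE_IDP_METADATA), EMAIL_FMT, SAMPLE_CSM_USERS, "email") reports the shared-mailbox case that the text above gives as the reason to prefer Windows account names.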
SAML Single Sign-On (SSO)
SAML was intended to be used primarily with browser-based applications. The authentication process is implemented through page posts and redirects through the user's browser. This is normally automatic and transparent and does not require any interaction with the user, with the exception of the initial login at the identity provider. After the user is authenticated, the user credentials are kept in the browser session. If the user logs in again or logs in to a different SAML-based application, the authentication process normally completes automatically without further prompting.
Because SAML is designed for browsers, CSM Desktop Client applications open a browser window to carry out the SAML authentication process. After SAML authentication completes successfully, this window closes automatically. Each Desktop Client application maintains its own separate session information, so every time a user logs in to a Desktop Client, they are prompted to log in to the identity provider (with the exception of ADFS, which uses the current Windows session information).
Because user credentials are kept in the browser session, it is very important for the user to close all browser applications when logging out, so that nobody else can reuse those credentials.
SAML Single Logout
SAML defines a single-logout protocol. SAML single logout is not supported by CSM because identity providers support it only to a limited extent.
Single logout lets a user select a global logout feature in a SAML application, which logs the user out of the current application and also notifies all SAML applications running in the current session to log the user out. There are a number of issues with this feature, and it is not always supported by identity providers. For example, Shibboleth does not support the logout feature at all, and Microsoft ADFS supports it only in a limited way.
SAML Identity Providers
You can configure a SAML identity provider such as Microsoft ADFS to work with CSM. Microsoft ADFS supports SAML with Active Directory and is the best choice for organizations where users are internal employees using Windows. For ADFS, the most commonly configured SAML Name ID type is the Windows login ID, although email addresses can also be used. As long as a user is logged in to the same network as the ADFS service, the user should be able to use any configured SAML application without ever being prompted for a login. If the user is not directly logged in to the network, the user is prompted to log in through ADFS.
CSM supports identity-provider-initiated SAML. Users log in at the identity provider page with their login information and select CSM as the desired service provider, which transfers them to CSM after login.