Single sign-on using SAML

Single sign-on (SSO) is a session/user authentication process where a user enters one user name and password to access multiple applications. API Portal supports SAML-based SSO.

SSO concepts

The SAML 2.0 standard describes how to exchange authentication and authorization data between entities. This section describes some key concepts.

Service Provider

A Service Provider (SP) protects access to requested resources, such as web sites and applications, by applying a security policy. For example, the SP blocks all access from an unauthenticated user and routes the request to the Identity Provider. API Manager acts as an SP.

Identity Provider

An Identity Provider (IdP) is a system that creates, maintains, and manages identity information for users, services, or systems, and provides authentication to other service providers (applications) within a network. An IdP is a trusted entity that users and servers can rely on when they are establishing a dialog that must be authenticated. The IdP sends an attribute assertion containing trusted information about the user to the SP. In an Axway deployment, the IdP is a third-party product.

User agent

A user agent is usually a web browser. The person who uses the browser can be referred to as a user or as a principal.

Security Assertion Markup Language (SAML)

The Security Assertion Markup Language (SAML) is an XML-based solution for exchanging user security information (authentication, authorization) between an IdP and SP. SAML is a product of the OASIS Security Services Technical Committee.

SAML assertion

A SAML assertion is a package of information that contains one or more statements made by a SAML authority. The SAML standard defines three types of assertion statement:

  • Authentication: The specified subject was authenticated by a particular means at a particular time. This kind of statement is typically generated by an IdP.
  • Attribute: The specified subject is associated with the supplied attributes.
  • Authorization: A decision to grant or deny the specified subject access to the specified resource.
