SAML (Security Assertion Markup Language) is an open standard for authentication and authorization between a service provider and an identity provider and is commonly used to implement a single sign-on (SSO) service. By using this SSO service, there is no need to type in credentials or remember passwords.
- Authentication - The service provider agrees to trust the identity provider to authenticate users.
- Authorization - Upon request, the identity provider generates an authentication assertion. This means that the user has been successfully authenticated and the service provider can grant the user access to certain systems or content.
Some of the identity providers supported by Devo are Google, Okta, OneLogin, and Azure AD. Suppose a user is logged in to one of these identity providers and wants to log in to Devo, which operates as the service provider. Here's what happens:
- The user accesses Devo and the application loads. Devo redirects the user back to the identity provider and asks for authentication.
- The identity provider generates the authentication assertion as an XML document containing the user’s e-mail address, signs it using an X.509 certificate, and posts this information to Devo.
- Devo, which already trusts the identity provider and has a certificate fingerprint, receives the authentication assertion and validates it using the certificate fingerprint.
- The identity of the user is established and the user is provided with access to Devo.
Here is how an Admin enables SAML for a domain:
Enable Devo as a service provider
Go to Preferences → Domain preferences → Authentication.
Select the SAML2 tab and check the Active box. The service provider's Home URL, ACS URL, and Entity ID are automatically filled in.
- Select the User provisioning checkbox at the bottom of the form if you want users not registered in the domain to be signed up when they enter their credentials for the first time. They will be assigned the No Privileges role.
- Check the Role mapping option if you want to authorize roles created in your SAML account by mapping them to Devo roles defined in your domain. Learn more about this in Role mapping.
- Check the Enable POST-Binding option if you want to use the POST-Binding workflow instead of the default HTTP-Redirect method.
- Select the Update button.
Enable the identity provider
The following articles guide you through enabling each of the different identity providers:
- Google as an identity provider
- Okta as an identity provider
- OneLogin as an identity provider
- O365/Azure AD as an identity provider