Support SAML in your application with Stormpath

Today we launched support for the SAML standard for authentication and user management.

Applications that use Stormpath for user management will now be able to use popular identity providers (IdPs) for Single Sign-On (SSO) capability. In other words, Stormpath-backed apps are now SAML service providers that work with SAML services like OneLogin, Okta, Salesforce or any other SAML IdP, including home-grown and open source options.

SAML support is one of the features most frequently requested by our customers, and it raises the bar on the enterprise-readiness of the Stormpath service. With multi-tenant customer partitioning, LDAP/AD integration, social login, high scalability and availability, Stormpath can fully support identity in an enterprise service or cloud platform. B2B applications that require multi-tenancy or have customers using different IdPs will save a great deal of time (and frustration) with this feature. User-initiated Single Sign-On also lets you build applications that provide a seamless end-user experience.

And if you want to skip reading you can watch our free webinar, No-Code SAML Support with Stormpath.

Let’s dive in!

First, What Is SAML?

SAML (Security Assertion Markup Language) is an XML-based standard for securely exchanging authentication and authorization information about a user between two parties: an identity provider (IdP), which authenticates the user, and a service provider (SP), which trusts the IdP's signed assertion about that user instead of running its own login. Well-known IdPs include Salesforce, Okta, OneLogin and Shibboleth. Your apps are the SAML service providers, and the Stormpath API makes it possible to integrate them with the IdPs (but without headaches).

Stormpath SAML Service Provider Support

Our initial support for SAML includes an update to the Stormpath REST API, along with our SDKs (see Resources below). Instead of working with XML or even directly with SAML itself, Stormpath allows you to set up SAML consumption by just adding some configuration to our SDK and the Stormpath console. From there, your applications can consume SAML assertions from any SAML IdP.

Now you can create applications that deliver a unified and seamless SSO experience for end users, without any custom code. Stormpath-backed applications can now authenticate users without requiring a separate username and password for your application. Like all features at Stormpath, SAML support comes with pre-built login screens and workflows through ID Site.

Easy SAML Consumption from Any IdP

With Stormpath your application can support multiple IdPs, so you can connect your application to separate user stores, e.g. Okta, Salesforce, and Shibboleth, with just a little configuration. This makes it easy to meet your customer requirements: if one customer needs your app to connect to their home-grown IdP, and another uses Ping Identity, Stormpath SAML makes the integration easy for your applications and developers.

Configuration-based attribute mapping enables seamless support for different identity providers, allowing each of them to assert account attributes into your application under its own naming scheme. For example, if one IdP sends the SAML attribute firstName=Tom and another sends fn=Tom, you can configure Stormpath to map both onto a single givenName attribute on the account in your application.

Multi-Tenant Customer Data Are Built In

Many Stormpath-backed applications use our robust Authorization functionality to partition customer organizations in their SaaS application, and this release makes SAML very accessible for those applications.

Typically, a SAML service-provider implementation is configured against a single identity provider, so supporting several customers' IdPs means running a separate SP configuration or instance for each one. Stormpath's approach to SAML support is free from this constraint, giving you the flexibility to support diverse IdPs for different customer organizations within the same instance of your application. This also makes it easy to meet customer compliance and privacy requirements without adding operational overhead just to support SAML.
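The two ideas above, per-IdP attribute mapping and binding each customer organization to its own IdP inside one application instance, are easier to reason about with a concrete normalisation step in front of you. The following is an added example written for this post, not Stormpath's code or API: it assumes a hypothetical per-organization registry (ORGANIZATIONS), two constructed assertions, and that the SP library has already validated the assertion's signature, audience and validity window before this code runs. The issuer check matters in a multi-tenant SP: without it, an assertion from one customer's IdP could populate accounts in another customer's organization.

```python
"""Per-organization SAML attribute mapping (added example, not Stormpath code).

Assumes signature, audience and time-window validation have already been done
by the SP library; this step only normalises attributes for a known tenant.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Hypothetical registry: each customer organization is bound to exactly one
# IdP (by entityID) and carries its own attribute-name mapping onto the
# application's canonical account fields.
ORGANIZATIONS = {
    "acme": {
        "idp_entity_id": "https://idp.acme.example/saml/metadata",
        "attribute_map": {"firstName": "givenName", "lastName": "surname", "mail": "email"},
    },
    "globex": {
        "idp_entity_id": "https://sso.globex.example/idp",
        "attribute_map": {"fn": "givenName", "ln": "surname", "emailAddress": "email"},
    },
}

# Constructed sample messages. One is a full samlp:Response wrapping the
# assertion, the other a bare saml:Assertion; both shapes occur in practice.
ACME_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.acme.example/saml/metadata</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Tom</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>tom@acme.example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

GLOBEX_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a2" Version="2.0">
  <saml:Issuer>https://sso.globex.example/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="fn"><saml:AttributeValue>Tom</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="ln"><saml:AttributeValue>Jones</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="emailAddress"><saml:AttributeValue>tom@globex.example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (issuer, {attribute name: [values]}) from a Response or Assertion."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{NS['saml']}}}Assertion":
        assertion = root
    else:
        assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if not issuer:
        raise ValueError("Assertion has no Issuer")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return issuer.strip(), attrs


def map_attributes(org_id, xml_text):
    """Normalise an assertion's attributes for one organization, or raise."""
    org = ORGANIZATIONS[org_id]
    issuer, attrs = parse_assertion(xml_text)
    # Tenant binding: only the IdP registered for this organization may
    # assert attributes into its accounts.
    if issuer != org["idp_entity_id"]:
        raise ValueError(f"issuer {issuer} is not the IdP bound to organization {org_id}")
    account = {}
    for idp_name, canonical in org["attribute_map"].items():
        values = attrs.get(idp_name)
        if values:
            account[canonical] = values[0]  # first value wins for single-valued fields
    return account


def assertion_accepted(org_id, xml_text):
    """True if the assertion maps cleanly for the organization, False otherwise."""
    try:
        map_attributes(org_id, xml_text)
        return True
    except ValueError:
        return False
```

Both sample messages yield givenName=Tom, but only when presented to the organization whose IdP issued them; presenting the Acme response under the Globex organization is refused even though the XML is well-formed.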

SP-Initiated Login Flows or IdP-Initiated Flows

Stormpath SAML support also provides flexibility in the point of entry for authentication. End users can start at the IdP's portal and arrive at the Stormpath-backed application already authenticated (an IdP-initiated flow). Or they can start at the Stormpath-backed application, be redirected to the IdP to authenticate, and return signed in (an SP-initiated flow); because the IdP now holds a session for them, they are also signed in to the other applications attached to that IdP.
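The difference between the two flows is visible on the wire. In an SP-initiated flow the application sends an AuthnRequest (shown here with the HTTP-Redirect binding: DEFLATE, base64, URL-encode) and later receives a Response whose InResponseTo names that request; an IdP-initiated Response carries no InResponseTo, so the SP must decide explicitly whether to accept unsolicited responses at all. The block below is an added example written for this post, not Stormpath's implementation; the entity IDs and URLs are hypothetical, and signature, Destination, audience and time-window checks are assumed to be performed by the SP library before classify_response is called.

```python
"""SP-initiated vs IdP-initiated SAML flows (added example, not Stormpath code)."""
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical SP and IdP endpoints.
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
SP_ACS_URL = "https://app.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.org/sso/redirect"


def new_request_id():
    # SAML IDs are xsd:ID values and must not start with a digit, hence the prefix.
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id, issue_instant):
    """Minimal AuthnRequest asking the IdP to POST its Response to our ACS URL."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def redirect_binding_url(authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(authn_request_xml.encode()) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state  # where to land after login, e.g. a deep link
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_saml_request(url):
    """Inverse of the redirect binding, as the IdP would perform it."""
    qs = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode()


class OutstandingRequests:
    """Request IDs this SP has issued and not yet seen answered (per user session in practice)."""

    def __init__(self, allow_unsolicited=False):
        self.ids = set()
        self.allow_unsolicited = allow_unsolicited

    def start_sp_initiated(self, relay_state=None):
        """Begin an SP-initiated flow: mint a request ID and the redirect URL for the browser."""
        rid = new_request_id()
        self.ids.add(rid)
        now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        return rid, redirect_binding_url(build_authn_request(rid, now), relay_state)

    def classify_response(self, response_xml):
        """Return (accepted, reason) for an incoming samlp:Response.

        Signature, Destination, audience and time checks are assumed done already.
        """
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{SAMLP}}}Response":
            return False, "not-a-response"
        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            # Nothing to correlate with: an unsolicited, IdP-initiated Response.
            if not self.allow_unsolicited:
                return False, "unsolicited-rejected"
            return True, "idp-initiated"
        if in_response_to not in self.ids:
            # Unknown, expired or already-consumed request ID: treat as a replay.
            return False, "unknown-request-id"
        self.ids.discard(in_response_to)  # each AuthnRequest is answered at most once
        return True, "sp-initiated"
```

Consuming the request ID on first use is what turns InResponseTo into a replay check; the IdP-initiated path has no such anchor, which is why it is opt-in here.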

Stormpath SAML Resources

We will be publishing a number of tutorials and demos for SAML support in our SDKs in the coming weeks.