Today we launched support for the SAML standard for authentication and user management.
Applications that use Stormpath for user management will now be able to use popular identity providers (IdPs) for Single Sign-On (SSO) capability. In other words, Stormpath-backed apps are now SAML service providers that work with SAML services like OneLogin, Okta, Salesforce or any other SAML IdP, including home-grown and open source options.
SAML support is one of the features most frequently requested by our customers, and it raises the bar on the enterprise-readiness of the Stormpath service. With multi-tenant customer partitioning, LDAP/AD integration, social login, high scalability and availability, Stormpath can fully support identity in an enterprise service or cloud platform. B2B applications that require multi-tenancy or have customers using different IdPs will save a great deal of time (and frustration) with this feature. User-initiated Single Sign-On also lets you build applications that provide a seamless end-user experience.
And if you want to skip reading, you can watch our free webinar, No-Code SAML Support with Stormpath.
Let’s dive in!
SAML (Security Assertion Markup Language) is an XML-based standard for securely exchanging authentication and authorization information between entities—specifically between identity providers, service providers, and users. Well-known IdPs include Salesforce, Okta, OneLogin, and Shibboleth. Your apps are the SAML service providers, and the Stormpath API makes it possible to integrate them with the IdPs (but without headaches).
Our initial support for SAML includes an update to the Stormpath REST API, along with our SDKs (see Resources below). Instead of working with XML or even directly with SAML itself, Stormpath allows you to set up SAML consumption by just adding some configuration to our SDK and the Stormpath console. From there, your applications can consume SAML assertions from any SAML IdP.
Now you can create applications that deliver a unified and seamless SSO experience for end users, without any custom code. Stormpath-backed applications can now authenticate users without requiring a separate login. Like all features at Stormpath, SAML support comes with pre-built customer screens and workflows through ID Site.
With Stormpath your application can support multiple IdPs, so you can connect your application to separate user stores, e.g. Okta, Salesforce, and Shibboleth, with just a little configuration. This makes it easy to meet your customer requirements: if one customer needs your app to connect to their home-grown IdP, and another uses Ping Identity, Stormpath SAML makes the integration easy for your applications and developers.
Configuration-based attribute mapping enables seamless support for different identity providers, allowing them to assert account attributes into your application. For example, if one IdP says that variable firstName=Tom and another IdP says fn=Tom, you can use Stormpath to map both to a variable called givenName within your application.
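To make the attribute-mapping idea concrete, here is an added example in Python that is not Stormpath's code and does not use Stormpath's configuration format. It assumes two hypothetical IdPs (`idp-a`, `idp-b`) with constructed issuer URLs and constructed, unsigned assertion fragments; it reads the `AttributeStatement` of each, translates the IdP-specific names (`firstName` vs `fn`) onto one canonical `givenName`, drops attributes that have no mapping, refuses assertions from issuers that are not configured, and refuses to provision an account when a required attribute is absent. Signature validation of the assertion is deliberately outside the example: in a real service provider the assertion must be verified before any attribute in it is trusted.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace; Attribute elements live under AttributeStatement.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical per-IdP configuration (constructed for this example): which
# issuer is which IdP, and how each IdP's attribute names map onto the names
# our application uses internally. Not Stormpath's real configuration schema.
ISSUER_TO_IDP = {
    "https://idp-a.example/saml": "idp-a",
    "https://idp-b.example/saml": "idp-b",
}
ATTRIBUTE_MAPPINGS = {
    "idp-a": {"firstName": "givenName", "lastName": "surname", "mail": "email"},
    "idp-b": {"fn": "givenName", "ln": "surname", "emailAddress": "email"},
}
# Attributes the application cannot provision an account without.
REQUIRED = ("givenName", "surname", "email")

# Constructed sample assertions: unsigned and trimmed to the parts this example reads.
ASSERTION_IDP_A = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp-a.example/saml</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Tom</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>tom@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

ASSERTION_IDP_B = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp-b.example/saml</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="fn"><saml:AttributeValue>Tom</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="ln"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="emailAddress"><saml:AttributeValue>tom@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same IdP as A, but the e-mail attribute is missing.
ASSERTION_IDP_A_INCOMPLETE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp-a.example/saml</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Tom</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return (issuer, {asserted name: [values]}) from an assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return issuer, attrs


def map_attributes(idp_id, asserted):
    """Translate one IdP's attribute names to the application's canonical names."""
    mapping = ATTRIBUTE_MAPPINGS[idp_id]
    account = {}
    for asserted_name, values in asserted.items():
        canonical = mapping.get(asserted_name)
        if canonical is None or not values:
            continue  # attributes with no mapping are ignored, never passed through
        account[canonical] = values[0]  # attributes are single-valued in this example
    missing = [name for name in REQUIRED if name not in account]
    if missing:
        raise ValueError("assertion lacks required attributes: " + ", ".join(missing))
    return account


def account_from_assertion(assertion_xml):
    """Resolve the IdP from the issuer, then map its attributes; unknown issuers are rejected."""
    issuer, asserted = extract_attributes(assertion_xml)
    idp_id = ISSUER_TO_IDP.get(issuer)
    if idp_id is None:
        raise ValueError("assertion from unconfigured issuer: %r" % issuer)
    return map_attributes(idp_id, asserted)


if __name__ == "__main__":
    for label, xml in (("idp-a", ASSERTION_IDP_A), ("idp-b", ASSERTION_IDP_B)):
        print(label, account_from_assertion(xml))
```

Both sample assertions resolve to the same canonical account record (`givenName`, `surname`, `email`), while the `department` attribute from the first IdP is dropped because nothing maps it. The three defensive choices are what matter when you operate this in production, whether the mapping lives in your own code or in Stormpath's configuration: accept attributes only from issuers you have explicitly configured, never pass through attribute names you did not map, and fail closed when a required attribute is missing rather than creating a half-populated account.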
Many Stormpath-backed applications use our robust Authorization functionality to partition customer organizations in their SaaS application, and this release makes SAML very accessible for those applications.
Typically, SAML implementations require a separate instance for each identity provider. Stormpath’s approach to SAML support is free from this constraint, giving you the flexibility to support diverse IdPs for different customer organizations within the same instance of your application. This also makes it easy to meet customer compliance and privacy requirements without adding a lot of operational overhead to support SAML.
Stormpath SAML support also provides flexibility in the point of entry for authentication. End users can access the IdP portal first and then be automatically authenticated for the Stormpath-backed application. Or they can enter through the Stormpath-backed application and automatically be authenticated for all the apps attached to the IdP as well.
We will be publishing a number of tutorials and demos for SAML support in our SDKs in the coming weeks.