Stormpath recently added support for SAML (Security Assertion Markup Language) user management including both Service Provider (SP) initiated and Identity Provider (IdP) initiated authentication. (SAML is an XML-based standard for securely exchanging authentication and authorization information between entities.)

Instead of working with XML or even directly with SAML itself (which none of us wants to do), Stormpath allows you to support SAML login by just adding some configuration to our SDK and the Stormpath console. From there, your applications can consume SAML assertions from any SAML IdP.

SAML Terminology and Roles

Within a SAML workflow, the IdP (Identity Provider) is the data store that holds an application’s account information, including usernames and passwords. The IdP is responsible for password reset, two-factor authentication, and all other user management functions. Well-known enterprise IdPs utilizing SAML include Okta, Ping, ADFS, OneLogin, Salesforce, and Shibboleth.

The SP (Service Provider) is your application which, by utilizing the Stormpath API, can integrate with these IdPs without the headache of working directly with XML or SAML itself. Our integration with the IdP allows your application to grab an identity for any login or access request made and determine who each user agent is and what they should be allowed to do. User agents are the end users of your application, the people (and accounts) making those login or access requests.

Stormpath-assisted Connection vs. Direct Connection to Individual IdPs

So, why would an application want to use Stormpath for SAML connections, rather than connecting to those IDPs directly?

For us, it comes down to flexibility and ease of use. By offloading the burden of user identity management, including authentication and authorization, to Stormpath, your team resources can remain focused on building the core functionality of your application.

As a developer, you can grab the Okta SDK and add it into your application, but what about when you find yourself needing to support multiple IdPs? The SDKs you get from Okta or OneLogin are designed to work only with their product, and either manage the users stored in an IdP, or work indirectly with them as an IdP within your application.

In real life, most SaaS applications need to support multiple IdPs, and they also need to segment users across organizations. You could build that, but then you take on the burden of consuming the XML, working with someone else’s third party library, and overcoming any lack of inherent flexibility in each individual IdP.

Multi-tenancy Across Organizations and Identity Providers

stormpath-multi-tenancy

 

The Stormpath API offers a simple, built-in install path to manage the burden of integrating with any IdP. We also provide configurable data mapping, which brings clarity to the chaos of how information may be conveyed from multiple tenants.

Flexible Support for Both Service and Identity Provider Initiated Login Workflowsstormpath-saml-workflows

Stormpath’s SAML features are designed to support both Service and Identity Provider initiated workflows. End users can access the IdP portal first and then be automatically authenticated for the Stormpath-backed application. Or they can enter through the Stormpath-backed application and automatically be authenticated for all the applications attached to the IdP.

This flexibility allows our clients to create applications that deliver a unified and seamless SSO experience for end users, without any custom code. Stormpath-backed applications can authenticate users without requiring a separate login. Like all features at Stormpath, SAML support comes with pre-built customer screens and workflows through ID Site.

Intelligent Configuration-based Attribute Mapping

Configuration-based attribute mapping enables seamless, intelligent mapping of data from different IdPs to one consistent data model, thus allowing them to assert account attributes into your application. For example, if one IdP uses variable “firstName=Tom” and another IdP says “fn=Tom,” Stormpath can map both to a variable called “givenName” within your application.

stormpath-saml-attribute-mapping

saml-attribute-mapping

To learn more about what’s under the hood with our integration, check out the Product Documentation or watch our webinar!

For information on deciding to integrate the Stormpath API into your application, email [email protected] and talk directly with one of our architects.