
SAML 2.0 – a popular B2B SSO protocol

In the past, single sign-on (SSO) was typically achieved only through “password fill”, where the SSO software prompts the user to enter their password the first time they visit a website. On the next visit, the SSO software detects that a password is saved and either fills it in automatically or prompts the user to authenticate before filling it in. Softex’s OmniPass software and the password save feature in Chrome, Edge and Firefox are just some examples of these SSO password managers. SAML was born from the idea that, instead of saving a user’s username and password, a website that needs to log in a user (the “Service Provider”) could talk securely with the SSO software (the “Identity Provider”), so the SSO software authenticates the user’s identity and securely sends back information about the authenticated user, letting the website log that user in without any password. As long as the website “trusts” the SSO software, this can be achieved.

The only potential downside is that the SSO software AND the website both need to implement, and be compatible with, the standard, but for critical B2B applications this is not a huge challenge. In fact, today the majority of popular B2B service providers implement SAML (e.g. Office365, Salesforce, ADP, GitHub, WebEx, Zoom, etc.). Since identity management systems store user information and already need to authenticate users for services, most IAM systems implement SAML as well, so the IAM system can be configured to provide SSO to your major B2B service providers via SAML. OmniDefend supports SAML and ties in its multi-factor authentication capabilities, allowing biometrics, a smart card, OTP, PIN or even a mobile phone push notification to replace the traditional username and password credential for logging in to a website.

How to configure SAML authentication?

Configuring SAML authentication means establishing a trusted connection between the service provider website and the SSO software. Let’s assume you are trying to configure Salesforce to log in using biometric authentication from OmniDefend. You will have to configure Salesforce by creating a SAML setting for OmniDefend, where you tell Salesforce the URL of the OmniDefend server and provide the signing certificate and, optionally, the encryption certificate from the OmniDefend server. This configures Salesforce to trust OmniDefend. You will also need to configure OmniDefend to trust login requests from Salesforce by doing essentially the same procedure in OmniDefend.

In the Salesforce configuration screen, you will see three settings that appear in most applications.

Salesforce.com SAML configuration screen

On the OmniDefend side, you will need to create a SAML application template for Salesforce and provide information about the Salesforce tenant, so that OmniDefend can trust the login request coming from Salesforce and securely send the authenticated user information back to Salesforce.

In OmniDefend there are two major items that need to be configured for any SAML service provider.

OmniDefend SAML configuration for Salesforce.com

Further parameters cover SAML logout, if the service provider supports it, and whether the response should be encrypted. The final result is shown in the video below.
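To show what the two-sided trust configuration above actually buys the service provider, here is an added example (not OmniDefend’s or Salesforce’s code) of the checks an SP applies to an incoming SAML Response against its configured values: the identity provider’s entity ID, the identity provider’s signing certificate, and the SP’s own entity ID. The entity IDs, the placeholder certificate and the sample Response are all constructed for the example; verifying the XML signature itself is left to an XML-DSig library, so this covers the trust binding, not the cryptography.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder, not a real X.509 certificate: only its fingerprint is compared here.
IDP_CERT_B64 = base64.b64encode(b"constructed-placeholder-idp-signing-certificate").decode()
IDP_ENTITY_ID = "https://idp.example.test/saml"   # assumed IdP entity ID (the "URL of the IdP server")
SP_ENTITY_ID = "https://sp.example.test"          # assumed SP entity ID configured on the IdP side

def cert_fingerprint(cert_text: str) -> str:
    """SHA-256 over the DER bytes; accepts PEM armour or the bare base64 found in <ds:X509Certificate>."""
    body = "".join(line for line in cert_text.splitlines() if "CERTIFICATE" not in line)
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()

def _utc(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def check_trust(response_xml, idp_entity_id, idp_cert, sp_entity_id, now):
    """Return the list of trust problems; an empty list means the configured relationship holds."""
    problems = []
    a = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if a is None:
        return ["no Assertion in Response"]
    if (a.findtext("saml:Issuer", "", NS) or "").strip() != idp_entity_id:
        problems.append("Issuer is not the configured identity provider")
    cert = a.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or cert_fingerprint(cert.text) != cert_fingerprint(idp_cert):
        problems.append("signing certificate does not match the configured IdP certificate")
    audiences = [x.text.strip() for x in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("assertion is not addressed to this service provider")
    cond = a.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and na and _utc(nb) <= now < _utc(na)):
        problems.append("assertion is outside its validity window")
    return problems

# Constructed sample Response (SignatureValue omitted) as the IdP would post it back to the SP.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
<saml:Assertion><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{IDP_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_trust(SAMPLE, IDP_ENTITY_ID, IDP_CERT_B64, SP_ENTITY_ID, _utc("2024-05-01T12:01:00Z")))  # []
```

A Response from an unconfigured issuer, one signed with a different certificate, or one addressed to another tenant fails these checks even if its signature is otherwise valid, which is why both sides of the trust must be configured.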

Login to Salesforce.com using OmniDefend biometrics

Now repeat this with your other most-used B2B applications, like Office365, WebEx, Zoom, etc., and you will reduce your password costs while increasing your security. If you want to learn more about how the SAML protocol actually works, I would recommend this Medium article.