Modern IT admins know the challenge and necessity of securely connecting end users to their SaaS applications — whether they’re productivity suites, customer relationship management platforms, or document managers.
Various tools and approaches can make the process easier, including the use of metadata. Here, we’ll explore how to use SAML XML metadata with various single sign-on (SSO) providers and how to take a more expansive approach to user provisioning.
SAML XML Metadata
Security Assertion Markup Language (SAML) passes Extensible Markup Language (XML) certificates between identity providers and SaaS app service providers, rather than user credentials. This approach is more efficient and secure because users only need one set of authoritative credentials to access their permitted SaaS apps, and those apps don’t use or store their credentials.
Depending on the SSO provider, admins might be able to leverage pre-configured SSO connectors, rather than populate them manually. If they use a proprietary or less common app, though, they can use SAML XML metadata files to populate SSO connectors and eliminate some, if not all, of the work of filling out requisite fields manually in the identity and service providers. Once they’ve uploaded the XML files, the identity and service providers can exchange SAML assertions, and the admins can enable SSO across their app portfolio.
AD FS & XML Metadata
Active Directory® admins have a few routes they can take for SSO, including Active Directory Federation Services (AD FS). Through AD FS, they can access federation metadata to establish connections with SSO apps. Admins can download their AD FS federation metadata from Microsoft® and use the resulting XML file. Azure® Active Directory (AAD) similarly publishes federation metadata.
However, it’s worth noting that AD FS and other Microsoft SSO solutions are not necessarily comprehensive identity and access management (IAM) solutions. So, solutions like AD FS or AAD can extend Active Directory credentials to web applications, but they struggle with other resources like Mac® machines, Linux® systems and Linux servers hosted in AWS®, and RADIUS-based networks.
What this means is that using AD FS on top of …