SAML Web Browser SSO Support in the Akana API Platform
This section provides information specific to the SAML implementation in the Akana API Platform.
Table of Contents
- Supported features
- Supported SAML bindings for single sign-on
- SAML version
- Supported identity providers
Supported features
The Akana API Platform version 7.2 and later supports single sign-on with SAML as the token for authentication (Web Browser SSO Profile) in the following scenarios:
- To authenticate developers in the developer portal.
- To authenticate end-users when issuing OAuth grants.
Supported SAML bindings for single sign-on
Policy Manager/Community Manager supports the following SAML bindings for Service Provider-initiated single sign-on in Community Manager version 7.2 and later:
For authentication request:
- HTTP Redirect
- HTTP POST
Note: this solution currently does not support HTTP Artifact for authentication request messages.
HTTP Redirect carries the request in the URL: the AuthnRequest XML is DEFLATE-compressed, base64-encoded and URL-encoded into a SAMLRequest query parameter, and the browser is sent to the Identity Provider's SSO endpoint with a GET. HTTP POST carries the request, base64-encoded but not compressed, as a SAMLRequest form field in the body of a POST.
An HTTP redirect (a 302 response) always makes the browser issue a GET, so the Service Provider cannot redirect the browser into a POST. With HTTP POST the Service Provider instead returns an HTML page containing a hidden form whose action is the Identity Provider's SSO endpoint; when the page loads, script auto-submits the form (typically with a visible submit button as a fallback when scripting is disabled) and the browser POSTs the request to the Identity Provider.
Tip: One reason to choose HTTP POST over HTTP Redirect is URL length. Browsers, proxies and web servers limit the length of a URL (often to a few thousand bytes), and signing the authentication request makes the redirect URL noticeably longer, because the signature algorithm and the base64 signature are appended as additional SigAlg and Signature query parameters. A URL that exceeds the limit is truncated or rejected and the sign-on fails; a POST body has no such practical limit.
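The two request bindings above, worked through as an added Python example (illustrative code written for this page, not Akana's implementation): it builds a minimal AuthnRequest, encodes it for HTTP Redirect (DEFLATE, base64, URL-encode into SAMLRequest) and for HTTP POST (base64 in a self-submitting form), decodes both on the receiving side, and shows the exact string an SP signs for a signed Redirect request. The entity IDs and URLs are constructed placeholders, and the RSA signature itself is left to a crypto library.

```python
"""Encode a SAML 2.0 AuthnRequest for the HTTP-Redirect and HTTP-POST bindings.

Illustrative code added to this page; not Akana's implementation.
All URLs and entity IDs below are constructed placeholders.
"""
import base64
import datetime
import html
import uuid
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders, not real endpoints.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/saml/sso"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def build_authn_request(issuer, acs_url, destination, request_id=None, issue_instant=None):
    """Minimal SP-initiated AuthnRequest. The ID must be unique and unguessable so the
    SP can later match the Response's InResponseTo to a request it actually made."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{html.escape(destination, quote=True)}" '
        f'AssertionConsumerServiceURL="{html.escape(acs_url, quote=True)}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{html.escape(issuer)}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def _deflate_b64(xml):
    """Raw DEFLATE (no zlib header, wbits=-15) then base64, as the Redirect binding requires."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode("utf-8")) + c.flush()).decode("ascii")


def redirect_binding_url(xml, sso_url, relay_state=None):
    """HTTP-Redirect: the whole request rides in the query string of a GET."""
    params = [("SAMLRequest", _deflate_b64(xml))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    return sso_url + "?" + urlencode(params)


def redirect_signing_input(xml, relay_state=None, sig_alg=RSA_SHA256):
    """Octets an SP signs for a signed Redirect request: the URL-encoded
    SAMLRequest=...&RelayState=...&SigAlg=... string in exactly that order
    (RelayState omitted when absent). The signature over these bytes is
    base64-encoded and appended as &Signature=..., which is what lengthens the URL."""
    params = [("SAMLRequest", _deflate_b64(xml))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", sig_alg))
    return urlencode(params).encode("ascii")


def decode_redirect_binding(url):
    """IdP side: recover the AuthnRequest XML from a Redirect-binding URL."""
    qs = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode("utf-8")


def post_binding_fields(xml, relay_state=None):
    """HTTP-POST: base64 only, no compression; values travel as form fields in the body."""
    fields = [("SAMLRequest", base64.b64encode(xml.encode("utf-8")).decode("ascii"))]
    if relay_state is not None:
        fields.append(("RelayState", relay_state))
    return fields


def post_binding_form(xml, sso_url, relay_state=None):
    """The self-submitting HTML page the SP returns instead of a 302 redirect.
    Values are HTML-escaped so a hostile RelayState cannot inject markup."""
    inputs = "".join(
        f'<input type="hidden" name="{n}" value="{html.escape(v, quote=True)}"/>'
        for n, v in post_binding_fields(xml, relay_state))
    return (
        '<!DOCTYPE html><html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{html.escape(sso_url, quote=True)}">{inputs}'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        '</form></body></html>'
    )


def decode_post_binding(saml_request_field):
    """IdP side: recover the XML from the SAMLRequest form field."""
    return base64.b64decode(saml_request_field).decode("utf-8")


if __name__ == "__main__":
    req = build_authn_request(SP_ENTITY_ID, ACS_URL, IDP_SSO_URL)
    url = redirect_binding_url(req, IDP_SSO_URL, relay_state="/apps/dashboard")
    assert decode_redirect_binding(url) == req
    print("Redirect URL:", len(url), "bytes")
    print("Signed-Redirect input:", len(redirect_signing_input(req, "/apps/dashboard")),
          "bytes, before the Signature value is appended")
    print("POST form:", len(post_binding_form(req, IDP_SSO_URL, "/apps/dashboard")), "bytes")
```

Running it prints the Redirect URL length next to the POST form length: the Redirect query string is the compressed request plus, once signed, the SigAlg and Signature parameters, which is where the length problem in the tip above comes from, whereas the POST form carries the uncompressed request in a body that browsers do not truncate.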
For response (issuing the SAML assertion):
- HTTP POST
- HTTP Artifact
HTTP POST sends the full response (the samlp:Response carrying the SAML assertion), base64-encoded, as a SAMLResponse form field in the POST body. HTTP Artifact sends only a short artifact, as a SAMLart query parameter; the artifact is an opaque handle that the Service Provider exchanges for the full response.
To use the HTTP Artifact binding for response messages, the Identity Provider must expose an Artifact Resolution Service (ARS), and the Service Provider must be configured with its endpoint and with the credentials the ARS requires.
Both bindings are secure when implemented correctly: in either case the Service Provider must verify the XML signature on the response or assertion, check the Audience, Recipient, Destination and validity window, match InResponseTo to a request it issued, and reject replayed assertion IDs. HTTP Artifact nevertheless reduces exposure, because the assertion never passes through the browser. Having received only the artifact, the Service Provider opens a direct, synchronous back-channel connection to the Identity Provider's Artifact Resolution Service, sends an ArtifactResolve request, and receives the full message (the response with the SAML assertion) in the ArtifactResponse. That back channel runs over TLS with its own authentication (for example mutual TLS or a signed ArtifactResolve), and an artifact can be resolved only once, so an artifact captured from a browser history, proxy log or Referer header cannot be redeemed a second time.
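How a Service Provider handles an artifact on the response side, as an added Python example (illustrative code written for this page, not Akana's; the entity IDs and ARS URL are constructed placeholders): it decodes a type 0x0004 artifact, checks that its SourceID belongs to the configured Identity Provider before any back-channel call is made, and builds the SOAP ArtifactResolve message sent to the Artifact Resolution Service. Minting the artifact is the IdP's job and is included only so the example runs offline.

```python
"""Decode and check a SAML 2.0 artifact (type 0x0004) and build the ArtifactResolve
message an SP sends to the IdP's Artifact Resolution Service.

Illustrative code added to this page; not Akana's implementation. Entity IDs and
the ARS URL are constructed placeholders.
"""
import base64
import datetime
import hashlib
import hmac
import html
import os
import uuid

IDP_ENTITY_ID = "https://idp.example.com/saml/metadata"  # constructed placeholder
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"    # constructed placeholder
ARS_URL = "https://idp.example.com/saml/ars"             # constructed placeholder

ARTIFACT_TYPE_4 = 4
ARTIFACT_LEN = 2 + 2 + 20 + 20  # TypeCode, EndpointIndex, SourceID, MessageHandle


def source_id(entity_id):
    """SourceID is the SHA-1 of the issuer's entityID, so an SP can tell which IdP
    minted an artifact before it talks to anyone."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def make_artifact(issuer_entity_id, endpoint_index=0, message_handle=None):
    """What the IdP mints. The MessageHandle must be random: it is the only secret
    standing between the artifact and the assertion it refers to."""
    message_handle = message_handle if message_handle is not None else os.urandom(20)
    if len(message_handle) != 20:
        raise ValueError("MessageHandle must be 20 bytes")
    raw = (ARTIFACT_TYPE_4.to_bytes(2, "big") + endpoint_index.to_bytes(2, "big")
           + source_id(issuer_entity_id) + message_handle)
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact):
    """Split a base64 artifact into its fields, rejecting anything that is not a
    well-formed type-4 artifact (wrong length, bad base64, other type code)."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError(f"artifact is {len(raw)} bytes, expected {ARTIFACT_LEN}")
    type_code = int.from_bytes(raw[0:2], "big")
    if type_code != ARTIFACT_TYPE_4:
        raise ValueError(f"unsupported artifact type 0x{type_code:04x}")
    return {
        "type_code": type_code,
        "endpoint_index": int.from_bytes(raw[2:4], "big"),
        "source_id": raw[4:24],
        "message_handle": raw[24:44],
    }


def artifact_from_expected_idp(artifact, expected_entity_id):
    """An SP should only resolve artifacts whose SourceID matches a configured IdP;
    otherwise a crafted SAMLart could steer the back-channel call elsewhere."""
    parsed = parse_artifact(artifact)
    return hmac.compare_digest(parsed["source_id"], source_id(expected_entity_id))


def build_artifact_resolve(artifact, sp_entity_id, ars_url, request_id=None, issue_instant=None):
    """SOAP envelope carrying samlp:ArtifactResolve for the synchronous SOAP binding."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soap-env:Body>'
        '<samlp:ArtifactResolve xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{html.escape(ars_url, quote=True)}">'
        f'<saml:Issuer>{html.escape(sp_entity_id)}</saml:Issuer>'
        f'<samlp:Artifact>{html.escape(artifact)}</samlp:Artifact>'
        '</samlp:ArtifactResolve>'
        '</soap-env:Body></soap-env:Envelope>'
    )


def resolve_artifact_request(artifact, expected_idp_entity_id, sp_entity_id, ars_url):
    """SP receive path: validate the artifact before spending a back-channel call.
    The returned envelope is POSTed over TLS (with client-certificate or signed-request
    authentication) to ars_url; the ArtifactResponse that comes back carries the
    Response/Assertion, which must then be signature-checked and validated exactly
    as a POST-binding response would be."""
    if not artifact_from_expected_idp(artifact, expected_idp_entity_id):
        raise ValueError("artifact SourceID does not match the configured IdP")
    return build_artifact_resolve(artifact, sp_entity_id, ars_url)


if __name__ == "__main__":
    art = make_artifact(IDP_ENTITY_ID, endpoint_index=0)
    print("SAMLart =", art)
    print(resolve_artifact_request(art, IDP_ENTITY_ID, SP_ENTITY_ID, ARS_URL))
```

The SourceID check is the part worth copying: it costs one SHA-1 and prevents the SP from being talked into resolving artifacts against an endpoint it never configured. The ARS lookup itself (ArtifactResponse parsing, signature verification, single-use enforcement on the IdP side) is done with a SAML library in practice.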
Currently Not Supported
The Akana API Platform currently does not support the following:
- SP-initiated SLO (single logout)
- IdP-initiated SLO
- HTTP Artifact binding for the authentication request sent from the Service Provider to the Identity Provider.
SAML version
The Akana API Platform SAML single sign-on feature supports SAML Version 2.0.
Supported identity providers
The Akana API Platform SAML single sign-on feature should work with any SAML Identity Provider that supports SAML Web Browser SSO Profile for Service Provider-initiated SSO. It has been tested with the following:
- SSOCircle: see http://www.ssocircle.com
- PingFederate: see https://www.pingidentity.com
- OpenSSO (now less popular) and a more recent product that builds on OpenSSO, OpenAM by Forgerock: https://www.forgerock.com/platform/access-management/
This SAML documentation gives general instructions applicable to any Identity Provider (see Setting Up the SAML Web Browser SSO Feature), and provides a couple of examples of setup for supported Identity Providers (see Identity Provider Configuration Examples).