
SaaS

The SaaS application type lets you access any SaaS application through Safous, with Safous acting as the IdP and performing Single Sign-On (SSO) with the service provider. Currently Safous supports only SAML for SaaS applications.

SAML Flow for SaaS Application

You can implement SAML flows in two modes. Both modes are supported by Safous.

SP-initiated

A Service Provider Initiated (SP-initiated) sign-in describes the SAML sign-in flow initiated by the service provider. This is typically triggered when the end user tries to access a resource or sign in directly on the service provider side (for example, when the browser tries to access a protected resource on the service provider side).

IdP-initiated

An Identity Provider Initiated (IdP-initiated) sign-in describes the SAML sign-in flow initiated by the identity provider. In this flow, the IdP initiates a SAML Response that is redirected to the service provider to assert the user's identity.

SAML Terms

To configure a SaaS application, you should be familiar with some SAML-related terms. Each SaaS application uses slightly different names for the same parameter. This article explains each parameter and highlights the different names used for it:

1. SAML Request

A SAML Request, also known as an authentication request, is generated by the service provider to "request" an authentication from the identity provider.

2. SAML Response

The SAML Response is generated by the identity provider. It contains the actual assertion of the authenticated user. A SAML Response can also carry additional information (for example, user profile, group, or role information), depending on what the service provider supports.

3. ACS URL / Login URL

The Assertion Consumer Service (ACS) URL (often referred to as the SP Login URL) is the ACS endpoint. This is the endpoint provided by the SP where SAML Responses carrying assertions are posted. The SP must provide this information to the IdP.

4. IdP Sign-in / Login URL

This is the endpoint on the IdP side where SAML Requests are posted. The SP must obtain this information from the IdP.

5. Audience URI / SP Entity ID

The application-defined unique identifier that is the intended audience of the SAML assertion. This is usually the SP Entity ID of the application, as defined in the service provider metadata file under entityID.

6. RelayState

The original meaning of RelayState is that the SP can send some value to the IdP together with the authentication request and then get the same value back. The SP can put whatever value it wants in the RelayState, and the IdP should echo the value back in the response. This RelayState parameter is meant to be an opaque identifier that is passed back without any modification or inspection.

There is also another, de facto standard use for RelayState with IdP-initiated logon. In that case, there is no incoming request from the SP, so there is no state to relay back. Instead, the IdP uses the RelayState to signal to the SP which URL the SP should redirect to after a successful sign-on. The standard states that RelayState "MAY be the URL of a resource at the service provider".
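The two flow modes and the terms above come together on the service provider side when a SAML Response arrives at the ACS URL. The following is an added example (not Safous code, and not a library the page describes) showing the SP-side checks those terms imply: Destination must equal the ACS URL, Audience must equal the SP Entity ID, and InResponseTo decides the mode. In the SP-initiated flow the SP stores its real state server-side and only expects the IdP to echo an opaque RelayState token back unchanged; in the IdP-initiated flow there is no request to correlate, so RelayState is only a landing-page hint and is accepted only when it is a local path on the SP. All entity IDs, URLs and the sample Response are constructed for the example, and XML signature verification is assumed to have happened upstream.

```python
"""SP-side handling of SAML Responses for SP-initiated and IdP-initiated flows.

Added example, not Safous code. Signature verification of the Response is assumed
to be done before these checks run. All identifiers below are constructed.
"""
from __future__ import annotations
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed identifiers for this example; a real SP takes them from its own metadata.
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"  # Audience URI / SP Entity ID
ACS_URL = "https://sp.example.test/saml/acs"            # ACS URL / Login URL
IDP_ENTITY_ID = "https://idp.example.test/saml"         # Issuer the SP expects in the Response

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# SP-initiated flow: requests sent and not yet answered.
# request ID -> (opaque RelayState token, local path to resume after login)
_outstanding: dict[str, tuple[str, str]] = {}


def build_authn_request(return_path: str) -> tuple[str, str, str]:
    """SP-initiated: create the SAML Request (AuthnRequest) plus an opaque RelayState.

    The RelayState means nothing to the IdP; the SP keeps the real state server-side
    and only needs the token echoed back unchanged.
    """
    req_id = "_" + secrets.token_hex(16)
    relay_state = secrets.token_urlsafe(24)
    _outstanding[req_id] = (relay_state, return_path)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{req_id}" Version="2.0" AssertionConsumerServiceURL="{ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return req_id, relay_state, xml


def safe_local_target(relay_state: str | None) -> str:
    """IdP-initiated: RelayState 'MAY be the URL of a resource at the SP'. Accept only a
    local absolute path so that a tampered value cannot send the user off-site."""
    if not relay_state or "\\" in relay_state:
        return "/"
    parts = urlsplit(relay_state)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return "/"
    return relay_state


def validate_response(response_xml: str, relay_state: str | None) -> dict:
    """Apply the SP-side checks to a (signature-verified) SAML Response.

    Returns the authenticated subject and where to send the user; raises ValueError otherwise.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != ACS_URL:          # must be posted to our ACS URL
        raise ValueError("Destination is not this SP's ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("unexpected Issuer")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  namespaces=NS)
    if audience != SP_ENTITY_ID:                    # Audience URI must equal our Entity ID
        raise ValueError("Audience does not match the SP Entity ID")
    subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        raise ValueError("Assertion has no NameID")

    in_response_to = root.get("InResponseTo")
    if in_response_to is not None:
        # SP-initiated: must answer a request we issued (consumed once), token echoed back.
        pending = _outstanding.pop(in_response_to, None)
        if pending is None:
            raise ValueError("InResponseTo matches no outstanding request")
        token, return_path = pending
        if relay_state != token:
            raise ValueError("RelayState was not echoed back unchanged")
        return {"mode": "sp-initiated", "subject": subject, "target": return_path}
    # IdP-initiated: nothing to correlate; RelayState is only a hint for the landing page.
    return {"mode": "idp-initiated", "subject": subject, "target": safe_local_target(relay_state)}


def make_sample_response(in_response_to: str | None = None, audience: str = SP_ENTITY_ID,
                         subject: str = "alice@example.test") -> str:
    """Constructed, unsigned IdP Response used only to exercise the checks above."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_r{secrets.token_hex(8)}" Version="2.0" Destination="{ACS_URL}"{irt}>'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<saml:Assertion ID="_a{secrets.token_hex(8)}" Version="2.0">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
            f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}'
            f'</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'</saml:Assertion></samlp:Response>')


if __name__ == "__main__":
    req_id, rs, _ = build_authn_request("/dashboard")
    print(validate_response(make_sample_response(in_response_to=req_id), rs))   # sp-initiated
    print(validate_response(make_sample_response(), "https://elsewhere.example/x"))  # idp-initiated, target "/"
```

The design point is that RelayState is never trusted as data in either mode: in the SP-initiated flow the SP compares it against a token it generated and looks the real return path up itself, and in the IdP-initiated flow it is reduced to a local path or replaced by the default landing page.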

Configuration

Name and Description

Provider and Protocol

Click Web Applications under Protocols and select SaaS.

Application Parameter

Set the SaaS application parameters.

Configuration options specific to this article are shown here. For more information on the various options available while configuring applications, refer to the section: Application Parameters.

  • Visible: Control whether the application should be visible in the user portal or not.

    • If toggled on, the user can see, click, and access the application from the user portal.
    • If toggled off, the user cannot see or click the application on the user portal, but it can still be accessed by entering the access URL in a browser.
  • ACS URL: The ACS URL provided by the service provider (must use the HTTP or HTTPS scheme).

  • Entity ID: The Entity ID of the service provider. Accepts URN or URL format.

  • Relay State: The RelayState value sent to the service provider. Accepts a URL or a hashed value.

  • Site: The list of sites where the application is published. Select only the sites that can reach the application's address.

  • Domain: Tenant's domain.

  • Icon: Icon for the application. By default, the favicon of the ACS URL is used automatically; if none is available, no icon is shown. It can be changed by uploading an icon from the local drive.

  • SAML assertion content: Select the SAML profile to be applied to this application. For more information please refer to [SAML Profiles - Link TBD]

  • Encrypt SAML Assertion: Control whether the SAML assertion sent is to be encrypted or not. If enabled, the service provider's certificate must be provided in the configuration.

  • Allow IDP-Initiated Flow: Control whether users who open the application from the user portal log in to it directly.

    • When checked, users are directed to the configured ACS URL.
    • When unchecked, users are directed to the configured service provider start page.
  • Service provider start page: A page of the service provider that typically has the "Sign in with <IdP Name>" button to start the SP-initiated flow.

Identities

Specify the users or user groups that can log in to the Safous Application Portal to view and access the application. For more information on configuring identities, refer to the section: Identities.

  • For the purpose of this article, we select Any authenticated identity.

Supervision and Auditing Roles

  • For the purpose of this article, we retain the default settings for each role. Keep the option Same as defined in Roles enabled.

Note: Although the Auditor tab is displayed, auditing is not supported for web applications.

Rules

For more information, refer to the section: Rules.

  • Rules: Click the + button to add a rule.

  • Keep all options at default, including Default profile under Conditions and Default profile (SaaS) under Actions.