What is SAML?
Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, commonly referred to as "Security Domains". The Security Domains are [a] the Identity Provider (IdP), which makes assertions about the user, and [b] the Service Provider (SP), which consumes assertions about the user.
SAML usually involves three things:
A user: the person requesting the service.
A service provider: the application providing the service or protecting the resource.
An identity provider: the service or repository that manages the user information.
A user requests SAML SSO to access a resource that is protected by a service provider. The service provider asks the identity provider to authenticate the user. The identity provider checks that the user exists and sends an assertion back to the service provider. On the basis of this assertion, the service provider makes an access control decision.
Akamai and Single Sign On - Overview
Akamai gives customers the option of configuring Single Sign-On to the Luna Control Centre (the Service Provider) using the customer's own Identity Provider (IdP). The customer's IdP authenticates the user before access to Luna Portal resources is allowed.
Why use SAML SSO?
-- Improved productivity - It takes an average of 20 seconds for a user to log into a resource. Not having to enter a password each time a user needs to access a resource saves time and makes users more productive.
-- Reduced frustration from multiple log-on events and forgotten passwords - Users have only one password to remember and update, and only one set of password rules to follow. Their initial login gives them access to all resources, typically for the entire day.
-- Increased adoption - SSO reduces the barriers of use for resources. Since it is easier to access applications, users will start using them more.
-- Uniform security layer - SAML is platform agnostic, allowing enterprise architects to implement a uniform security layer with existing assets.
How It works
1. First, an end user attempts to access Luna Control Center using a Service Provider (SP) initiated URL. (This URL is unique to each customer who has SAML SSO configured, with the domain taking the form customer_name.luna-sp.com.)
2. If the end user is not already authenticated, Luna Control Center redirects the end user to the customer's federated IdP for authentication.
3. The end user's browser follows the redirect to the customer's Identity Provider.
4. The IdP authenticates the end user and returns a SAML response to the end user's browser. In accordance with the SAML 2.0 specification, this response is digitally signed with the IdP's private key.
5. The browser then forwards this response to the Luna Control Center.
6. Luna Control Center verifies the response sent by the IdP using the IdP's public key. If the signature verifies, the end user gains access and is logged in to Luna Control Center.
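The sign-and-verify exchange of steps 4 and 6, modelled in Go as an added example that is not Akamai's code. A real SAML response carries an XML-DSig enveloped signature over a canonicalized assertion; this stand-in reduces that to an RSA-SHA256 signature over the marshalled bytes, and the Assertion struct, the function names and the audience, request-ID and expiry checks are assumptions about what an SP validates after the signature holds.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"time"
)

// Assertion is a constructed stand-in for a SAML assertion (not the real SAML
// 2.0 schema); it keeps only the fields the SP checks in step 6.
type Assertion struct {
	XMLName      xml.Name  `xml:"Assertion"`
	Subject      string    `xml:"Subject"`
	Audience     string    `xml:"Audience"`
	InResponseTo string    `xml:"InResponseTo,attr"`
	NotOnOrAfter time.Time `xml:"NotOnOrAfter,attr"`
}
// IdPSign models step 4: serialize the assertion and sign it with the IdP
// private key; returns the XML bytes and the RSA-SHA256 signature over them.
func IdPSign(key *rsa.PrivateKey, a Assertion) (raw, sig []byte, err error) {
	if raw, err = xml.Marshal(a); err != nil {
		return nil, nil, err
	}
	d := sha256.Sum256(raw)
	sig, err = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	return raw, sig, err
}
// SPVerify models step 6: verify the signature with the IdP public key before
// trusting any content, then check audience, request ID and expiry.
func SPVerify(pub *rsa.PublicKey, raw, sig []byte, audience, reqID string, now time.Time) (Assertion, error) {
	d := sha256.Sum256(raw)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig); err != nil {
		return Assertion{}, errors.New("signature does not verify with the IdP public key")
	}
	var a Assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return Assertion{}, err
	}
	if a.Audience != audience || a.InResponseTo != reqID {
		return Assertion{}, errors.New("assertion is for another SP or another request")
	}
	if !now.Before(a.NotOnOrAfter) {
		return Assertion{}, errors.New("assertion has expired")
	}
	return a, nil
}
```

A tampered assertion, a signature from a different key, a wrong audience, or an expired NotOnOrAfter all make SPVerify return an error, so the SP never grants access on unverified content.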
Configuring SAML SSO in the Luna Control Centre
1. Log into Luna Control Centre.
2. Click on the "CONFIGURE" tab and click on "Manage SSO with SAML".
3. Click Create Identity Provider Configuration to create a new configuration.
4. Enter all of the information pertaining to your identity provider in the SSO provisioning application. The asterisks indicate the required fields, where you must enter information in order to successfully create and save a configuration.
5. Click Save to save the configuration. Your new configuration will be listed as "Saved" in the Current Status column.
6. Once you save the configuration, you can download the corresponding metadata file. This metadata file contains information required to configure your IdP. To download the metadata, click the corresponding gear icon and select Download from the drop-down menu.
7. Next, you can provision your configuration. To do that, click the gear icon and choose Provision from the drop-down menu. The current status will progress from "Not Deployed" to "Pending Deployment" and finally to "Provisioned".