How to Enable SAML for an App

SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data, widely used for application access. The process mirrors a “digital handshake” between an Identity Provider (such as Bitium) and a Service Provider (the application). Bitium supports SAML for over 300 applications and strongly recommends turning it on for every application that supports this type of SSO.

We recommend turning on SAML for the following reasons:

  • SAML authentication is more secure.
  • SAML login speeds are faster than form-based authentication.
  • SAML authentication allows for easier deprovisioning and offboarding.

More Secure

When an application is SAML-enabled, a user can no longer use a password to access that application. Organizations that turn on SAML for their applications significantly improve their security posture by reducing the number of potentially vulnerable credential sets their employees use.

Note: A few applications (such as Salesforce and Dropbox) allow SAML SSO and passwords to be used simultaneously, which eases the transition from password-based authentication to SAML SSO for end users.

Fast Logins

SAML-enabled applications log users in faster than traditional form-based authentication methods. In the background, a form-based login requires a series of steps, typically including:

  • A check to see whether the user already has an existing session
  • Navigation to the login URL
  • Filling in the username and password fields
  • A click on the submit button
  • A check that the conditions for a successful login are met

With SAML turned on, none of these steps are necessary, because an administrator has already preconfigured the exchange of data. With one click, the user is passed into the underlying application.

Easy Deprovisioning

IT admins can easily offboard employees from SAML-enabled applications, because users never had a working password for the application. Admins can simply suspend the user in Bitium to deprovision access to the underlying application; without access to Bitium, the user cannot access the application. Even better, IT admins do not have to clean up or reset a password in the underlying application.

SAML Setup for Administrators

IT administrators can easily set up SAML for an application in Bitium. The typical admin setup process for a SAML app is outlined below:

  1. Manage “your organization.”

  2. Click “Manage Apps.”

  3. Search and select the application.

  4. Click “Single Sign-On” tab and select “SAML Authentication.”

  5. Bitium provides the following information for an admin to copy into the app provider’s SSO setup page: Entity ID, Login URL, Logout URL, Metadata URL, X.509 Certificate, and X.509 Certificate Fingerprint. (SSO requirements vary from app to app. Setup on the SAML application side may be self-service, but it may also involve emailing the required information to a contact at the app provider.)

    Copy over SSO details into app

  6. Paste the information Bitium expects from the app provider’s SSO setup page into the Bitium SSO setup page. (The empty fields on the Bitium SSO setup page indicate what Bitium requires from the app provider.)

    Copy over SSO details into Bitium

  7. Click “Save” in the application provider.

  8. Click “Save Changes” in Bitium.
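A check worth running after steps 5 and 6: pull the Entity ID, Login URL, Logout URL and certificate fingerprint out of the IdP's metadata (the document behind the Metadata URL) and compare them with what was pasted into the app's SSO page, so a typo or a stale certificate is caught before users are assigned. This is an added example, not code from Bitium or this article; the hostnames are hypothetical and the embedded certificate is placeholder bytes, so the XML is a constructed sample.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # prefer defusedxml for metadata fetched over the network

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata: hypothetical hostnames; X509Certificate holds base64 of "abc".
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(cert_b64, algo="sha256"):
    """Colon-separated hex digest of the DER certificate, the form SSO setup pages display."""
    der = base64.b64decode("".join(cert_b64.split()))  # base64 body may be wrapped across lines
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def _redirect_location(idp, tag):
    # Location of the HTTP-Redirect endpoint for SingleSignOnService / SingleLogoutService
    for svc in idp.findall("md:" + tag, NS):
        if svc.get("Binding") == REDIRECT:
            return svc.get("Location")

def parse_idp_metadata(xml_text):
    """Extract the values an admin copies from the IdP into the app's SSO setup page."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    # A KeyDescriptor without a "use" attribute is valid for both signing and encryption.
    certs = [k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for k in idp.findall("md:KeyDescriptor", NS) if k.get("use", "signing") == "signing"]
    return {"entity_id": root.get("entityID"),
            "login_url": _redirect_location(idp, "SingleSignOnService"),
            "logout_url": _redirect_location(idp, "SingleLogoutService"),
            "fingerprint": fingerprint(certs[0]) if certs else None}

def find_mismatches(metadata_xml, app_config):
    """Return {field: (value pasted into the app, value in IdP metadata)} for fields that differ."""
    def norm(key, value):  # fingerprints compare case- and colon-insensitively; URLs are exact
        value = (value or "").strip()
        return value.replace(":", "").upper() if key == "fingerprint" else value
    expected = parse_idp_metadata(metadata_xml)
    return {k: (app_config.get(k), v) for k, v in expected.items()
            if norm(k, app_config.get(k)) != norm(k, v)}
```

An empty result from find_mismatches means the app's SSO page matches the IdP; a non-empty one names the field to re-copy, and a fingerprint mismatch after an IdP certificate rotation is the usual cause of sudden SSO failures.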

Assign a SAML App to a User

  1. Manage “your organization.”

  2. Click “Manage Apps.”

  3. Search and select the SAML application.

  4. Click “Assign Users.”

  5. Select the users you’d like to assign access to.

    Assign user to SAML app

  6. Click “Done.”

Note: For many SAML apps, the user must already have an account in the app before being assigned access in Bitium. Bitium also supports Just-in-Time provisioning, which allows new user accounts to be created on the fly (the application must support Just-in-Time provisioning as well). When such a user clicks the app icon to log in for the first time, an account is created in the underlying application.

Assign a SAML App to a User with Group Provisioning

  1. Manage “your organization.”

  2. Click “Manage Groups.”

  3. Select Group.

  4. Click “Add Apps” to add SAML apps to the group.

  5. Select SAML apps.

  6. Click “Done.”

    Add SAML apps to group

  7. Return to group page. Click “Add Users” to assign users to group.

  8. Select users to add to group.

    Assign users to group

  9. Click “Done.”

When a SAML app is added to a group, every user in the group is automatically assigned the application. Users with existing accounts in the SAML application are mapped accordingly (the user’s email address in the SAML app must match that user’s email address in Bitium).

User Experience

With SAML enabled, users will notice little change to their everyday workflow. The main difference is that users can no longer use a password to access the application. The user experience is outlined below.

Dashboard Access

  1. Log into Bitium.

  2. Click app on dashboard (no password will be available).

    Click app icon to login

  3. The user is passed straight through to the app.

Direct Access

  1. Navigate to application’s website.

  2. On the login page, enter your email address (some apps may require that you click “Single Sign-On”).

    User enters in email address

  3. The user is redirected to a Bitium login page.

  4. Enter your Bitium credentials.

    User enters in Bitium password

  5. The user is passed through to the intended application.

    User is authenticated into app