SAML Single Sign-On in AppScan Enterprise

Security Assertion Markup Language (SAML) is an XML-based open-standard for transferring data about user identities between Identity Provider (IdP) and Service Provider (SP). In an AppScan Enterprise environment, AppScan Enterprise application acts as a SP that is configured to third-party IdPs such as Okta, PingFederate, and Microsoft ADFS for user assertion through Single Sign-On (SSO). The advantage of SAML-SSO model is that along with AppScan Enterprise as SP you can also offer other applications as SPs in your organization to which your user can login with a common login credential. Essentially, the SSO process allows your users to seamlessly login to multiple sessions of AppScan Enterprise application or other applications (SPs), hosted within the same domain, using a single login ID and Password. The SAML-SSO login is achieved by using LDAP or Active directory databases associated to the applications that are offered as SPs.

The SAML-SSO model deals with three entities - Principal, Service Provider (SP), and Identity Provider (IdP), where:

  • Principal - A user who request a service from the Service Provider.
  • Service Provider (SP) - Delivers access to the principal (user) to login to the requested application on the basis of the authentication (username and password credentials) protocol exchanged and asserted by an IdP.
  • Identity Provider (IdP) - An authentication service that identifies and authorizes the principal (user) who is requesting to login to the Service Provider, in this case AppScan Enterprise application application.
Note: A single IdP can support SAML assertions for different applications hosts different service providers.

In the SAML-SSO model, an SP and the IdP establish a trust by exchanging a digitally signed XML document (certificate) that contains user authorization data for authenticating the user login session. Because the IdP is already entrusted by SP, the user assertion request is received and verified to authenticate for approving access to login to the specific (requested) application. This SSO login approval is a process that occurs during the first login session of the users into the AppScan Enterprise application from an IdP, and thereafter the same user can login to another session of AppScan Enterprise application or a different application without entering any user credentials.

A SAML property file is available as a configurable component in the AppScan Enterprise installation folder. You must configure the SAML property file with the Service Provider and Identity Provider configuration properties.