SAML Single Sign-On

Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an Identity Provider (IdP) and a Service Provider (SP). SAML 2.0 is the industry-standard approach to federated identity management based on Single Sign-On (SSO). SSO is a session or user authentication process that lets a user enter one user name and password to access multiple web applications.

As of version 9.50, Service Manager (SM) supports SP-initiated web browser SSO using the SAML 2.0 protocol. The SAML 2.0 specification defines an exhaustive list of profiles. By leveraging HPE Identity Manager (IdM), SM can support two essential profiles: Web Browser SSO Profile, and Single Logout Profile.
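The following Python is an added illustration of the SP-initiated Web Browser SSO Profile described above; it is not Service Manager or HPE IdM code, and the entity IDs, URLs and sample IdP response are constructed. It shows the two SP-side steps that matter for security: issuing an AuthnRequest whose ID is remembered, and checking the IdP's Response against that request (InResponseTo, Destination, Issuer, validity window, Audience). Signature verification is assumed to have happened before the check runs.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SP_ENTITY_ID = "https://sm.example.com/sp"      # constructed SP entity ID
ACS_URL = "https://sm.example.com/saml/acs"     # constructed assertion consumer URL
IDP_ENTITY_ID = "https://idp.example.com/idp"   # constructed IdP entity ID

def build_authn_request(pending):
    """Step 1 of the SP-initiated flow: build the AuthnRequest and remember its ID."""
    req_id = "_" + uuid.uuid4().hex
    pending[req_id] = True                      # outstanding request IDs, single use
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
            f'Version="2.0" AssertionConsumerServiceURL="{ACS_URL}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def sample_response(req_id, issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID):
    """Constructed IdP Response for testing; a real one is signed and carries a Subject."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
            f'InResponseTo="{req_id}" Destination="{ACS_URL}"><saml:Assertion ID="_a1" Version="2.0">'
            f'<saml:Issuer>{issuer}</saml:Issuer><saml:Conditions NotBefore="2024-01-01T00:00:00Z" '
            f'NotOnOrAfter="2024-01-01T00:05:00Z"><saml:AudienceRestriction><saml:Audience>{audience}'
            f'</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')

def parse_ts(value):
    """SAML timestamps are UTC in xs:dateTime form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, pending, now):
    """Step 2: SP-side checks on the IdP's Response; returns failed checks (empty = OK).
    Assumes the XML signature was verified before this runs (in SM, IdM does that)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("InResponseTo") in pending:
        del pending[root.get("InResponseTo")]   # consume the ID so a replay cannot reuse it
    else:
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not this SP's ACS URL")
    assertion = root.find(f"{{{SAML}}}Assertion")
    cond = None if assertion is None else assertion.find(f"{{{SAML}}}Conditions")
    if cond is None:
        return problems + ["missing Assertion or Conditions"]
    if assertion.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
        problems.append("Issuer is not the configured IdP")
    if now < parse_ts(cond.get("NotBefore")) or now >= parse_ts(cond.get("NotOnOrAfter")):
        problems.append("assertion is outside its validity window")
    if cond.findtext(f".//{{{SAML}}}Audience") != SP_ENTITY_ID:
        problems.append("Audience is not this SP")
    return problems
```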

When SAML SSO is enabled, and SM and multiple other HPE applications share the same IdP and LDAP server (regardless of whether the other applications leverage IdM or not), the user needs to enter a user name and password only once to log in to all of these web applications. Additionally, this solution supports single logout for multiple HPE web applications that leverage IdM.

Note SAML SSO is supported for the SM Web Tier client, SRC, and Mobility Client. By default, SAML SSO is disabled in Service Manager, and Service Manager clients (Web Tier, Windows, Service Request Catalog (SRC), Mobility, and web services) log in to the Service Manager Server in the same way as before.

Caution Service Manager 9.50 introduces a new end user portal, Service Manager Service Portal. Be aware that SAML SSO is not supported for Service Manager Service Portal. If you are already using or planning to use Service Manager Service Portal as an end user portal, enabling SAML SSO is not recommended.

The following are some benefits of using this solution:

  • Provides tighter security controls through consistent enforcement of security policies across all applications
  • Reduces turnaround time for provisioning and deprovisioning of user accounts in applications
  • Fosters identity data collection, access reviews, and security analytics
  • Provides single sign-on experience for end users
  • Enables new users to gain faster access to the resources needed to perform their jobs
  • Eliminates or reduces duplicate user IDs

Note Enabling SAML SSO may slow down user logins. According to laboratory tests by HPE, user logins may take approximately 15% more time.

This solution also provides backward compatibility with the legacy LW-SSO solution, and works in FIPS mode.

See the following descriptions for more details about this solution.