How to integrate with SAML 2.0
senhasegura supports integration with providers that support the SAML 2.0 protocol. The SAML 2.0 protocol offers considerably greater robustness, more functionality, and better interoperability when compared to the SAML 1.1 protocol.
Important
As of version 3.32, every time a user starts a new session in senhasegura using SSO via SAML, they will need to authenticate themselves again to the identity provider (Azure, Okta, etc.), regardless of whether they are already authenticated to the provider. This ensures that only the legitimate user can access the system.
This behavior adds a layer of security: even if malicious actors obtain browsing data related to the external authentication, whether through phishing, session hijacking or XSS (Cross-Site Scripting) attacks, they won't be able to use it to break into senhasegura. Requiring users to constantly reauthenticate prevents potential deviations, ensures compliance with regulatory standards, mitigates various attack vectors, and preserves the integrity and validity of user sessions.
The main benefits of this approach are:
- Additional security layer: requiring regular reauthentication mitigates the risk of session hijacking by acting as an additional security layer. If an attacker gains access to session data or cookies, they'll still need the user's credentials to proceed.
- Compliance and auditing: many regulatory frameworks and industry standards require periodic reauthentication to ensure that access controls aren't based solely on stale session data.
- Threat mitigation: the reauthentication requirement minimizes the impact of various attack vectors, such as phishing, CSRF (Cross-Site Request Forgery), or XSS (Cross-Site Scripting), in which attackers exploit cookies or stale session tokens.
- User identity assurance: by continuously verifying the user's identity, the system ensures that the person accessing privileged resources is really who they claim to be, reducing the likelihood of unauthorized access.
Requirements
- In order for senhasegura to be integrated with an SSO service that supports the SAML 2.0 protocol, this service must already be configured and have its users provisioned.
- SAML can only be used as a web authentication provider for the application.
Integrate SAML 2.0
On senhasegura, in the navigation bar, hover over the Products menu and select Settings.
In the side menu, select Authentication > Providers.
In the Providers report, enable the SAML provider.
In the side menu, go to Authentication > SAML > Providers.
Click the Add button.
In the SAML provider registration screen, fill in the fields:
- Type: SAML SSO provider type. Use the SAML provider option if you can't find your provider's model.
- Entity ID: identification code of senhasegura in the SAML provider
- SAML provider metadata URL: SAML service URL published by the provider (role descriptor). This XML contains the interface elements, signing or encryption keys, and the SSO protocol endpoints.
- Domain or public IP for URL Redirection: add the domain or IP for senhasegura to generate its own URL redirection.
Info: This setting will only work if the domain or IP entered is public and accessible.
- Redirection URL: URL of senhasegura that will receive the authentication steps. Default: https://senhasegura.mycompany/flow/saml/auth/assert/, where the example domain, senhasegura.mycompany, must be replaced by the IP or access domain of the senhasegura instance.
- SSO Login URL: URL that the SSO SAML provider provides to senhasegura to be accessed at the time of login.
- SSO Logout URL (Sign-out URL): URL that the SSO SAML provider provides to senhasegura to be accessed at the time of logout.
- Certificate (PEM format): paste the signing certificate, in PEM format, provided by your SAML provider.
Click Save.
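The values the form above asks for (the provider's entity ID, the SSO login and logout URLs, and the signing certificate in PEM format) are all published in the provider's SAML 2.0 metadata XML. As an added example, not code from senhasegura or its documentation, the following Python extracts them from such a document; the metadata document, its URLs and the certificate body are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed sample IdP metadata; the X509Certificate body is a placeholder, not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIBconstructedPlaceholderNotARealCertificateBodyAAAABBBBCCCCDDDDEEEEFFFF0123456789+/=
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def to_pem(b64_body: str) -> str:
    # The element text usually carries line breaks and indentation: strip them and rewrap at 64 columns.
    body = "".join(b64_body.split())
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def parse_idp_metadata(xml_text: str, binding: str = HTTP_REDIRECT) -> dict:
    # Metadata is fetched from the trusted provider URL; parse XML from untrusted sources with defusedxml.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML 2.0 metadata describing an identity provider")
    def endpoint(name: str):
        # A provider may publish several endpoints per service; keep the one for the wanted binding.
        for el in idp.findall("md:" + name, NS):
            if el.get("Binding") == binding:
                return el.get("Location")
        return None
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        certs += [to_pem(c.text) for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if c.text and c.text.strip()]
    fields = {
        "idp_entity_id": root.get("entityID"),
        "sso_login_url": endpoint("SingleSignOnService"),
        "sso_logout_url": endpoint("SingleLogoutService"),  # optional: not every IdP publishes SLO
        "certificate_pem": certs[0] if certs else None,
    }
    if not all(fields[k] for k in ("idp_entity_id", "sso_login_url", "certificate_pem")):
        raise ValueError("metadata lacks the entity ID, SSO login URL or signing certificate")
    return fields
```

Fetch the real document from the SAML provider metadata URL over HTTPS and pass it to parse_idp_metadata; the returned values are what the SSO Login URL, SSO Logout URL and Certificate fields expect.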
After performing the process, a Login using SAML button is displayed on the senhasegura login screen. The authentication validity time rules are under the control of the SSO SAML provider.