Tell me about SAML SSO

How does it work?

Account Requirements

Enable SAML for all users

Enable SAML for select users

Can I also enable Symantec VIP?

Can I set the IDP SSO URL as my Custom Exit URL in Azure?
How does it work?

When SAML SSO is activated for a user account, the user no longer logs in to the service with their service credentials. Instead, the user clicks a link and enters a username and password to authenticate to their identity provider (IdP). Upon successful authentication, the IdP redirects to the service's Assertion Consumer Service URL; the service then validates the contents of the response, resolves the username, and starts the user's session.

Account Requirements

The account must have these settings:

1) SAML SSO must be enabled for your subscription by support or your account manager.  

2) The New Data Security Model must be accepted for the subscription. A Manager can opt in by going to Users > Setup > Security.

Note: The New Credentials Security Model (NCSM) has no dependency on SAML. Ensure that SAML and NCSM are not enabled simultaneously.

Enable SAML SSO for all new users

Go to Users > Setup > SAML SSO Setup. Select the option "Enable SAML SSO for new users".

Enable SAML SSO for select users

Go to Users > Users and edit the user's account. You'll see the SAML SSO option in the Security section.

Can I also enable Symantec VIP?

If both Symantec VIP and SAML SSO are turned on for the same account, SAML SSO will be used and the Symantec VIP option will be ignored.

Can I set the IDP SSO URL as my Custom Exit URL in Azure?

In Azure, you cannot set the IDP SSO URL as a Custom Exit URL. By default, the SSO URL expects the SAML Request parameter to be added to the URL, but the IDP SSO URL on its own does not carry the request parameters. The result is an error from Azure AD.
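
The following added example (not code from this service or from Azure) shows what the SAML Request parameter on the SSO URL looks like under the SAML 2.0 HTTP-Redirect binding, and how the bare IDP SSO URL differs from it. The IdP URL, entity ID and Assertion Consumer Service URL are constructed placeholder values.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values (assumptions, not taken from the page).
IDP_SSO_URL = "https://idp.example.com/saml2"
SP_ENTITY_ID = "https://sp.example.com/metadata"
ACS_URL = "https://sp.example.com/saml/acs"


def build_redirect_url(relay_state="/home"):
    """Build the URL a service provider redirects the browser to for login."""
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{issue_instant}" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )
    # The redirect binding uses raw DEFLATE (no zlib header), then base64,
    # then URL encoding of the result.
    compressor = zlib.compressobj(wbits=-15)
    deflated = compressor.compress(xml.encode()) + compressor.flush()
    query = urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode(),
        "RelayState": relay_state,
    })
    return f"{IDP_SSO_URL}?{query}"


def decode_saml_request(url):
    """Return the AuthnRequest XML carried by url, or None if it has none."""
    params = parse_qs(urlparse(url).query)
    if "SAMLRequest" not in params:
        return None  # a bare SSO URL, as when it is reused as an exit URL
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


if __name__ == "__main__":
    print(decode_saml_request(build_redirect_url()))
    print(decode_saml_request(IDP_SSO_URL))
```
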