
Best Practices & FAQs

Best Practices

Single sign-on (SSO) is not just about convenience; it is also about security. An enterprise owns its employees' identities in the cloud apps it uses, and the enterprise should be able to manage those identities effectively.

For example, when an employee leaves a company, the company should be able to prevent that employee from accessing all of its cloud apps. You can help the enterprise achieve this by providing a few key SSO settings in your application.

  • Disallow username/password login

    When customers use your SSO protocol, they usually want to disable an employee’s ability to sign in using a password. You should provide a setting for this.

  • Disallow password resets

    Prevent a user from changing or resetting his password via email.

  • Disallow email address change

    Companies usually want a user to use her work email address only, as this is the email address that the company controls. Don’t let the user change it to a personal email address.

  • Enforce session timeouts

    Don’t let a user be signed on indefinitely: expire idle user sessions. Use the session timeout value from the SAML response or have a setting per account. When a user clicks a link in the app after the session has expired, your app should send a SAML request to the identity provider to see if the user is still authorized to sign in to your app.

  • Force sign-in

    If the application receives a sign-on request, but the user’s browser already has an active session, replace that with a session for the new user. This reduces the risk of a user inadvertently seeing someone else’s data. It is also helpful to people who use SSO portals to sign in to different accounts in the same application.
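As an added illustration of the session-timeout point above (example code written for this page, not the OneLogin toolkit's own), the following Python reads SessionNotOnOrAfter from a constructed SAML Response, caps it with a per-account idle timeout, and decides when a request must trigger a new SAML request to the identity provider. The sample response, the timeout values and the function names are assumptions.

```python
# Added example (not OneLogin toolkit code): derive a session expiry from the
# IdP's SessionNotOnOrAfter, bounded by a per-account idle timeout, and decide
# whether a request must go back to the IdP before the app serves it.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed sample response (signature, Conditions and Attributes omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T09:00:00Z"
        SessionNotOnOrAfter="2024-01-01T17:00:00Z" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""

def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC with a 'Z' suffix; return an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def session_not_on_or_after(response_xml):
    """Return the IdP's SessionNotOnOrAfter, or None when the IdP did not send one."""
    root = ET.fromstring(response_xml)
    stmt = root.find(".//saml:Assertion/saml:AuthnStatement", NS)
    if stmt is None or "SessionNotOnOrAfter" not in stmt.attrib:
        return None
    return parse_saml_time(stmt.attrib["SessionNotOnOrAfter"])

def session_expiry(response_xml, last_activity, idle_timeout_seconds):
    """Expire at the earlier of the IdP's limit and the per-account idle limit.

    last_activity is the time of the user's most recent request; the idle limit
    moves forward with activity, the IdP limit never does.
    """
    idp_limit = session_not_on_or_after(response_xml)
    idle_limit = last_activity + timedelta(seconds=idle_timeout_seconds)
    return min(idp_limit, idle_limit) if idp_limit else idle_limit

def needs_reauthentication(expiry, now):
    """True when the app must send a new SAML request to the IdP before serving the link."""
    return now >= expiry
```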

FAQs

  • How can I test my SAML implementation?

    You can test your application’s SAML implementation by using the generic OneLogin SAML Test app. To add it to your account, go to Apps > Add App > Find Applications.

    For information about how to use it, see How to Use the OneLogin SAML Test Connector.

  • Where can I find some sample SAML requests and responses?

    See the Examples on this site.

  • Do the SAML Toolkits work with Active Directory Federation Services?

    Yes, the OneLogin SAML toolkits work with AD FS. Ensure that you select SHA1 instead of SHA256 as the hashing algorithm in AD FS.

  • What is the difference between SAML, OpenID, and OAuth?

    Although there is some overlap, here is a simple way of distinguishing between the three protocols:

    • SAML: Single sign-on for enterprise users

    • OpenID: Single sign-on for consumers

    • OAuth: API authorization between applications

  • Should I use OpenID or SAML as my SSO protocol?

    With Google choosing OpenID as the SSO protocol for their Apps Marketplace, OpenID may seem like the obvious choice. Also, SAML is often criticized for its complexity and OpenID is often praised for its simplicity. But before making a decision, let’s take a high-level look at the differences between the protocols:

    Feature                          OpenID                           SAML
    Service provider-initiated SSO   Yes                              Yes
    Identity provider-initiated SSO  No                               Yes
    Identity provider discovery      Configured per user              Configured per account
    Just-in-time provisioning        Via back-channel SReg request    Directly, in the same user SSO request
    Performance                      Slower                           Faster
    Audience                         Consumer                         Enterprise

