Authentication with SAML
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data. This topic contains background information about SAML and its use with Archibus.
Why SAML
Increasingly, organizations are federating their IT systems. The goal is to coordinate sharing and exchange of information between multiple, semi-autonomous and de-centralized enterprise systems. These systems can be hosted internally, in external data centers, or in the cloud. Federated identity systems use single sign-on technology to connect users to all these systems. The most common enterprise protocol for this kind of federated authentication is SAML.
The SAML protocol lets you federate different systems together, even if they are hosted in separate clusters, in a remote data center, or in the cloud. Under SAML:
- Applications and resources - such as Web Central - are protected by Service Providers (SPs).
- Authentication is managed by an Identity Provider (IdP).
- Your system administrator registers each Service Provider with the Identity Provider to establish a trusted relationship.
Some installations prior to V.23.2 integrate Archibus with SAML infrastructure, but these solutions support only web browsers. Archibus V.23.2 and later includes support for the SAML 2.0 authentication protocol for the entire Archibus product line. That includes web browser applications, Archibus Mobile apps, Smart Client, Smart Client Extensions for AutoCAD and Revit, and the Reservations Plugin for Microsoft Outlook.
Using SAML, organizations can:
- Manage all users and all systems centrally. If you remove a user from the Identity Provider, they are removed from all systems.
- Use the organization's own single, consistent and preferred means to authenticate users.
- Avoid having client web browsers or client applications store any username and password or other authentication information.
Archibus V.23.2 and later is verified to work with the Shibboleth reference implementation. SAML 2.0 Service Providers compatible with this reference implementation will work with Archibus V.23.2 and later. Configuration and administration of SAML Service Providers, and the Identity Provider, varies among SAML implementation vendors.
Note: If your site integrates Archibus with Esri ArcGIS Online or ArcGIS Server, you will need additional configuration to connect these servers. Please see the Esri documentation.
How SAML Works
For unauthenticated users who request access to SAML-protected Web Central, the Service Provider redirects the request to the Identity Provider. The Identity Provider is the central authentication server for all users and applications in the organization.
The Identity Provider processes the request by presenting its own sign-in method. This sign-in method can be a dialog with username and password prompts, two-factor authentication, a physical USB key, or a biometric scan.
Once the user is accepted, the Identity Provider creates a SAML session and redirects the successful request and trust information back to the Service Provider, which allows that request and subsequent requests through to the Web Central server.
The SAML session has a configurable timeout. When this timeout expires, the next user request to Web Central undergoes the same authentication cycle described above.
Note: When you configure the SAML timeout, set it less than the Web Central timeout.
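The authentication cycle described above, as an added illustration that is not Archibus, Shibboleth or any vendor code: a minimal Service Provider and Identity Provider modelled in Python. Real SAML exchanges XML documents signed with XML Signature; here the assertion is a small dictionary signed with an HMAC over a constructed shared key, which stands in for the trust relationship the administrator establishes when registering the SP with the IdP. The entity ID, ACS URL, user directory and timeouts are all constructed sample values. The example shows the redirect of an unauthenticated request, the checks an SP performs on the returned assertion (signature, audience, matching request ID, validity window), the SAML session with its configurable timeout, and the configuration rule that the SAML timeout must be less than the Web Central timeout.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared key standing in for the IdP signing certificate that the
# SP trusts after registration. Not real SAML key material.
IDP_SIGNING_KEY = b"constructed-demo-key-not-for-production"
SP_ENTITY_ID = "https://webcentral.example.invalid/sp"   # hypothetical SP entity ID
ACS_URL = "https://webcentral.example.invalid/Saml2/acs"  # hypothetical assertion consumer URL


def sign(payload: dict) -> str:
    """HMAC stand-in for the XML Signature an IdP places on an assertion."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).hexdigest()


def timeouts_are_valid(saml_timeout: float, webcentral_timeout: float) -> bool:
    """The SAML session timeout must be less than the Web Central timeout."""
    return 0 < saml_timeout < webcentral_timeout


class IdentityProvider:
    """Central authentication server: verifies credentials, issues an assertion."""

    def __init__(self, users: dict):
        self.users = users  # constructed sample directory {username: password}

    def authenticate(self, authn_request: dict, username: str, password: str):
        if self.users.get(username) != password:
            return None  # sign-in failed; no assertion is issued
        assertion = {
            "subject": username,
            "audience": authn_request["issuer"],       # the SP this is meant for
            "in_response_to": authn_request["id"],     # ties it to one request
            "not_on_or_after": time.time() + 300,      # short assertion validity
        }
        return {"assertion": assertion, "signature": sign(assertion)}


class ServiceProvider:
    """Protects Web Central: redirects, validates responses, tracks SAML sessions."""

    def __init__(self, saml_timeout: float, webcentral_timeout: float, now=time.time):
        if not timeouts_are_valid(saml_timeout, webcentral_timeout):
            raise ValueError("SAML session timeout must be less than the Web Central timeout")
        self.saml_timeout = saml_timeout
        self.now = now                 # injectable clock so expiry can be demonstrated
        self.pending = {}              # outstanding AuthnRequest IDs
        self.sessions = {}             # session token -> (subject, expiry time)

    def handle_request(self, session_token=None):
        """Returns ('allow', subject) for a live session, else ('redirect', authn_request)."""
        sess = self.sessions.get(session_token)
        if sess and sess[1] > self.now():
            return ("allow", sess[0])
        self.sessions.pop(session_token, None)   # expired: drop it, start the cycle again
        req_id = secrets.token_hex(16)
        self.pending[req_id] = self.now()
        return ("redirect", {"id": req_id, "issuer": SP_ENTITY_ID, "acs_url": ACS_URL})

    def consume_response(self, response: dict) -> str:
        """Validates the IdP response and opens a SAML session; returns the session token."""
        if response is None:
            raise ValueError("IdP did not authenticate the user")
        a = response["assertion"]
        if not hmac.compare_digest(sign(a), response["signature"]):
            raise ValueError("bad signature")
        if a["audience"] != SP_ENTITY_ID:
            raise ValueError("assertion not intended for this SP")
        if a["in_response_to"] not in self.pending:
            raise ValueError("unsolicited or replayed response")
        if a["not_on_or_after"] <= self.now():
            raise ValueError("assertion expired")
        del self.pending[a["in_response_to"]]    # each request ID is consumed once
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (a["subject"], self.now() + self.saml_timeout)
        return token


def run_flow():
    """Walks one user through the cycle; returns the SP decisions in order."""
    clock = [1_000_000.0]
    sp = ServiceProvider(saml_timeout=600, webcentral_timeout=1800, now=lambda: clock[0])
    idp = IdentityProvider({"alice": "correct horse"})   # constructed sample user
    outcomes = []
    action, req = sp.handle_request()                   # no session yet
    outcomes.append(action)                             # "redirect"
    response = idp.authenticate(req, "alice", "correct horse")
    token = sp.consume_response(response)
    outcomes.append(sp.handle_request(token)[0])        # "allow"
    try:
        sp.consume_response(response)                   # same response presented again
        outcomes.append("replay-accepted")
    except ValueError:
        outcomes.append("replay-rejected")
    clock[0] += 601                                     # SAML session timeout elapses
    outcomes.append(sp.handle_request(token)[0])        # "redirect": full cycle again
    return outcomes


if __name__ == "__main__":
    print(run_flow())
```

The injected clock is what lets the session-expiry branch be exercised deterministically; in a deployment the SP and IdP each use real time, which is why clock skew between them matters for the validity window.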
The figure below illustrates how SAML authentication works with Archibus: