Introduction

Security Assertion Markup Language, known as SAML, simplifies the federated authentication and authorization processes for users by implementing a secure method for passing user authentications and authorizations between the identity provider and service providers.

With the introduction of SSO Configurations powered by Scalefusion's OneIdP, we provide a simplified Identity and access management where admins can configure conditional access to their Web-Application (SAAS or On-Prem) that supports SAML based authentication, ensuring that corporate assets are accessed only on a managed device.

Many small and medium-sized businesses, as well as large corporations, rely on a wide range of software as a service applications. Implementing conditional access to these applications represents a significant advancement from basic device management practices.

Let us understand how the whole process works in Scalefusion.

How it Works

There are two main entities here - Service Provider and Identity Provider. Any external identity that requires authorization to allow users to access its resources is a Service Provider. An identity provider is the one that manages the users and their passwords, authenticates them before they access a service offered by Service Provider and then add additional conditions to authorize the access.

In our case, Scalefusion becomes the Identity Provider and performs the authentication for users belonging to any external IdP which offers SAML based SSO. 

When a user logs into a SAML-enabled application (for eg. Gmail), it requests authorization from Scalefusion. Scalefusion's OneIdP authenticates the user, returns the authorization for the user to Scalefusion, and the user gets logged in to the application (Gmail).

There are a few configurations that need to be done both at the end of Identity Provider (Scalefusion) as well as Service Provider, which establishes a standardized communication between the two. This and further documents describe in detail all the steps to configure an application to make it SAML-enabled via Scalefusion.

Type of Applications

What type of applications can be configured under SSO Configurations? 

Any services/products that can support SAML can be configured and authenticated by Scalefusion's OneIdP with SSO Configuration. As of now, we support following:

1. Google Workspace: Any hosted Google application, such as Gmail, Google Calendar, or another Google service.
2. Any SAML V2.0 app
3. Rediffmail
4. Microsoft 365/Microsoft Entra: Microsoft applications like Outlook, OneDrive, Sharepoint, Teams etc.

Platforms

Scalefusion's SSO configurations can be applied on the following platforms: 

• Android
• Windows
• iOS
• macOS
• Linux

Pre-Requisites

1. Your account should have access to SSO Configurations
2. The devices enrolled with Scalefusion should be user based devices enrolled as: 
   1. BYOD (Bring Your Own Device)
   2. UAE (User Authenticated Enrollment)
   3. Shared COD (Shared Company Owned Devices)
3. OneIdP should be setup on Scalefusion Dashboard.
4. The Custom Domain for which you are authorizing, should be verified through OneIdP. 
5. Users belonging to custom domain should be imported/added to Scalefusion Dashboard and migrated to OneIdP.
6. Access to Service Providers' admin console

Steps

In a nutshell, following are the steps to be performed for implementing SAML based access:

1. Add and verify custom domain in OneIdP
2. Import Users (belonging to custom domain) to Scalefusion and migrate them to OneIdP. Users can be automatically migrated by enabling the setting Auto Migrate Users when users are imported from external Identity providers from OneIdP User Management Settings.
3. Configure Application on Scalefusion Dashboard from OneIdP > SSO Configurations
4. Configure SAML-based Sign-In settings on the Service Provider's console 
5. Assign users with the configuration from SSO Configuration

Note: In the next set of documents we will be describing how to create an SSO configuration on Scalefusion Dashboard for any SAML based application and how authentication happens on devices.

Terminology: On Scalefusion Dashboard side we call it SSO Configuration and on device the app is named as Authenticator