About Aurora Security Assertion Markup Language (SAML) Single Sign-On (SSO)
Single Sign-On (SSO) eliminates the need for users to enter their login credentials each time they sign in to a different application or service. With SSO, users authenticate once with a central identity provider, and that authenticated session is then used to sign them in to other applications or services without re-entering their password. SAML is one of the protocols that enables SSO. Learn more about Khoros Single Sign-On.
Existing customers who want to upgrade to Aurora and port their existing SAML configuration may want to contact their Customer Success Manager or Account Executive. This process can be involved, and a Professional Services (PS) engagement can ensure a successful reconfiguration and help address any existing customizations such as user authentication workflows, custom user profile fields, and other customizations or integrations relying on user data.
About Khoros SAML SSO
Let’s begin by defining some terms in the context of the Khoros Aurora platform:
- IdP (Identity Provider): This is your SSO server. The IdP is the server or service that authenticates the end user and issues the SAML assertion. The IdP is owned and managed by you (the customer).
- SP (Service Provider): This is your Khoros community. The SP is the software/service platform that consumes and validates the SAML assertions the IdP issues.
Security Assertion Markup Language (SAML) is an OASIS standard for passing single sign-on (SSO) authentication data from an identity provider to a service provider. This XML-based protocol uses security tokens containing assertions to pass information about an end user between the SAML Identity Provider (IdP) and SAML Service Provider (SP).
Here's an overview of the SAML SSO workflow:
SAML provides a secure method of passing user authentication and authorization data between the identity provider and service providers—in our case, your community.
When a user signs in to a SAML-enabled community, the community (the SP) sends the user's browser to the appropriate identity provider with a SAML authentication request. The identity provider authenticates the community member's credentials, then returns a signed SAML assertion for the member to the community's assertion consumer service. The community validates the assertion (signature, issuer, audience, and validity window) and signs the member in.
Supported SAML 2.0 profiles
We support the following SSO profiles used to define the assertions, protocols, and bindings that support your integration:
- Web Browser SSO Profile, involving an identity provider (IdP), a service provider (SP), and a user employing an HTTP user agent (usually a web browser).
- Single Logout Profile in conjunction with the HTTP Redirect binding (front-channel only; no back-channel communication)
Khoros supports HTTP POST and HTTP Redirect SAML 2.0 bindings, which map SAML protocols to other messaging and communication protocols.
Supported flows
Khoros supports the following two flows for SAML:
- SP-initiated SAML: the user starts at the community, which sends an authentication request to the IdP and then consumes the response tied to that request.
- IdP-initiated SAML: the user starts at the IdP (for example, an application portal), and the IdP sends an unsolicited SAML response to the community without a preceding request.
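To make the workflow and the two flows concrete, here is an added, standard-library-only Python sketch of the SP side (example code written for this page, not Khoros's implementation): it builds an SP-initiated AuthnRequest, encodes it for the HTTP Redirect binding (raw DEFLATE, base64, URL-encoded), and then runs the checks a service provider makes on the IdP's response (Destination, InResponseTo, status, Issuer, validity window, Audience, Recipient). All endpoint URLs, the request ID, and the sample response are constructed assumptions. The XML signature check is deliberately left out; in real code it runs first, with a library such as python3-saml/xmlsec, and nothing below may be trusted until it passes.

```python
"""SP-side SAML 2.0 sketch: an SP-initiated AuthnRequest sent over the HTTP-Redirect
binding, then the checks the SP makes on the IdP's Response. Added example, not Khoros
code. Standard library only; the XML signature check is deliberately NOT implemented."""
import base64
import datetime as dt
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical endpoints (assumptions for this example, not real Khoros or customer values).
SP_ENTITY_ID = "https://community.example.com/saml/metadata"
SP_ACS_URL = "https://community.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.org/saml"
IDP_SSO_URL = "https://idp.example.org/saml/sso"


def build_authn_request(request_id, issue_instant):
    """SP-initiated flow, step 1: the AuthnRequest the community sends to the IdP."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')


def redirect_binding_url(xml_text, relay_state=""):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state  # where to send the user after login
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(params)


def decode_redirect_binding(url):
    """Inverse of redirect_binding_url: what the IdP does on receipt."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()


def _t(stamp):  # SAML UTC timestamp such as 2024-05-01T12:00:00Z -> aware datetime
    return dt.datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def check_response(response_xml, now, expected_request_id):
    """Checks the SP makes before trusting the Subject. expected_request_id is the ID of the
    outstanding AuthnRequest (SP-initiated) or None for an unsolicited IdP-initiated response.
    Returns a list of problems ([] = passed). Assumes the XML signature was verified already."""
    problems, root = [], ET.fromstring(response_xml)
    if root.tag != f'{{{NS["samlp"]}}}Response':
        return ["not a samlp:Response"]
    if root.get("Destination") != SP_ACS_URL:
        problems.append("Destination is not our ACS URL")
    irt = root.get("InResponseTo")
    if expected_request_id is not None and irt != expected_request_id:
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    if expected_request_id is None and irt is not None:
        problems.append("unsolicited response must not carry InResponseTo")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no plaintext assertion (EncryptedAssertion needs decrypting first)"]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        problems.append("Issuer is not the configured IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        cond = ET.Element("missing")  # no Conditions: the Audience check below then fails
    if cond.get("NotBefore") and now < _t(cond.get("NotBefore")):
        problems.append("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= _t(cond.get("NotOnOrAfter")):
        problems.append("assertion expired")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        problems.append("Audience is not this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        problems.append("SubjectConfirmationData Recipient is not our ACS URL")
    return problems


# Constructed sample Response (not captured from any real IdP) closing an SP-initiated round trip.
REQ_ID = "_req-0001"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp-0001" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
  Destination="{SP_ACS_URL}" InResponseTo="{REQ_ID}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a-0001" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="{REQ_ID}"
          NotOnOrAfter="2024-05-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
NOW = dt.datetime(2024, 5, 1, 12, 1, tzinfo=dt.timezone.utc)  # inside the validity window

if __name__ == "__main__":
    print(redirect_binding_url(build_authn_request(REQ_ID, "2024-05-01T11:59:30Z"), "/t5/board"))
    print(check_response(SAMPLE_RESPONSE, NOW, REQ_ID))                   # []
    print(check_response(SAMPLE_RESPONSE, NOW.replace(hour=13), REQ_ID))  # ['assertion expired']
```

Two details matter for the IdP-initiated flow: the SP has no outstanding request ID, so it passes None and rejects a response that nevertheless carries InResponseTo, and because nothing binds the response to a browser session the Recipient, Audience and validity-window checks are the only things preventing an assertion captured elsewhere from being replayed here.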
Read on to learn how community admins can configure SAML SSO for their community by themselves.