Introduction

Single Sign-On (SSO) is an authentication mechanism that allows users to log in once and gain access to multiple applications without needing to re-enter credentials. It enhances security by reducing password fatigue and minimising the risk of weak or reused passwords while improving user experience by streamlining access.

SSO is commonly implemented using protocols like SAML (Security Assertion Markup Language), in which an Identity Provider (IDP) authenticates the user and returns a signed assertion to the Service Provider (SP), which grants access on the strength of that assertion rather than on a password of its own.

Businesses and enterprises widely adopt SSO to simplify user management and enhance security in cloud and on-premises environments.

Glossary

IDP (Identity Provider): A system or service that authenticates users and provides identity information to other systems, enabling secure access to applications and resources.

SAML (Security Assertion Markup Language): An open standard for exchanging authentication and authorization data between an identity provider (IDP) and a service provider (SP), commonly used for enabling SSO.

SSO (Single Sign-On): An authentication process that allows a user to access multiple applications with a single set of login credentials, reducing the need for multiple passwords.

XML (Extensible Markup Language): A flexible, text-based format for structuring and storing data, widely used in web services, configuration files, and document exchange.

PAM SSO Support

To log into PAMOS with SSO, customers must first integrate their Identity Provider with PAM's SAML-based SSO.

Once the integration is in place, the ‘Single Sign On (SSO)’ button on the PAMOS login page can be used.


Provide Information to PAM

SAML Metadata Configuration

Provide your Identity Provider's SAML metadata either as a metadata URL or as the contents of the metadata .xml file. The metadata carries the IDP's entityID, its SingleSignOnService endpoints and the X.509 certificate the IDP signs responses with. That certificate is what a service provider uses to verify assertion signatures, so take the metadata directly from the IDP and update it whenever the IDP rotates its signing certificate. Also check the validUntil attribute: a service provider may reject metadata past that date. In the example below, WantAuthnRequestsSigned="true" means the IDP expects the service provider to sign its authentication requests.

Example metadata (.xml file contents):

```xml
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://saml.example.com/entityid" validUntil="2035-02-10T01:14:09.024Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIC4jCCAcoCCQC33wnybT5QZDANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJV
SzEPMA0GA1UECgwGQm94eUhRMRIwEAYDVQQDDAlNb2NrIFNBTUwwIBcNMjIwMjI4
MjE0NjM4WhgPMzAyMTA3MDEyMTQ2MzhaMDIxCzAJBgNVBAYTAlVLMQ8wDQYDVQQK
DAZCb3h5SFExEjAQBgNVBAMMCU1vY2sgU0FNTDCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBALGfYettMsct1T6tVUwTudNJH5Pnb9GGnkXi9Zw/e6x45DD0
RuRONbFlJ2T4RjAE/uG+AjXxXQ8o2SZfb9+GgmCHuTJFNgHoZ1nFVXCmb/Hg8Hpd
4vOAGXndixaReOiq3EH5XvpMjMkJ3+8+9VYMzMZOjkgQtAqO36eAFFfNKX7dTj3V
pwLkvz6/KFCq8OAwY+AUi4eZm5J57D31GzjHwfjH9WTeX0MyndmnNB1qV75qQR3b
2/W5sGHRv+9AarggJkF+ptUkXoLtVA51wcfYm6hILptpde5FQC8RWY1YrswBWAEZ
NfyrR4JeSweElNHg4NVOs4TwGjOPwWGqzTfgTlECAwEAATANBgkqhkiG9w0BAQsF
AAOCAQEAAYRlYflSXAWoZpFfwNiCQVE5d9zZ0DPzNdWhAybXcTyMf0z5mDf6FWBW
5Gyoi9u3EMEDnzLcJNkwJAAc39Apa4I2/tml+Jy29dk8bTyX6m93ngmCgdLh5Za4
khuU3AM3L63g7VexCuO7kwkjh/+LqdcIXsVGO6XDfu2QOs1Xpe9zIzLpwm/RNYeX
UjbSj5ce/jekpAw7qyVVL4xOyh8AtUW1ek3wIw1MJvEgEPt0d16oshWJpoS1OT8L
r/22SvYEo3EmSGdTVGgk3x3s+A0qWAqTcyjr7Q4s/GKYRFfomGwz0TZ4Iw1ZN99M
m0eo2USlSRTVl7QHRTuiuSThHpLKQQ==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mocksaml.com/api/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mocksaml.com/api/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
```

Example metadata URL:

https://mocksaml.com/api/saml/metadata
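The following Python script is an added example, not PAM's own code or tooling. It sanity-checks an IDP metadata file of the shape shown above before it is submitted: it pulls out the fields a service provider needs (entityID, SingleSignOnService endpoints, NameID format, signing certificate) and flags the mistakes that most often break a SAML integration: expired validUntil, no signing certificate, non-HTTPS endpoints, or SP metadata supplied in place of IDP metadata. The sample document, its hostnames and the truncated certificate are constructed for the example; the expiry check is shown by a second copy of the sample with validUntil moved into the past.

```python
"""Sanity-check IdP SAML metadata before handing it to PAM (added example, not PAM code)."""
import base64
import json
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml: same API, blocks entity-expansion attacks
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of the metadata above. The certificate is truncated to
# its first bytes because only the "is this base64-encoded DER" check is demonstrated here.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://saml.example.com/entityid" validUntil="2035-02-10T01:14:09.024Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC4jCCAcoCCQC33wnybT5QZDANBgkqhkiG9w0BAQsFADAy</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Same constructed document with validUntil in the past, to show the expiry check firing.
EXPIRED_METADATA = SAMPLE_METADATA.replace('validUntil="2035-', 'validUntil="2020-')


def check_idp_metadata(xml_text, now=None):
    """Return the fields an SP needs from IdP metadata plus a list of problems ([] means OK)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")

    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("missing entityID")

    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= now:
            problems.append("metadata expired at %s" % valid_until)

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            # 0x30 is the DER SEQUENCE tag; a full parse would use the cryptography package.
            if not der or der[0] != 0x30:
                problems.append("X509Certificate is not base64-encoded DER")
            signing_certs.append(der)
    if not signing_certs:
        problems.append("no signing certificate: response signatures could not be verified")

    sso_endpoints = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        location = svc.get("Location", "")
        if not location.startswith("https://"):
            problems.append("SingleSignOnService is not HTTPS: %s" % location)
        sso_endpoints[svc.get("Binding")] = location
    if HTTP_REDIRECT not in sso_endpoints and HTTP_POST not in sso_endpoints:
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService binding")

    return {
        "entity_id": entity_id,
        "valid_until": valid_until,
        "wants_signed_authn_requests": idp.get("WantAuthnRequestsSigned") == "true",
        "name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
        "sso_endpoints": sso_endpoints,
        "signing_certs": len(signing_certs),
        "problems": problems,
    }


if __name__ == "__main__":
    print(json.dumps(check_idp_metadata(SAMPLE_METADATA), indent=2))
    print(json.dumps(check_idp_metadata(EXPIRED_METADATA)["problems"]))
```

Run it against the metadata you intend to submit; an empty problems list means the file has everything the SAML exchange depends on. The script deliberately does not validate the certificate beyond its encoding, since signature verification is the service provider's job at login time, not a metadata-submission check.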

Email Attribute

Confirm the SAML attribute in the Identity Provider's response that carries the user's email address (e.g. emailAddress or email). The user's email is taken from this attribute, so the IDP must populate it for every SSO user. Example value:

email

Supported Email Domains

Please provide a comma-separated list of email domains that you wish to be supported (e.g. company1.com, company2.com, company3.com)
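As an added example covering the Email Attribute and Supported Email Domains inputs above (not PAM's own code; how PAM applies these settings internally is not described on this page), the following Python shows the two checks a service provider performs once it has a SAML response: read the configured email attribute out of the assertion, and accept the login only if the address's domain is on the supported list. The response document is constructed for the example and is assumed to have already passed signature verification; nothing in this code should ever run on an unverified response. The domain check is an exact match on the part after the single '@', because a suffix match would admit user@company1.com.evil.example.

```python
"""Read the email attribute from a SAML Response and enforce the supported-domain list.
Added example, not PAM code. Assumes the response signature was already verified."""
import xml.etree.ElementTree as ET  # use defusedxml for real IdP responses

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, already-verified response carrying an 'email' attribute (hostnames are made up).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2025-02-10T01:20:00Z">
  <saml:Issuer>https://saml.example.com/entityid</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-02-10T01:20:00Z">
    <saml:Issuer>https://saml.example.com/entityid</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@company1.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>alice@company1.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="firstName">
        <saml:AttributeValue>Alice</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_email(response_xml, attribute_name):
    """Return the single value of the named attribute from the response's single assertion."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # several assertions invite "which one was signed?" confusion
        raise ValueError("expected exactly one Assertion, found %d" % len(assertions))
    for attr in assertions[0].findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if len(values) != 1:
            raise ValueError("attribute %r must carry exactly one value" % attribute_name)
        return values[0]
    raise ValueError("attribute %r not present in assertion" % attribute_name)


def parse_domain_list(text):
    """'company1.com, Company2.com' -> frozenset of lower-cased domains without trailing dots."""
    return frozenset(d.strip().lower().rstrip(".") for d in text.split(",") if d.strip())


def email_domain_allowed(email, allowed_domains):
    """Exact match on the domain after the only '@'; a second '@' or empty part is rejected."""
    if email.count("@") != 1:
        return False
    local, domain = email.split("@")
    domain = domain.lower().rstrip(".")
    return bool(local) and bool(domain) and domain in allowed_domains


def sso_login_email(response_xml, attribute_name, allowed_domains):
    """The email to log the user in as, or None if the assertion fails the domain policy."""
    email = extract_email(response_xml, attribute_name)
    return email if email_domain_allowed(email, allowed_domains) else None


if __name__ == "__main__":
    allowed = parse_domain_list("company1.com, company2.com, company3.com")
    print(sso_login_email(SAMPLE_RESPONSE, "email", allowed))
```

The attribute name passed to extract_email is exactly the value submitted under Email Attribute, so a mismatch between what the IDP emits (for instance emailAddress) and what was submitted (email) surfaces as a missing-attribute error rather than a silent login as the wrong identity.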

PAM Information Required

The values below are placeholders showing the format; PAM will share the actual values. Configure them in your Identity Provider as the Service Provider entity ID (the assertion's audience) and the Assertion Consumer Service (ACS) URL to which the IDP posts its SAML response.

SAML entity ID: urn:amazon:cognito:sp:<yourUserPoolId>
ACS URL: https://<yourDomainPrefix>.auth.<region>.amazoncognito.com/saml2/idpresponse

Guide: Google Workspace

External Guides

https://github.com/aws-samples/amazon-cognito-example-for-multi-tenant/blob/main/docs/GoogleInstructions.md