Introduction

This document describes how to enable support for federated authentication using SAML in a Snow License Manager environment.

Snow’s federated authentication component supports the Security Assertion Markup Language (SAML) v2.0 standard for web-based authentication between security domains. The component supports the Service Provider (SP) initiated Single sign-on (SSO) and Single log-out (SLO).

Snow License Manager website will act as the Service Provider when the federated authentication is enabled. This supports a Single sign-on flow initiated by the Service Provider:

  1. The user browses to the Snow License Manager web user interface.

  2. An authentication request is sent to the Identity Provider.

  3. The user is automatically redirected to the Identity Provider login service.

  4. The user is authenticated and a SAML response is sent to Snow License Manager web user interface.

  5. The user is logged in.

For more detailed information about the SAML v2.0, see the specification at https://www.oasis-open.org/.

For Enterprise Edition installations of Snow License Manager, there is only a single logical tenant, although this tenant may comprise of multiple legal entities, company fractions, subsidiaries, business units, etc.

For Service Provider Edition installations of Snow License Manager, multiple customers want to access the same Snow License Manager website but are only given access to their assigned tenant within the solution. To implement SSO when each customer has their own SAML Identity Provider solution for their users, a central SAML Identity Provider instance has to be added to act as a gateway. To implement SSO on a Service Provider Edition platform, the partner needs to integrate each customer Identity Provider (AzureAD, OKTA, Ping etc) with their own Identity Provider. Then, the Partner's Identity provider can be integrated with Snow License Manager in a generic way as described below.