
Single sign-on support and launchpad

When acting as an IdP, Bravura Security Fabric is able to support single sign-on (SSO) authentication across multiple service providers. SSO authentication enables a user to log into multiple SPs without having to re-enter their credentials, if they already meet the authentication criteria for these services. By reducing the number of credential inputs required from users, single sign-on authentication reduces password fatigue while mitigating the risks of transmitting credential information to third-party services.

An application launchpad and single sign-on policy are included and build on the IdP to maximize user login convenience. When this is enabled, users sign into Bravura Security Fabric and then click an icon to sign into other applications; each session is started in a new browser tab.

Single sign-on

Single sign-on support is enabled by default when Scenario.hid_saml_idp is first installed. When a user completes a federated login through SAML their SSO session information is recorded in the IDP_SESSION and IDP_SESSINFO database tables, tracking session validity as well as the authentication chains the user has successfully completed. A user is granted immediate access to an SP if their SSO session already meets the new SP’s authentication chain requirements.

Available configuration options for single sign-on include:

  • When configuring the fedidp-assert authentication chain module, set Single sign-on mode to one of "Enable", "Disable", or "Prompt" to configure when SSO session information should be stored following successful log-in.

  • When configuring the fedidp-cs chain selection module, modify Allow plugin to skip chain selection to enable or disable whether the plugin can skip authentication chain steps for already-authenticated users.
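The following is an added example, not code from Bravura Security Fabric, that models the SSO session logic described above: a session record tracks validity and the authentication chains the user has completed, the "Single sign-on mode" setting decides whether a successful login is recorded, and the "Allow plugin to skip chain selection" setting decides whether a valid session that already satisfies a service provider's chain grants access without re-authenticating. The record and field names (session_id, completed_chains, required_chain, authorized_users), the session lifetime, and the way the "Prompt" mode is represented as a consent flag are all assumptions; the real IDP_SESSION and IDP_SESSINFO schema is not shown on the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed model of the IdP session store. Field names are assumptions;
# the real IDP_SESSION / IDP_SESSINFO schema is not documented on this page.

SSO_MODES = ("Enable", "Disable", "Prompt")   # values named on the page

# Fixed clock values so the example is deterministic (constructed).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=2)


@dataclass
class SsoSession:
    session_id: str
    user_id: str
    expires_at: datetime
    completed_chains: set = field(default_factory=set)

    def is_valid(self, now: datetime) -> bool:
        return now < self.expires_at


@dataclass
class ServiceProvider:
    entity_id: str
    required_chain: str                   # chain the SP's policy requires
    authorized_users: frozenset = frozenset()  # stands in for sp_access
    enabled: bool = True                  # stands in for sp_mapping


def record_login(sessions, session_id, user_id, chain, sso_mode, now,
                 user_consented=False, ttl_minutes=60):
    """Store SSO session information after a successful federated login.

    "Enable" always records the session, "Disable" never does, and "Prompt"
    records it only if the user agreed (the prompt is modelled as a flag).
    Returns the stored session, or None when nothing was recorded.
    """
    if sso_mode not in SSO_MODES:
        raise ValueError(f"unknown Single sign-on mode: {sso_mode!r}")
    if sso_mode == "Disable" or (sso_mode == "Prompt" and not user_consented):
        return None
    sess = sessions.get(session_id)
    if sess is None or not sess.is_valid(now):
        # Expired sessions are replaced rather than extended.
        sess = SsoSession(session_id, user_id, now + timedelta(minutes=ttl_minutes))
        sessions[session_id] = sess
    sess.completed_chains.add(chain)
    return sess


def access_decision(sessions, session_id, user_id, sp, now, allow_skip=True):
    """Decide what happens when the user opens a service provider.

    "deny": SP disabled or user not authorized for it.
    "grant": a valid SSO session already satisfies the SP's chain and the
             chain-selection plugin is allowed to skip re-authentication.
    "authenticate": the user must complete the SP's chain.
    """
    if not sp.enabled or user_id not in sp.authorized_users:
        return "deny"
    sess = sessions.get(session_id)
    if sess is None or not sess.is_valid(now) or sess.user_id != user_id:
        return "authenticate"
    if allow_skip and sp.required_chain in sess.completed_chains:
        return "grant"
    return "authenticate"


def demo():
    """Walk through the modes and decisions; returns a dict for inspection."""
    sessions = {}
    results = {}
    results["disable_stored"] = record_login(
        sessions, "s1", "alice", "password+otp", "Disable", NOW) is not None
    results["prompt_declined_stored"] = record_login(
        sessions, "s1", "alice", "password+otp", "Prompt", NOW) is not None
    record_login(sessions, "s1", "alice", "password+otp", "Enable", NOW)

    hr = ServiceProvider("https://hr.example.test", "password+otp",
                         authorized_users=frozenset({"alice"}))
    crm = ServiceProvider("https://crm.example.test", "certificate",
                          authorized_users=frozenset({"alice"}))

    results["same_chain"] = access_decision(sessions, "s1", "alice", hr, NOW)
    results["stronger_chain"] = access_decision(sessions, "s1", "alice", crm, NOW)
    results["skip_disallowed"] = access_decision(
        sessions, "s1", "alice", hr, NOW, allow_skip=False)
    results["expired"] = access_decision(sessions, "s1", "alice", hr, LATER)
    results["unauthorized"] = access_decision(sessions, "s1", "bob", hr, NOW)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to notice is that a stored session only shortcuts the chain an SP actually requires: a session that completed "password+otp" does not satisfy an SP whose policy requires a different chain, an expired session never grants access, and setting "Allow plugin to skip chain selection" off forces the chain to run even when the session would otherwise qualify.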

Single sign-on launchpad

The SAML component provides a graphical interface from which users can launch commonly used services. When the SAML component is installed, a new Customize applications link appears on Front-end for users with access to at least one SP. Clicking this link will direct users to the Application Launchpad, which displays a set of graphical buttons for each service provider available to the user. Clicking these buttons will launch the selected SP in a new browser tab, and the user will be automatically authenticated to that service.


Clicking the circular icon beside any of these service provider buttons pins it to Front-end, allowing the user to launch the selected service directly from their home page.


The Application Launchpad only displays the button for a service provider if that SP is enabled and the user is authorized to connect to it. Availability of service providers is configured in the sp_mapping and sp_access tables in the Manage external data store (DBE) module. Each service provider on the launchpad is identified by an icon image: an 80x80px PNG-format image named icon.png stored in the sp_folder directory for that service provider. If the image is present, it is used automatically for that SP.