Federation
Federated identity management is a method for using a single user identity in multiple different identity management systems. In Delinea Platform, Federation enables users to log on using credentials from a trusted third-party federated identity provider (IdP). When a user initiates login, the platform checks the domain name of the user ID. If the domain is configured for an external federated IdP, the login data is passed to that provider, and the user is authenticated and logged in.
The Delinea Platform currently supports two authentication protocols:
-
Open ID Connect (OIDC)
-
Security Assertion Markup Language (SAML)
You do not need to configure both OIDC and SAML applications for your integration. Depending on your organization's infrastructure and preferences, you can choose either OIDC or SAML.
Multiple federated identity providers can be configured on the platform, based on your specific needs and the supported protocols by the identity provider (IDP).
Platform Federation Integrations
The Delinea Delinea Platform integrates with numerous Single Sign-On (SSO) identity providers. The configuration articles below cover some of the most common ones. If your preferred IdP isn't listed, for example DUO, you can still configure it using your official IdP provider documentation and the information provided here.
Supported SSO Approaches
SSO simplifies user access across multiple applications with a unified login. The Delinea Platform supports two approaches:
-
SP-initiated SSO
-
IdP-initiated SSO
Each approach serves specific organizational needs and identity and access management (IAM) architectures.
Feature | SP-initiated SSO | IdP-initiated SSO |
---|---|---|
Initiation of authentication flow | Service provider | Identity provider (IdP) |
User logs in to | Delinea Platform | IdP portal, such as MyApps for Microsoft |
User experience | User is redirected from the Delinea Platform to the IdP for authentication; when granted, the user is returned to the platform | User selects the Delinea Platform from among the apps on the IdP site |
Organizational needs | Environments where customers are offered direct access to the Delinea Platform | Environments where multiple applications are offered |
SP-Initiated SSO
SP-Initiated SSO starts the initiation of the authentication flow at the Service Provider (SP). In this scenario, a user's interaction with the Delinea Platform (SP) triggers the need for authentication.
The diagram below depicts the sequence of actions in SP-initiated SSO at a high level. The specific steps of these flows may vary depending on the chosen SSO protocol, such as SAML or OpenID Connect.
-
The user starts by accessing the Delinea Platform (SP in this case).
-
The platform redirects the user to the Identity Provider (IdP) for authentication.
-
The user authenticates at the IdP.
-
The IdP creates an authentication response.
-
This response is then transmitted from the IdP to the platform.
-
The Delinea Platform validates the response and grants the user access.
IDP-Initiated SSO
IDP-Initiated SSO follows a different initiation model. Here, the authentication flow starts at the Identity Provider (IdP). Users typically log in at the IdP's portal, such as MyApps for Microsoft, where they are authenticated. After successful authentication, the IdP provides the user with a list of available applications they can access without needing to re-enter their credentials.
The diagram below depicts the sequence of actions in IdP-initiated SSO at a high level. The specific steps of these flows may vary depending on the chosen SSO protocol and technology, such as SAML or OpenID Connect.
-
The user starts by accessing the IdP's portal.
-
The user authenticates at the IdP.
-
The IdP generates an authentication response.
-
The IdP presents a list of applications (Delinea Platform is one of them).
-
The user selects the Delinea Platform application.
-
The IdP sends the response to the selected Service Provider (SP).
-
The platform validates the response and then grants the user access to log in.