Federation

Federated identity management is a method for using a single user identity in multiple different identity management systems. In Delinea Platform, Federation enables users to log on using credentials from a trusted third-party federated identity provider (IdP). When a user initiates login, the platform checks the domain name of the user ID. If the domain is configured for an external federated IdP, the login data is passed to that provider, and the user is authenticated and logged in.

The Delinea Platform currently supports two authentication protocols:

• Open ID Connect (OIDC)

• Security Assertion Markup Language (SAML)

You do not need to configure both OIDC and SAML applications for your integration. Depending on your organization's infrastructure and preferences, you can choose either OIDC or SAML.

Multiple federated identity providers can be configured on the platform, based on your specific needs and the supported protocols by the identity provider (IDP).

Platform Federation Integrations

The Delinea Delinea Platform integrates with numerous Single Sign-On (SSO) identity providers. The configuration articles below cover some of the most common ones. If your preferred IdP isn't listed, for example DUO, you can still configure it using your official IdP provider documentation and the information provided here.

• Integrating AD FS

• Integrating Auth0

• Integrating BlokSec

• Integrating Celestix

• Integrating Entra ID

• Integrating Entrust

• Integrating Google

• Integrating Okta

• Integrating OneLogin

• Integrating Ping Identity

• Integrating RSA

Instead of using Integrating Entra ID federation, you can use Entra ID as a Registered App (native integration). See API-Based Integration with Entra ID. But you cannot use both Entra ID features simultaneously with the same domains.

Supported SSO Approaches

SSO simplifies user access across multiple applications with a unified login. The Delinea Platform supports two approaches:

• SP-initiated SSO

• IdP-initiated SSO

Each approach serves specific organizational needs and identity and access management (IAM) architectures.

Feature	SP-initiated SSO	IdP-initiated SSO
Initiation of authentication flow	Service provider	Identity provider (IdP)
User logs in to	Delinea Platform	IdP portal, such as MyApps for Microsoft
User experience	User is redirected from the Delinea Platform to the IdP for authentication; when granted, the user is returned to the platform	User selects the Delinea Platform from among the apps on the IdP site
Organizational needs	Environments where customers are offered direct access to the Delinea Platform	Environments where multiple applications are offered

SP-Initiated SSO

SP-Initiated SSO starts the initiation of the authentication flow at the Service Provider (SP). In this scenario, a user's interaction with the Delinea Platform (SP) triggers the need for authentication.

The diagram below depicts the sequence of actions in SP-initiated SSO at a high level. The specific steps of these flows may vary depending on the chosen SSO protocol, such as SAML or OpenID Connect.

1. The user starts by accessing the Delinea Platform (SP in this case).

2. The platform redirects the user to the Identity Provider (IdP) for authentication.

3. The user authenticates at the IdP.

4. The IdP creates an authentication response.

5. This response is then transmitted from the IdP to the platform.

6. The Delinea Platform validates the response and grants the user access.

IDP-Initiated SSO

IDP-Initiated SSO follows a different initiation model. Here, the authentication flow starts at the Identity Provider (IdP). Users typically log in at the IdP's portal, such as MyApps for Microsoft, where they are authenticated. After successful authentication, the IdP provides the user with a list of available applications they can access without needing to re-enter their credentials.

The diagram below depicts the sequence of actions in IdP-initiated SSO at a high level. The specific steps of these flows may vary depending on the chosen SSO protocol and technology, such as SAML or OpenID Connect.

1. The user starts by accessing the IdP's portal.

2. The user authenticates at the IdP.

3. The IdP generates an authentication response.

4. The IdP presents a list of applications (Delinea Platform is one of them).

5. The user selects the Delinea Platform application.

6. The IdP sends the response to the selected Service Provider (SP).

7. The platform validates the response and then grants the user access to log in.

Federation Management

Troubleshooting Federated Group Mapping