SurePassID SAML Integration with Secret Server

Third-party vendors create and maintain this integration. Delinea does not guarantee that the integration will work properly or that it respects Delinea product limitations. Delinea has not reviewed this integration and Delinea Support staff can only assist with the Delinea side of setup.

With the integration, when a user attempts to access Secret Server, they are redirected to the SurePassID IdP for authentication. The user enters their credentials (e.g., username and password) in SurePassID. After successful authentication, SurePassID generates a SAML assertion, which contains information about the user and their authentication status.

Sometimes SAML validates despite an expired IdP certificate. This is because the SAML certificate exchange is really a key exchange: the SAML protocol uses the public/private key pair contained in the certificate to secure the communication. Unlike a website's certificate, it is not the URL or metadata within the certificate that helps secure the connection, only the key. If the certificate provided by the IdP has been renewed but still works without any change in Secret Server, the key is identical and only the metadata, such as the expiration date, has changed. That is why validation does not fail: the key is what is used for validation, and it has not changed. Had the key changed, Secret Server would not be able to validate or decrypt the SAML messages, and authentication would therefore fail. Delinea does not view this as a security problem and offers this note for clarification.
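The note above says validation turns on the key inside the IdP certificate, not on its expiration date. The following added Go example (not Delinea's or SurePassID's code; the keys, certificates and assertion bytes are constructed here) builds an expired certificate and a renewed one for the same key, shows that a signature over sample assertion bytes verifies with either but not with a rotated key, and compares SubjectPublicKeyInfo fingerprints, which is the check an administrator can run on the old and new IdP certificates to tell whether Secret Server needs updating. It assumes a plain ECDSA signature over raw bytes as a stand-in for the XML Signature a real SAML assertion carries.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// spkiFingerprint hashes the SubjectPublicKeyInfo; an unchanged value across a renewal means the key did not change.
func spkiFingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// verifyWithCert checks sig over msg using only the public key inside c; like SAML validation it never reads NotAfter.
func verifyWithCert(c *x509.Certificate, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	pub, ok := c.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}

// selfSigned issues a self-signed certificate for key with the given validity window (constructed test data).
func selfSigned(key *ecdsa.PrivateKey, from, to time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: from, NotAfter: to}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced above always parses
	return c
}

// demo models what a verifier holding the IdP certificate sees: an expired cert, its
// same-key renewal, and a renewal where the IdP rotated to a new key.
func demo() (sameKey, expiredOK, renewedOK, rotatedOK, isExpired bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	expired := selfSigned(key, now.AddDate(-2, 0, 0), now.AddDate(-1, 0, 0))
	renewed := selfSigned(key, now.AddDate(0, 0, -1), now.AddDate(1, 0, 0))
	rotated := selfSigned(other, now.AddDate(0, 0, -1), now.AddDate(1, 0, 0))
	msg := []byte("<saml:Assertion>constructed sample</saml:Assertion>")
	h := sha256.Sum256(msg)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, h[:]) // IdP signs with its unchanged key
	return spkiFingerprint(expired) == spkiFingerprint(renewed), verifyWithCert(expired, msg, sig),
		verifyWithCert(renewed, msg, sig), verifyWithCert(rotated, msg, sig), now.After(expired.NotAfter)
}
func main() { fmt.Println(demo()) }
```

Running it prints `true true true false true`: the expired and renewed certificates share a key, both verify the signature, the rotated-key certificate does not, and the first certificate is indeed past its NotAfter.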

Based on the user's attributes in the SAML assertion (e.g., group membership), Secret Server can determine the user's access rights and privileges, granting appropriate access to privileged credentials and resources. During the session, Secret Server can securely retrieve the required privileged credentials on behalf of the user and provide access to the resources they are authorized to access.

To learn more about this 3rd-party integration, click here.