SurePassID SAML Integration with Secret Server

Third-party vendors create and maintain this integration. Delinea does not guarantee that the integration will work properly or that it respects Delinea product limitations. Delinea has not reviewed this integration and Delinea Support staff can only assist with the Delinea side of setup.

With the integration, when a user attempts to access Secret Server, they are redirected to the SurePassID IdP for authentication. The user enters their credentials (for example, username and password) in SurePassID. After successful authentication, SurePassID generates a SAML assertion, which contains information about the user and their authentication status.

Sometimes SAML validates despite having an expired IdP certificate. This is because the SAML certificate exchange is actually a key exchange—the SAML protocol uses the public/private keys contained within the certificate to secure the communication. Unlike a website's certificate, it is not the URL or metadata within the certificate that is used to help secure the connection, only the key exchange. If the certificate provided by the IdP has been renewed but still works without a change in Secret Server, it means the key is identical, and only the metadata, such as the expiration date, has changed. This is why it does not fail validation—the key is for validation and it has not changed. Had the key changed, Secret Server would not be able to decrypt the SAML messages, and would therefore fail. Delinea does not view this as a security problem and offers this note for clarification.
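The key-versus-certificate point above, as an added Go example that is not part of this page and not Secret Server or SurePassID code: it signs a constructed assertion with an IdP key and checks it against the expired certificate, a renewed certificate carrying the same key, and a certificate issued for a rotated key. It uses only Go's standard library (RSA-SHA256 over raw bytes, with no XML canonicalization), and the IdP name, validity dates and assertion body are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

type Result struct{ SignatureValid, CertExpired bool } // one signed assertion checked against one IdP certificate

// SelfSign issues a self-signed certificate for key, valid from notBefore to notAfter.
// The subject is a constructed placeholder; only the key and the dates matter for this demo.
func SelfSign(key *rsa.PrivateKey, notBefore, notAfter time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter,
		Subject: pkix.Name{CommonName: "idp.example.invalid"}, KeyUsage: x509.KeyUsageDigitalSignature}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, err := x509.ParseCertificate(der) // a nil der from a failed CreateCertificate fails here too
	if err != nil {
		panic(err)
	}
	return cert
}

// VerifyWithCert plays the SP: the check uses only the public key carried in cert (RSA-SHA256, the
// primitive behind XML-DSig rsa-sha256). Expiry is reported separately; verification never consults it.
func VerifyWithCert(cert *x509.Certificate, assertion, sig []byte, now time.Time) Result {
	digest := sha256.Sum256(assertion)
	err := rsa.VerifyPKCS1v15(cert.PublicKey.(*rsa.PublicKey), crypto.SHA256, digest[:], sig)
	return Result{SignatureValid: err == nil, CertExpired: now.After(cert.NotAfter)}
}

// RenewalDemo checks one IdP-signed assertion against an expired cert, a same-key renewal and a rotated-key cert.
func RenewalDemo(now time.Time) map[string]Result {
	day := 24 * time.Hour
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	rotatedKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	assertion := []byte(`<saml:Assertion ID="_constructed">user@example.invalid</saml:Assertion>`)
	digest := sha256.Sum256(assertion)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, digest[:])
	return map[string]Result{
		"expired": VerifyWithCert(SelfSign(idpKey, now.Add(-730*day), now.Add(-day)), assertion, sig, now),
		"renewed": VerifyWithCert(SelfSign(idpKey, now.Add(-day), now.Add(365*day)), assertion, sig, now),
		"rotated": VerifyWithCert(SelfSign(rotatedKey, now.Add(-day), now.Add(365*day)), assertion, sig, now),
	}
}
```

The expired and renewed certificates both verify because they carry the same public key; only the rotated-key certificate fails, which is the case in which the SP configuration must be updated.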

Based on the user's attributes in the SAML assertion (for example, group membership), Secret Server can determine the user's access rights and privileges, granting appropriate access to privileged credentials and resources. During the session, Secret Server can securely retrieve the required privileged credentials on behalf of the user and provide access to the resources they are authorized to access.

This integration works only with Secret Server Cloud and is not compatible with the Delinea Platform (Secret Server on the Delinea Platform).

This third-party integration does not natively support the Delinea Platform (Secret Server on the Delinea Platform). Once upgraded to the Delinea Platform, the integration will continue to function properly as long as the application account used for the integration remains in Secret Server. Once fully upgraded to the Platform service account model, the existing integration will no longer work with Secret Server on the Delinea Platform as all identity data will be moved to the Delinea Platform and will no longer be maintained in Secret Server.

To learn more about this third-party integration, see the SurePassID website.