How to support Single Sign On (SSO) using SAML.
Purpose
SAML is a standard used by organizations to exchange authentication data between systems. Its primary role in online security is that it lets a user access multiple web applications with one set of login credentials. It works by passing authentication information in a defined format between two parties, usually an identity provider (IDP) and a web application (the service provider).
[Figure: SAML SP Initiated SSO Flow]
Why is it Beneficial?
Enhances Security with SSO & 2FA
The primary benefit of SSO and 2FA is that it provides additional security layers and decreases the chance of consumer identities becoming compromised.
Improves User Experience
From a user perspective, SAML improves the overall experience, as users are no longer required to identify themselves separately to each service, website or application they have access to.
Provides Easier Termination
Termination can be done by removing a single identity at the IDP instead of multiple accounts across several services or environments.
Configuration
Booxi can enable SAML in three simple steps:
- Our clients send us a link to the SAML Metadata of their Authentication system along with access to a test account.
- SAML configuration is performed by Booxi.
- We elaborate a deployment plan with our clients based on their requirements.
FAQ
- Does Booxi SAML Integration support multi domain?
- Multi-domain support is possible as long as a client’s IDP supports it.
- What are the prerequisites for multi-domain support in Booxi?
- A user (unique user) can only be associated with 1 IDP.
- A merchant (unique business) can only be associated with 1 IDP.
- The list of email domains (CSV format) is limited to 384 characters (e.g. “@gmail.com,@mybusiness.com” = 26 characters).
- How can a user from a different domain be added?
- Such an addition requires modification to a merchant’s database. Only highly privileged users can perform such modifications. Please consult with your Booxi contact.
- Is it possible to support multi-domain after a customer went live with SAML?
- Yes, it is possible.
- Are SAML and non-SAML users allowed for the same merchant?
- Yes, it is possible, but we highly suggest against doing so, as it defeats the purpose of SAML and increases the risk of security breaches.
- How is it possible to restrict SAML access to store owned devices only?
- Booxi can’t take any action to restrict access but a client’s IDP can. Okta, among other solutions, provides ways to achieve that goal.
- How are users created/deleted in a SAML environment?
- Users are managed as they would be in any other environment, with their access being granted or revoked. As long as a merchant has an associated IDP, staff will use that IDP by default. A user needs to be created at the IDP level as well as in Booxi. To delete a user, their access should be removed at both the IDP and Booxi level.
- What is the involvement of Booxi when an employee’s access is removed?
- Booxi isn’t involved in that process.
- A client’s IT team, which manages the IDP, should be involved in the departure of an employee. That should result in the employee’s access being revoked, preventing that user from connecting to Booxi. The corresponding user in Booxi should then be deleted to release its user license.
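The multi-domain prerequisites above (one IDP per user, one IDP per merchant, a CSV domain list capped at 384 characters) are the kind of constraints a service provider has to enforce before it can route a login to the right IDP. The following is an added illustration of such checks, written for this page; it is not Booxi’s code, and the function names, the per-entry validation rules and the sample IDP names are assumptions. Only the 384-character cap comes from the FAQ.

```python
# Added illustration (not Booxi's code): validate a SAML email-domain list under
# the constraints stated in the FAQ and route a login email to its single IDP.
# Everything except the 384-character cap is an assumption made for this example.
from typing import Dict, List, Optional

MAX_DOMAIN_LIST_CHARS = 384  # limit stated in the FAQ for the CSV domain list


def parse_domain_list(csv_text: str) -> List[str]:
    """Parse '@a.com,@b.com' into a list of lower-cased domains.

    Raises ValueError if the raw list exceeds the cap, an entry is malformed
    (must start with '@', contain a dot, and hold no second '@'), or a domain
    is listed twice.
    """
    if len(csv_text) > MAX_DOMAIN_LIST_CHARS:
        raise ValueError(
            f"domain list is {len(csv_text)} characters; limit is {MAX_DOMAIN_LIST_CHARS}"
        )
    domains: List[str] = []
    for raw in csv_text.split(","):
        d = raw.strip().lower()
        if not d.startswith("@") or len(d) < 3 or "." not in d[1:] or "@" in d[1:]:
            raise ValueError(f"malformed domain entry: {raw!r}")
        if d in domains:
            raise ValueError(f"duplicate domain entry: {d}")
        domains.append(d)
    return domains


def build_domain_index(idp_domain_lists: Dict[str, str]) -> Dict[str, str]:
    """Map each email domain to the IDP it belongs to.

    idp_domain_lists maps an IDP name to that IDP's CSV domain list. Because a
    user (identified by email) may be associated with only one IDP, a domain
    claimed by two different IDPs is rejected instead of silently overwritten.
    """
    index: Dict[str, str] = {}
    for idp_name, csv_text in idp_domain_lists.items():
        for domain in parse_domain_list(csv_text):
            if domain in index and index[domain] != idp_name:
                raise ValueError(
                    f"{domain} is claimed by both {index[domain]} and {idp_name}"
                )
            index[domain] = idp_name
    return index


def resolve_idp(email: str, index: Dict[str, str]) -> Optional[str]:
    """Return the IDP name for a login email, or None if its domain is not
    configured (the caller then decides whether a non-SAML login is allowed)."""
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        return None
    return index.get("@" + domain)


if __name__ == "__main__":
    # Constructed sample configuration: one IDP serving two email domains.
    sample_index = build_domain_index({"acme-idp": "@acme.com,@acme.ca"})
    print(resolve_idp("Alice@ACME.com", sample_index))  # acme-idp
    print(resolve_idp("bob@example.org", sample_index))  # None
```

The index is built once per configuration change rather than per login, and the overlap check is what operationalises the "one IDP per user" rule: a domain that appears in two IDP lists would otherwise make the routing depend on configuration order.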
Special Cases & Limitations
- If a user already accessed Booxi prior to SAML using a personal email address (e.g. @gmail.com), Booxi will have to match that user to their IDP identity manually, which will result in a longer deployment.
- When existing users are migrated, they receive an email asking them to log in, after which their previous password is no longer usable.
For further details about SAML and its integration to Booxi, please consult your Booxi representative.