You may have heard that SAML is an outdated technology and that you should be using something else. While it may be true that SAML is older technology, it is still used by lots of companies and it's very important for you to learn how it works. So watch this video to learn how SAML authentication works.

Hi, my name is Will and I'm a developer advocate here at Auth0, and in today's video we're going to talk about how SAML authentication works, and then I'm going to show you how easy it is to set up a SAML connection using Auth0. But first, let's talk about what SAML is. Before I get into the tech jargon, let's start by painting a picture of a scenario to show you what SAML is and why it's beneficial. So let's say you just started working at a new company. Let's call that new company Wezova. You have a work email address and also access to a dashboard. The dashboard has icons for all the other services that you can log into, like Expensify, Salesforce, Jira, AWS services and more. So then you click on the Salesforce icon, some magic happens, and then you're logged into Salesforce without having to enter your username or your password. That magic that happens is SAML.

So let's talk about what's going on here. SAML stands for Security Assertion Markup Language. It's an XML-based open standard for transferring identity data between two parties, the two parties being an identity provider and a service provider. The identity provider performs the authentication and passes the user's identity and authorization level to the service provider. The service provider trusts the identity provider and then authorizes the given user access to the requested resource. In the Wezova example, the identity provider would be Auth0 and the service provider in this scenario would be Salesforce. The Wezova employee logs onto the Wezova dashboard with Auth0. They click on the Salesforce icon, and then Salesforce recognizes that that user wants to log in via SAML.
Salesforce then sends that employee to Auth0 with a SAML request that asks Auth0 to authenticate this user. Since the employee is already authenticated with Auth0, Auth0 verifies the session and then sends the user back to Salesforce with the SAML response. Salesforce will check the response and, if everything looks good, the employee will be granted access.

Now that you're familiar with the scenario that SAML will be used in, next let's talk about the benefits of using SAML. SAML offers an improved user experience. Users only have to log in one time and are then able to get access to multiple service providers. This creates a faster authentication experience and less of a need for the user to remember a bunch of different passwords over a bunch of different applications. I don't know about you, but I have way too many passwords to remember. In the case of the Wezova dashboard, you could have clicked any of the other logos on that dashboard and been able to log in without entering your credentials. SAML also offers increased security. SAML gives you a single point of authentication that happens with a secure identity provider. SAML transfers the identity information to the service providers. This ensures that the credentials are only sent to the identity provider directly. It loosens the coupling of directories. SAML does not require that user information is maintained and synced between different directories. It also offers reduced costs for service providers. With SAML, you don't have to maintain account information across multiple different services. The identity provider is the one who bears this burden.

Now that you've seen a high-level overview of how SAML works, let's dig into the nitty gritty to see the technical details of how everything is accomplished. SAML single sign-on authentication typically involves a service provider and an identity provider. The process flow usually involves the trust establishment and authentication flow stages.
Let's consider another example. Let's say that our identity provider is Auth0 and our service provider is a fictional service called Zagadat, and our user is trying to gain access to Zagadat using SAML authentication. This is the process flow. The user tries to log in to Zagadat from a browser. Zagadat responds by generating a SAML request. The browser redirects the user to a single sign-on URL, which in this example will be provided by Auth0. Auth0 will parse the SAML request and authenticate the user. This could be with a username and password or even a social login. If the user is already authenticated with Auth0, then this step will actually be skipped. Once the user is authenticated, Auth0 will generate a SAML response. Auth0 then returns the encoded SAML response to the browser. Then the browser sends the SAML response to Zagadat for verification. If the verification is successful, the user will be logged into Zagadat and will be given access to the resources that they are allowed to view and/or modify.

Let's look at a SAML request and response and highlight some of the information contained in them. ID is a newly generated number for identification. IssueInstant is a timestamp to indicate when it was generated. AssertionConsumerServiceURL is the SAML URL interface of the service provider; this is where the identity provider sends the authentication token. Issuer is the entity ID, or unique identifier, of the service provider. In the response, InResponseTo holds the ID of the SAML request that this response belongs to, and Recipient is the entity ID, or unique identifier, of the service provider.

If you want to learn more about how SAML came to be, what its status is now and what the future of SAML may look like from a panel of experts, I'd highly recommend that you check out the latest episode of the Identity Unlocked Podcast. In that episode, I'll be talking about the past, present and future of SAML.
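To show what the service provider does with those fields when the browser hands it the SAML response, here is an added example in Python that is not code from the video or from Auth0. The response XML, the request ID, the issuer and the URLs are all constructed values; Recipient is checked against the service provider's assertion consumer service URL, which is what the SAML 2.0 specification puts in that attribute.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the identity provider answers the service provider's
# request "_req123" for the user alice. Every identifier here is made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp456"
    IssueInstant="2024-01-01T12:00:00Z" InResponseTo="_req123">
  <saml:Issuer>urn:example-tenant.auth0.com</saml:Issuer>
  <saml:Assertion ID="_a1" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Subject>
      <saml:NameID>alice@wezova.example</saml:NameID>
      <saml:SubjectConfirmation>
        <saml:SubjectConfirmationData InResponseTo="_req123"
            Recipient="https://zagadat.example/saml/acs"
            NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

def _ts(s):
    # SAML timestamps are UTC ISO 8601; older Pythons need "Z" spelled out.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def verify_response(xml_text, request_id, expected_issuer, acs_url, now_iso):
    """Service-provider checks on the fields named in the video; returns
    (True, NameID) or (False, reason). XML signature verification is assumed done."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a samlp:Response"
    if root.get("InResponseTo") != request_id:
        return False, "InResponseTo does not match the request we issued"
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or issuer.text != expected_issuer:
        return False, "Issuer is not our trusted identity provider"
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        return False, "Recipient is not our assertion consumer service URL"
    if scd.get("InResponseTo") != request_id:
        return False, "assertion InResponseTo does not match the request"
    if _ts(now_iso) >= _ts(scd.get("NotOnOrAfter")):
        return False, "assertion has expired"
    return True, root.find(".//saml:NameID", NS).text

IDP, ACS = "urn:example-tenant.auth0.com", "https://zagadat.example/saml/acs"
print(verify_response(SAMPLE_RESPONSE, "_req123", IDP, ACS, "2024-01-01T12:01:00Z"))
```

A real service provider must verify the XML signature against the identity provider's certificate before trusting any of these values; the fingerprint you paste into Zendesk later in the video is what ties that trust to Auth0.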
The link for that will be in the description.

Alright, so once you're logged into your Auth0 account, go to Applications, then SSO Integrations. Wait for that to load. Then we'll click Create SSO Integration. So here you have a list of all the single sign-on integrations you can use. To make it fast, I'm just going to search for Zendesk. It'll ask you for your permissions; make sure that you hit Continue. Then you have the name Zendesk for the integration, and then you want your Zendesk account name. The account name will usually be the first segment of your Zendesk URL, so it'll be accountname.zendesk. If I head over to my Zendesk account that I have set up for this example, the account name is Test2912. So we'll copy that and I'll paste it here. Then you have a screen that'll give you a tutorial on how to configure everything on Zendesk.

Now we'll head over to Zendesk. I will go down to Settings, and that will go to the Admin Center. When the Admin Center is open, I will go to Account, then Security, and then Single Sign-On. As you can see, I already have an Auth0 SAML single sign-on connection configured, but I'm going to create a new one just for the sake of this demo. So we're going to go to Create SSO Configuration, click on SAML, and then you put in the configuration name. For this one, I'm going to put Auth0. Then you put in the SAML single sign-on URL, the certificate fingerprint, and the remote logout URL. All of these values you can get on the Auth0 side, and they'll be right here in the tutorial. So here's your SAML SSO URL: copy and paste that. The certificate fingerprint: copy and paste that. And the remote logout URL: just copy and paste that. Once you put those values in, you can hit Save. I'm not going to save them since I already have one configured, so I'm going to hit Cancel. One thing that's important on the Auth0 side is that the remote logout URL contains a return_to parameter.
This parameter's value must be set as an allowed logout URL in the Advanced tab of your tenant settings. For this example, that value is https://Test2912.zendesk.com. Then you can click Tenant Settings, and it will actually take you to the Advanced settings so you can set that URL. As you see, I already have mine saved right here. So make sure you copy and paste that there.

Okay, now once you have it saved on Zendesk, it's not automatically configured. So the next thing that you need to do, on the Security tab again in the Admin Center, is go to Team Member Authentication or End User Authentication. You can set up single sign-on for team members or for end users. So I'm going to click on Team Member Authentication, click on External Authentication, then I'm going to click on Single Sign-On, then I'm going to click on Auth0, and click Save. Then I'm also going to click on End User Authentication, then click on External Authentication, and set that to Auth0 as well. What this will do now is, when we head to our Zendesk URL, we will actually be redirected to Auth0 to handle the login. If the user is already authenticated with Auth0, then they'll be logged in.

All right, so the first thing I'm going to do is close the Admin Center, then I'm going to click on my profile and actually sign out of Zendesk. As you can see, when I sign out of Zendesk, it actually redirects me to Auth0 and Auth0's Universal Login for me to log in to the account. For this, I'm going to log in with Google and, boom, I am logged in to Zendesk. As you see, we were able to configure Zendesk as a service provider for single sign-on, using Auth0 as the identity provider, so that we can sign in to Zendesk without actually having to sign in to Zendesk itself. As I said before, Auth0 is adaptable when it comes to configuring SAML, and here are some of the other things that you can do.
You can configure Auth0 as a service provider for SAML federation. You can have SAML configurations for SSO integrations like Google Apps, Datadog, Cisco WebEx, and more. You can configure Auth0 to use other identity providers, like OneLogin, Salesforce, or SiteMinder. And you can configure Auth0 to be the identity provider as well as the service provider for SSO, or single sign-on.

So, in conclusion, you learned how SAML works, why it's beneficial, and how you can integrate a SAML SSO connection with Zendesk using Auth0. Thank you so much for watching this video. If you have any questions, please don't hesitate to leave a comment and let us know what else you want to see. Until next time.