Connect client applications using SAML

Connecting your client application to 10Duke Enterprise with Security Assertion Markup Language (SAML) allows your client to use 10Duke Enterprise for user authentication.

When your client application is connected to 10Duke Enterprise with SAML, you’re ready for single sign-on (SSO), federation, social login, and multifactor authentication (MFA) in a similar manner as with OpenID Connect (OIDC).

However, SAML is not used for API authorization. If your client application needs to call 10Duke APIs, you need to connect your client application using OIDC.

In SAML terms, your client application is referred to as the Service Provider (SP), and 10Duke Enterprise is the Identity Provider (IdP). Your SP authenticates with the IdP using the SAML 2.0 Web Browser SSO Profile (SP-initiated).

Here are some key SAML terms and how they map to 10Duke Enterprise terms:

| SAML term | 10Duke Enterprise term |
| --- | --- |
| Identity Provider | 10Duke Enterprise |
| Service Provider | Your client application |
| Single sign-on (SSO) service | 10Duke Enterprise endpoint for authentication requests |
| Assertion consumer service (ACS) | Your client application’s endpoint for receiving the authentication response from 10Duke Enterprise |
| HTTP redirect binding | Sending SAML messages (authentication requests and responses) in HTTP GET request query parameters |
| HTTP POST binding | Sending SAML messages (authentication requests and responses) in HTTP POST request form parameters |

API endpoints

| Item | URL (relative, prepend the environment base URL) |
| --- | --- |
| Authentication endpoint (SSO service) | /user/saml20/signon |
| Single logout | /user/saml20/signout |

SAML Identity Provider metadata document

10Duke Enterprise provides a SAML Identity Provider metadata document, which contains information that you need when implementing the connection to 10Duke Enterprise in your client application, including the public key required for verifying the signatures of messages and assertions issued by 10Duke Enterprise.

The document is available at https://<your 10Duke Enterprise instance>/user/saml20/idp-metadata.

Authentication process with SAML

When authenticating with SAML, your client application (SP) never communicates directly with 10Duke Enterprise (IdP). All messages are passed through the web browser used by the end user.

Your client application starts the authentication by using the browser to navigate to the 10Duke Enterprise SAML authentication endpoint, sending a SAML authentication request in the URL query parameters. In SAML terms, here your SP sends an authentication request (AuthnRequest) to the IdP using SAML HTTP redirect binding.

When authentication has been completed, 10Duke Enterprise sends a response back to your client, submitting a POST request with a SAML response in the form parameters. In SAML terms, here the IdP sends an authentication response (Response) to the SP using SAML HTTP POST binding.
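The request step described above, as an added example that is not 10Duke's own code: it builds an unsigned AuthnRequest, applies the HTTP redirect binding encoding (raw DEFLATE, base64, URL-encoding) and decodes it again for inspection. The base URL, SP entity ID and ACS URL are parameters supplied by the caller, and the set of AuthnRequest attributes your deployment expects is an assumption to check against your IdP configuration.

```python
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

SSO_PATH = "/user/saml20/signon"  # authentication endpoint listed under "API endpoints"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_redirect_url(base_url, sp_entity_id, acs_url, relay_state=None):
    """Return (url, request_id) for an SP-initiated AuthnRequest."""
    request_id = "_" + secrets.token_hex(16)  # XML IDs must not start with a digit
    destination = base_url.rstrip("/") + SSO_PATH
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination={quoteattr(destination)} ProtocolBinding="{POST_BINDING}" '
        f'AssertionConsumerServiceURL={quoteattr(acs_url)}>'
        f'<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer></samlp:AuthnRequest>'
    )
    # Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encode.
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = deflater.compress(xml.encode("utf-8")) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return destination + "?" + urlencode(params), request_id


def decode_redirect_url(url):
    """Reverse the encoding to inspect the AuthnRequest the SP generated."""
    query = parse_qs(urlsplit(url).query)
    xml = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15)
    return ET.fromstring(xml)
```

Keep the returned request ID in the user's session so that your ACS can compare it with the InResponseTo value of the response it receives.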