SSO setup is a key step when starting the IGA journey. This document gives an overview of best practices for configuring SSO so that end users get a seamless experience.
2023.3 & Later
Detailed best practices
Customers often integrate a single IDP or multiple IDPs, depending on their use cases.
Before enabling SSO, ensure all URLs (SP and IDP) are available and reachable from the Saviynt servers, so that you are not locked out of the environment if the SSO configuration is incorrect.
When using a signed certificate to sign the SAML communication, ensure all certificates in the certificate chain are imported into the keystore.
Ensure a unique user attribute is used for the SAML subject and that the correct NameIDFormat is specified. This helps avoid unwanted authentication errors.
Always keep the EntityId unique across environments (for example development, test and production). This helps avoid incorrect configuration mapping, and it lets each environment reject an assertion that was issued for a different one.
Always exchange SAML metadata files over a secure communication channel, as they contain certificates and other sensitive information.
Single IDP Setup
Saviynt provides a default certificate with an expiration of up to 5 years. The Saviynt default certificate can be used to sign SAML requests; note its expiry date so it can be rotated before it lapses.
Ensure the attribute configured in the user lookup property is unique in Saviynt, to avoid login issues.
Ensure the configured Max authentication session is always equal to or greater than the IDP session timeout.
Ensure enough buffer is defined in the Response Skew setting: compare the clock difference between the Saviynt and IDP servers and set the skew accordingly.
Ensure the user has at least an end-user SAV role assigned, so that end users do not run into access issues in Saviynt even when authentication/SSO is successful.
The option to validate the SAML assertion signature should be enabled (the default is No). If it is not enabled, Saviynt will not validate the IDP's digital signature, which means message integrity cannot be verified and a tampered assertion would be accepted.
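The points above on the SAML subject and NameIDFormat, the EntityId, the Response Skew and signature validation all correspond to checks a service provider performs on an incoming assertion. The following Python is an added illustration of those checks and is not Saviynt's own validation code. The assertion, the audience URL and the user name in it are constructed for the example; the skew logic shows why a too-small Response Skew rejects otherwise valid assertions when the SP and IDP clocks differ. Verifying the XML-DSig value itself is deliberately out of scope: a real SP delegates that to an XML security library, and this code only refuses an assertion that carries no signature at all.

```python
"""Checks an SP performs on a SAML assertion before trusting it (illustration, not Saviynt code)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed, unsigned sample assertion; issuer, audience and user are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" IssueInstant="2024-01-15T10:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T10:00:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://saviynt-prod.example.com/ECM</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_instant(value):
    """Parse an xsd:dateTime as used in SAML (UTC 'Z', optional fractional seconds)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML timestamp: {value!r}")


def check_assertion(xml_text, expected_audience, allowed_formats, now,
                    skew_seconds=0, require_signature=True):
    """Return (subject, errors). An empty error list means the assertion passed every check."""
    errors = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        return None, ["root element is not saml:Assertion"]

    # Subject: the attribute used for user lookup must be present and in the expected format.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    subject = (name_id.text or "").strip() if name_id is not None else ""
    if not subject:
        errors.append("missing Subject/NameID")
    else:
        fmt = name_id.get("Format", UNSPECIFIED_FORMAT)
        if fmt not in allowed_formats:
            errors.append(f"unexpected NameIDFormat {fmt}")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        # Tolerate up to skew_seconds of clock difference between SP and IDP (the Response Skew).
        skew = timedelta(seconds=skew_seconds)
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now + skew < parse_saml_instant(not_before):
            errors.append("assertion not yet valid (SP clock behind IDP?)")
        if not_on_or_after and now - skew >= parse_saml_instant(not_on_or_after):
            errors.append("assertion expired (SP clock ahead of IDP?)")
        # The audience must list this SP's EntityId; otherwise the assertion was issued for another SP.
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if expected_audience not in audiences:
            errors.append(f"audience {audiences} does not include {expected_audience}")

    # Presence check only: verifying the signature value is the job of an XML-DSig library.
    if require_signature and root.find("ds:Signature", NS) is None:
        errors.append("assertion is not signed")

    return subject or None, errors
```

With the same assertion, a check 30 seconds before NotBefore fails at skew 0 and passes at a 60-second skew; a check exactly at NotOnOrAfter behaves the same way. Setting require_signature to False reproduces what disabling signature validation means: the unsigned assertion is accepted on the strength of its content alone.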
Multiple IDP Setup
Below are a few additional points to keep in mind for multiple IDP setups; all points stated for the single IDP setup still apply.
After enabling multiple IDPs, an additional screen appears where the user has to select an IDP. If you want to provide guidance to the user, the label on that screen can be updated.
For the multiple IDP lookup field option, the user attribute (custom property) holding the IDP name must be populated. Populating this attribute can be automated using Saviynt's inline processing.
Be mindful that if both a username and an IDP from the dropdown are provided, the dropdown selection always takes precedence.
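The lookup-attribute and precedence rules above amount to a small routing decision. The following Python is an added illustration of that decision and is not Saviynt's implementation: the user records, the custom property name "idp_name", the IDP names and the e-mail-domain rule that stands in for the inline-processing step are all assumptions made for the example.

```python
"""IDP routing for a multi-IDP login page (illustration, not Saviynt code)."""

# Constructed user records; "idp_name" stands in for the custom property holding the IDP name.
USERS = {
    "alice@corp.example.com": {"idp_name": "CorpOkta"},
    "bob@partner.example.net": {"idp_name": "PartnerADFS"},
    "carol@corp.example.com": {"idp_name": None},  # attribute never populated
}

# IDPs configured in the environment (assumed names).
CONFIGURED_IDPS = {"CorpOkta", "PartnerADFS"}

# Hypothetical domain -> IDP rule, standing in for the inline-processing logic that fills the attribute.
DOMAIN_TO_IDP = {"corp.example.com": "CorpOkta", "partner.example.net": "PartnerADFS"}


def derive_idp_name(username):
    """Derive the IDP name from the user's e-mail domain; None when no rule matches."""
    domain = username.rpartition("@")[2].lower()
    return DOMAIN_TO_IDP.get(domain)


def populate_idp_attribute(users):
    """Fill in missing idp_name values the way an automated job would; returns how many were set."""
    filled = 0
    for username, attrs in users.items():
        if not attrs.get("idp_name"):
            derived = derive_idp_name(username)
            if derived:
                attrs["idp_name"] = derived
                filled += 1
    return filled


def resolve_idp(username, dropdown_choice, users):
    """Pick the IDP for a login attempt. An explicit dropdown selection wins over the user attribute."""
    if dropdown_choice:
        if dropdown_choice not in CONFIGURED_IDPS:
            raise ValueError(f"unknown IDP selected: {dropdown_choice}")
        return dropdown_choice
    if not username:
        raise ValueError("either a username or an IDP selection is required")
    attrs = users.get(username.lower())
    if attrs is None or not attrs.get("idp_name"):
        # Unpopulated lookup attribute: the user cannot be routed, which is the login failure the page warns about.
        raise LookupError(f"no IDP mapped for user {username}")
    return attrs["idp_name"]
```

Carol cannot log in by username until the attribute job has run, and Alice selecting PartnerADFS from the dropdown is routed there even though her attribute says CorpOkta; both follow directly from the two rules above.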