About Single Sign-On

Security Assertion Markup Language (SAML) is an XML standard that allows secure web domains to exchange user authentication and authorisation data. Using SAML, an online service provider (SP) can contact a separate online identity provider (IdP) to authenticate users who are trying to access secure content. These accounts can access web-based applications like Surpass.

TIP: Single Sign-On (SSO) is a suitable solution in cases where you require your users to regularly access multiple applications to complete their work.
In this section

Using Single Sign-On for Surpass

Setting up a SAML-based Single Sign-On (SSO) solution offers many benefits, including the ability to:

  • Control the authorisation and authentication of hosted user accounts.
  • Improve your user’s experience by streamlining the login process, enabling them to access Surpass more efficiently.
  • Reduce the amount of credentials your users need to access the applications they require, mitigating the risk of trying to remember a different set of credentials for each application.

Surpass can integrate with most services with a SAML output, and supports signed response with an encrypted (SHA-1) signed assertion by default. If you need a different level of signing in your assertion, contact your Surpass Customer Success Manager.

SSO workflow

A successful Surpass (as service provider)-initiated login follows these steps:

  1. User navigates to the Surpass Login page.
  2. Surpass generates a SAML request.
  3. Surpass redirects the user to the configured identity provider (IdP).
  4. IdP reads the SAML request.
  5. User authenticates via the IdP.
  6. IdP sends SAML response to Surpass.
  7. Surpass parses response and authenticates user. If the user is new to Surpass, they are created in the system.
  8. User is successfully logged in.

The following workflow diagram details each step of the logging in process for a successful Surpass SSO integration:,

The Surpass Platform (SP)

The Surpass Platform acts as the online service provider (SP), which contacts a separate identity provider (IDP) to authenticate the user. Once the IdP has verified this account, the user is redirected back to Surpass logged in to the application.

If the user has never accessed Surpass before, the system creates a user with basic access and populates the necessary user fields in Surpass with the information stored in the Active Directory (AD) that was sent within the SAML request.

NOTE: Surpass SecureMarker cannot be accessed using SSO.

Identity Provider (IdP)

An identity provider (IdP) is any system that authenticates a user or device’s access to multiple applications using a single set of credentials. Surpass, as the service provider (SP), receives the user’s authentication details from the IdP and grants the user access to login.

Surpass supports authentication from the following IdPs:

  • Active Directory Federation Services (ADFS)
  • Microsoft Entra ID
  • Google Workspace
  • Okta
NOTE: Multi-Factor Authentication (MFA) can be enabled for a Surpass SSO integration, however, this is set up via the IdP rather than the Surpass Platform.

Further reading

Now you know what Single Sign-On is, read the following articles to learn more:

NOTE: This form is to provide feedback to help improve the Surpass Help documentation only. If you need live support, contact support@surpass.com.