About Single Sign-On

Security Assertion Markup Language (SAML) is an XML standard that allows secure web domains to exchange user authentication and authorisation data. Using SAML, an online service provider (SP) can contact a separate online identity provider (IdP) to authenticate users who are trying to access secure content. Accounts authenticated this way can then access web-based applications such as Surpass.

TIP: Single Sign-On (SSO) is a suitable solution in cases where you require your users to regularly access multiple applications to complete their work.

Using Single Sign-On for Surpass

Setting up a SAML-based Single Sign-On (SSO) solution offers many benefits, including the ability to:

  • Control the authorisation and authentication of hosted user accounts.
  • Improve your users’ experience by streamlining the login process so they can access Surpass more efficiently.
  • Reduce the number of credentials your users need to access the applications they require, removing the burden of remembering a different set of credentials for each application.

Surpass can integrate with most services that produce SAML output, and by default supports a signed response with an encrypted, SHA-1-signed assertion. If you need a different level of signing in your assertion, contact your Surpass Account Manager.

SSO workflow

A successful SP-initiated login (with Surpass acting as the service provider) follows these steps:

  1. User navigates to the Surpass Login page.
  2. Surpass generates a SAML request.
  3. Surpass redirects the user to the configured identity provider (IdP).
  4. IdP reads the SAML request.
  5. User authenticates via the IdP.
  6. IdP sends a SAML response to Surpass.
  7. Surpass parses the response and authenticates the user. If the user is new to Surpass, they are created in the system.
  8. User is successfully logged in.

The following workflow diagram details each step of the login process for a successful Surpass SSO integration:

The Surpass Platform (SP)

The Surpass Platform acts as the online service provider (SP), which contacts a separate identity provider (IdP) to authenticate the user. Once the IdP has verified the account, the user is redirected back to Surpass, logged in to the application.

If the user has never accessed Surpass before, the system creates a user with basic access and populates the necessary user fields in Surpass with the Active Directory (AD) information that the IdP includes in its SAML response (step 6 above).
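The SP-initiated workflow above and the first-login provisioning just described, carried through in code as an added example; this is not Surpass code and not part of this article. It assumes placeholder SP and IdP entity IDs and URLs (`sp.example.test`, `idp.example.test`), assumed attribute names (`givenName`, `sn`, `mail`) and a constructed IdP response whose `ds:Signature` element is only a placeholder. It uses the Python standard library only, so XML-DSig verification and decryption of an encrypted assertion are flagged in comments at the point where a real SP performs them rather than implemented. It covers the AuthnRequest and its HTTP-Redirect encoding (steps 2 and 3), the checks an SP applies to the response before trusting it (step 7: Destination, InResponseTo, status, validity window and audience), and the create-on-first-login behaviour (steps 7 and 8).

```python
"""Added example (not Surpass code): the SP side of the SAML login flow plus first-login
provisioning. IDs, URLs, attribute names and the sample IdP response are constructed placeholders."""
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_ENTITY_ID = "https://sp.example.test/metadata"  # assumed SP entity ID
ACS_URL = "https://sp.example.test/saml/acs"       # assumed Assertion Consumer Service URL
IDP_SSO_URL = "https://idp.example.test/sso"       # assumed IdP single sign-on endpoint
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
FMT = "%Y-%m-%dT%H:%M:%SZ"  # SAML timestamps are UTC
def iso(dt): return dt.strftime(FMT)
def parse_iso(text): return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)

def build_authn_request(request_id, issue_instant):
    """Step 2: the SP generates the AuthnRequest; the random ID is remembered for the step 7 check."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{iso(issue_instant)}" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def redirect_url(authn_request_xml):
    """Step 3: HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encode)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

def validate_response(response_xml, expected_in_response_to, now):
    """Step 7: checks the SP must pass before trusting anything in the assertion."""
    problems = []
    def check(ok, msg):
        if not ok:
            problems.append(msg)
    root = ET.fromstring(response_xml)
    check(root.get("Destination") == ACS_URL, "Destination is not our ACS URL")
    # Ties the response to a request this SP actually issued, so unsolicited or replayed responses fail.
    check(root.get("InResponseTo") == expected_in_response_to, "InResponseTo matches no outstanding request")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    check(status is not None and status.get("Value") == SUCCESS, "status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # an EncryptedAssertion (the default described above) must be decrypted first
        return {"ok": False, "problems": problems + ["no plaintext saml:Assertion"], "name_id": None, "attributes": {}}
    # Presence only: a production SP verifies the XML-DSig against the IdP's certificate at this point.
    check(assertion.find("ds:Signature", NS) is not None, "assertion is not signed")
    cond = assertion.find("saml:Conditions", NS)
    check(cond is not None and parse_iso(cond.get("NotBefore")) <= now < parse_iso(cond.get("NotOnOrAfter")),
          "assertion outside its validity window")
    audience = None if cond is None else cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    check(audience == SP_ENTITY_ID, "assertion is not addressed to this SP")
    attributes = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                  for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"ok": not problems, "problems": problems,
            "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attributes}

def provision_user(validated, users):
    """Steps 7-8: look the user up by NameID; on first login create a basic-access user from the attributes."""
    if not validated["ok"]:
        raise ValueError("refusing login: " + "; ".join(validated["problems"]))
    user = users.get(validated["name_id"])
    if user is not None:
        return user, False
    a = validated["attributes"]  # attribute names are assumed; map them to whatever the IdP actually sends
    user = {"username": validated["name_id"], "first_name": a.get("givenName", [""])[0],
            "last_name": a.get("sn", [""])[0], "email": a.get("mail", [""])[0], "access": "basic"}
    users[validated["name_id"]] = user
    return user, True

def sample_response(in_response_to, now, audience=SP_ENTITY_ID):
    """Constructed IdP response for the demo; its ds:Signature element is a placeholder, not a real signature."""
    attrs = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
                    for n, v in (("givenName", "Alice"), ("sn", "Example"), ("mail", "alice@example.test")))
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" '
            f'ID="_r1" Version="2.0" IssueInstant="{iso(now)}" Destination="{ACS_URL}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>https://idp.example.test/metadata</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{iso(now)}">'
            f'<saml:Issuer>https://idp.example.test/metadata</saml:Issuer>'
            f'<ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>'
            f'<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{iso(now - timedelta(minutes=1))}" NotOnOrAfter="{iso(now + timedelta(minutes=5))}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions><saml:AttributeStatement>{attrs}</saml:AttributeStatement>'
            f'</saml:Assertion></samlp:Response>')

def demo():
    """Two logins for one user (created, then found), plus two responses the SP must reject."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    req_id, users = "_" + secrets.token_hex(16), {}
    url = redirect_url(build_authn_request(req_id, now))  # step 3: where the browser is sent
    first = provision_user(validate_response(sample_response(req_id, now), req_id, now), users)
    second = provision_user(validate_response(sample_response(req_id, now), req_id, now), users)
    replayed = validate_response(sample_response("_not_our_request", now), req_id, now)
    foreign = validate_response(sample_response(req_id, now, "https://other-sp.example.test"), req_id, now)
    return {"redirect_ok": url.startswith(IDP_SSO_URL + "?SAMLRequest="), "created": (first[1], second[1]),
            "first_name": first[0]["first_name"], "replayed": replayed["problems"], "foreign": foreign["problems"]}
```

`demo()` returns the outcome of two logins for the same NameID (the user is created on the first and found on the second) together with the problems recorded for a response that answers a request this SP never issued and for one addressed to a different SP; both of those are rejected by `validate_response` before `provision_user` would create anything.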

NOTE: Surpass SecureMarker cannot be accessed using SSO.

Identity Provider (IdP)

An identity provider (IdP) is any system that authenticates a user or device for multiple applications using a single set of credentials. Surpass, as the service provider (SP), receives the user’s authentication details from the IdP and grants the user access.

Surpass supports authentication from the following IdPs:

  • Active Directory Federation Services (ADFS)
  • Azure Active Directory (Azure AD)
  • Google Workspace
  • Okta

NOTE: Multi-Factor Authentication (MFA) can be enabled for a Surpass SSO integration; however, it is set up in the IdP rather than in the Surpass Platform.

Further reading

Now you know what Single Sign-On is, read the following articles to learn more:
