The SelfHelpWorks admin website now allows clients to autonomously configure portals with SAML 2.0 single sign-on (SSO) authentication. This release also adds a certificate manager to the Tools section of the admin, along with support for single logout on SSO portals.
The admin website—among many other capabilities—allows clients to create and manage portals for their end-users. Part of the portal-creation process includes choosing the authentication type that allows end-users to access the SelfHelpWorks system. While SelfHelpWorks has long offered support for SAML 2.0 as a single sign-on option, configuration and management needed to be done by us. With this release, clients can assign and configure SAML 2.0 for portals by themselves with no assistance from SelfHelpWorks needed.
SAML 2.0 is a single sign-on (SSO) authentication standard, which means that end-users will be able to access the SelfHelpWorks system when they are logged into the client system. SSO provides end-users with a smooth, hassle-free experience while reducing redundant login flows for clients.
SAML 2.0 involves two parties: the Identity Provider (IdP) and the Service Provider (SP). Each party provides certificates (the client provides the signing certificate as an X.509 file), which are used to verify each party's identity and secure the exchange. The admin now includes a certificate manager in the Tools section; all certificates company-wide are listed in this space for organization and maintenance purposes, and new certificates can be created here. Details about the certificates are displayed along with options to delete or modify (for encryption certificates only).
Here is an example of a certificate listing:
For client convenience and security, the admin supports multiple signing and encryption certificates per portal. Allowing multiple certificates gives clients more management options, particularly in relation to the transition process from expired to new (valid) certificates.
As part of the SAML configuration tool, clients can enable single logout (SLO) at the portal level. At this time, SLO is IdP-initiated; when it is enabled and configured, end-users who log out from the client system trigger a logout request to be sent from the IdP system to the SelfHelpWorks system. When the request is validated, the end-user is automatically logged out of the SelfHelpWorks system.
Enabling SLO is a security enhancement: when end-users access multiple sites through single sign-on (SSO), they are not prompted to log in after their initial authentication. For this reason, it is common for users to lose track of all the sites they've accessed and abandon them without logging out, posing a potential security risk. With SLO enabled, end-users are automatically logged out of all SLO-enabled SP websites, which closes those abandoned sessions while giving the end-user a simpler and more complete logout process.
The admin website continues to expand in capability, and clients can now configure portals with SAML 2.0 single sign-on authentication. The certificate management tool (and the per-portal support for multiple certificates) gives client admins the space to maintain organization at the company level. Support for SLO gives clients the option to increase security for SSO portals.