SAML based Single Sign On (SSO) in CRM portals - Overview

SAML based Single Sign On (SSO) in CRM portals - Overview

This document will provide a basic overview of SAML based Single Sign On (SSO).
For instructions on enabling it for your CRM's portal users, see: Configuring SAML-based SSO in CRM Portal
Supported editions
Glossary
Supported editions
  1. Enterprise
  2. Ultimate
  3. Bundles (CRMPlus and Zoho One)
  4. Trial: No
  5. Developer: No
  6. Sandbox: No
  7. Mobile: No

Glossary
  1. Authentication
    Authentication is the process of confirming a user's identity before providing access to a system. This is used to secure the system against impostors.
  2. SAML
    Security Assertion Markup Language (SAML) is a standard for communication that helps in authentication. It eases the exchange of authentication-related information between systems.
  3. SSO
    Single Sign On (SSO) is a method of authentication where a user needs to log in just once to access multiple apps and services. This improves user experience and security.
  4. IdP
    Identity provider (IdP) is a system that stores users' identities and authenticates them when they want to access an app or service. It helps improve the security of multiple systems by centralizing authentication and enabling SSO.
  5. SP
    Service provider (SP) is an app or service that a user wants to access.
  6. Issuer
    Issuer is the unique identifier of an IdP or SP. It helps ensure that the SAML requests and responses are being sent to the right place.
  7. ACS URL
    Assertion Consumer Service (ACS) URL is where the IdP sends SAML responses. SAML responses are messages from the IdP to the SP that confirm a user's identity.
  8. Default Relay State
    This is the URL where the user lands after login authentication in IdP.
  9. Single Logout (SLO) URL
    This is the URL where the IdP sends the logout request.
  10. Login URL
    This is the login URL for the IdP. If a user isn't logged in to the IdP, they will be redirected to this page when they try to access an app or service.
  11. Logout URL
    This is the logout URL for the IdP. When a user logs out of an app or service managed by the IdP, the log out request is sent here.
  12. Public Key/ Certificate
    Public keys are used by SP and IdP to verify the signature and encrypt (or decrypt) SAML messages.
  13. Algorithm
    This is the algorithm used to encrypt and decrypt messages sent between the IdP and the SP.

Admins can enable SAML-based SSO for portal users to ease the process of logging into the CRM portal

Let's say that a marketing agency uses the CRM's portal to engage with its clients and partners. The agency also provides them access to a project management tool and a design tool. To streamline access across these related apps, the agency implements SAML SSO for its portal users. Once enabled, the following happens:
  1. A client logs into the CRM portal to add some information related to a deal.
  2. Since SSO is enabled, when the client accesses the project management tool, they don't need to enter their credentials again. They are automatically logged in.
  3. The same applies for when they want to access the design tool to check a prototype. Logging into the CRM portal ensures that they can access these other apps without entering their credentials again.
  4. The same applies if the client had logged into the project management tool first. When they access the CRM portal, they are automatically logged in.

What is SAML-based SSO?

SAML-based Single Sign On (SSO) is a quicker way of authenticating users who work with multiple apps or services. It is commonly used by businesses where a central IT team manages employees' access to multiple tools. 

Without SSO, employees must log in to each app or service. They must remember multiple credentials or use the same one for multiple apps. This affects user experience and security, as a compromised app could expose other apps' credentials. In addition, it is difficult for the Central IT team to manage user access to multiple apps and enforce security policies.

With SSO enabled, the employee needs to log in just once to the IdP. Once logged in, they have access to all the apps or services linked to the IdP. The Central IT team can manage access using the IdP. Since IdPs are specialized for authentication, they tend to be more secure as well.

The user can access multiple apps and services because the IdP communicates the authentication to the SPs (apps and services the user wants to access). If the communication between the IdP and the SP is in the form of SAML messages, the SSO is called SAML-based SSO. The most common flow looks like this:
  1. User tries to access an app (SP).
  2. The SP asks the IdP to authenticate the user.

  3. The IdP authenticates the user. If the user is not logged in to the IdP, then the user is asked to do so.

  4. The IdP send a SAML assertion to the SP.

  5. The SP provides access to the user.
Some benefits of using the SAML-based SSO method of authentication are:
  1. Ease of remembering and managing login credentials
  2. Simplified login process for portal users
  3. Enhanced security due to centralized access control
  4. Reducing the risk of password-related vulnerabilities
  5. Ease of managing user access and permissions from a centralized identity management system
Next steps
For instructions on how to enable SAML-based SSO for your CRM portal, please see Configuring SAML-based SSO in CRM Portal.

See also
For learning more about setting up CRM portals, see: Setting up Portals and Inviting Users.