
Regarding the Use of SAML Authentication

This feature is a paid option. For inquiries about option contracts and cost estimates, please contact us via the inquiry form in the management console.


What is SAML Authentication?

SAML (Security Assertion Markup Language) authentication is an XML-based standard protocol for securely exchanging user authentication information across different domains. This enables users to perform Single Sign-On (SSO) to Service Providers (SP) by authenticating only once with a single service, called the Identity Provider (IdP), when logging into multiple services.

For example, this is the mechanism that allows a user to automatically log into Customers Mail Cloud after successfully logging into HENNGE Access Control.

Customers Mail Cloud and CMC Domain Protection provide Single Sign-On using the IdP-Initiated access method.
※Currently, the SP-Initiated access method is not supported.

Available Identity Providers (IdP)

The following Identity Providers (IdP) have currently been verified for integration (IdP-Initiated SSO):
  • HENNGE ONE (HENNGE Access Control)
  • Microsoft Entra ID (formerly Azure AD)
  • Google Workspace (Google Cloud Identity)

If you wish to use other IdPs, we ask that customers handle the implementation and verification themselves.
*Please refer to the Settings section for detailed specifications.

SAML Authentication: Components and Flow

SAML authentication consists of the following three main components:

  • IdP (Identity Provider): This is the service that manages the user's authentication information. Once a user logs in with the IdP, it provides authentication information (an Assertion) to the SP.
    Examples: HENNGE ONE, Microsoft Entra ID, Google Workspace (Google Cloud Identity), OneLogin
  • SP (Service Provider): This is the service (application) that the user wants to access. It validates the Assertion sent from the IdP and grants the user access to the service.
    Examples: Customers Mail Cloud, CMC Domain Protection, Slack, Zoom
  • User Agent: This is the web browser (e.g., Google Chrome, Microsoft Edge) used by the user.

Authentication Flow

This section explains the flow of IdP-Initiated SSO supported by Customers Mail Cloud and CMC Domain Protection. We will use HENNGE Access Control as the IdP and Customers Mail Cloud as the SP for this explanation.

  1. User Logs in to the IdP
    The user accesses the IdP's portal site and logs in by entering their credentials, such as ID and password.

  2. IdP Generates a SAML Assertion
    Upon successful authentication, the IdP generates a SAML Assertion containing the user's information. This Assertion includes the necessary data for the SP to identify the user (e.g., username, email address).

  3. User Selects the SP
    The user, now logged into the IdP, views a dashboard or screen that displays a list of integrated SPs.
    The user clicks on the icon or link for the desired SP.
    Please refer to the Single Sign-On configuration Manual for the procedure to add Customers Mail Cloud as an SP on the IdP side.

  4. IdP Sends a SAML Response
    When the user selects the SP, the IdP sends a SAML Response (containing the generated SAML Assertion) to the user's browser.

  5. Browser Redirects to the SP
    The user's browser automatically sends this SAML Response to the SP's ACS (Assertion Consumer Service) URL using the HTTP POST method.

  6. SP Validates the SAML Response
    The SP receives the SAML Response and Assertion and validates them. This involves checking the Assertion's digital signature against the IdP's registered public certificate to ensure it was issued by a trusted IdP, and checking that the Assertion is addressed to this SP and is still within its validity period.

  7. SP Authenticates the User
    Upon successful validation, the SP logs the user into the service using the user information contained within the Assertion.

SP Configuration Items

To enable SAML authentication on the SP side, you mainly need to share and configure the following information with the IdP:

  • Entity ID: A URI that uniquely identifies the SP.
  • Assertion Consumer Service URL (ACS URL): The SP's endpoint URL for receiving the Assertion sent from the IdP.
  • Public Certificate: Used to verify the signature of the Assertion. The Public Certificate received from the IdP must be registered with the SP.
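The following is an added example, not code from Customers Mail Cloud, CMC Domain Protection or any IdP, showing what steps 6 and 7 of the flow above look like on the SP side using the three configuration items listed here. It uses only the Python standard library; all entity IDs, URLs, timestamps and the "certificate" are constructed placeholders. Verifying the XML-DSig `<ds:SignatureValue>` itself requires a dedicated XML-signature library and is assumed to happen separately; the example pins the signing certificate in `KeyInfo` to the one registered for the IdP and performs the remaining checks (status, issuer, validity window, audience = SP Entity ID, recipient = ACS URL) before extracting the user identity.

```python
"""Added example (not Customers Mail Cloud code): SP-side checks on an IdP-Initiated
SAML Response using only the Python standard library. IDs, URLs, times and the
"certificate" are constructed; XML-DSig signature verification is assumed to be done
by a dedicated library, so only certificate pinning is shown here."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SKEW = timedelta(minutes=3)                                   # tolerated IdP/SP clock skew
SAMPLE_NOW = datetime(2024, 1, 1, 9, 1, tzinfo=timezone.utc)  # fixed "now" for the sample

# Constructed SP configuration: the items exchanged with the IdP at setup time.
IDP_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real X.509 cert").decode()
SP = {"entity_id": "https://sp.example.test/saml/metadata",
      "acs_url": "https://sp.example.test/saml/acs",
      "idp_entity_id": "https://idp.example.test/",
      "idp_cert_sha256": hashlib.sha256(base64.b64decode(IDP_CERT_B64)).hexdigest()}


class SamlValidationError(Exception):
    pass


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_response(issuer=SP["idp_entity_id"], audience=SP["entity_id"],
                   recipient=SP["acs_url"], cert_b64=IDP_CERT_B64, issued_minutes_ago=1):
    """Constructed SAMLResponse POST parameter (base64 XML), valid for 5 minutes from issue."""
    issued = SAMPLE_NOW - timedelta(minutes=issued_minutes_ago)
    nb, noa = (t.strftime("%Y-%m-%dT%H:%M:%SZ") for t in (issued, issued + timedelta(minutes=5)))
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion>
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{noa}"/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def validate_response(saml_response_b64, sp=SP, now=None):
    """Steps 6 and 7 of the flow: validate the Response and return the user identity."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlValidationError("not a SAML Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:                       # neither zero nor several assertions
        raise SamlValidationError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != sp["idp_entity_id"]:
        raise SamlValidationError("Issuer is not the registered IdP")
    # Pin the signing certificate to the one registered for this IdP. The signature value
    # itself must also be verified by an XML-signature library (assumed, not done here).
    cert = a.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
    if not cert.strip() or hashlib.sha256(base64.b64decode(cert.strip())).hexdigest() != sp["idp_cert_sha256"]:
        raise SamlValidationError("Assertion not signed with the registered IdP certificate")
    cond = a.find("saml:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if noa is None or (nb and now < _ts(nb) - SKEW) or now >= _ts(noa) + SKEW:
        raise SamlValidationError("Assertion is outside its validity window")
    audiences = [(e.text or "").strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp["entity_id"] not in audiences:           # an assertion meant for another SP must not log in here
        raise SamlValidationError("Audience does not include this SP's Entity ID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sp["acs_url"] or now >= _ts(scd.get("NotOnOrAfter")) + SKEW:
        raise SamlValidationError("SubjectConfirmationData does not match this ACS URL or has expired")
    attrs = {att.get("Name"): att.findtext("saml:AttributeValue", default="", namespaces=NS)
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip(),
            "attributes": attrs}


def check(saml_response_b64, now=SAMPLE_NOW):
    """Identity dict when the SP would log the user in, otherwise the rejection reason."""
    try:
        return validate_response(saml_response_b64, now=now)
    except SamlValidationError as e:
        return str(e)
```

Calling `check(build_response())` returns the identity the SP would log in (`name_id` and the `email` attribute); passing a different `audience`, `recipient`, `issuer`, `cert_b64` or an `issued_minutes_ago` outside the 5-minute window returns the rejection reason instead. The Audience and Recipient checks are what tie an Assertion to exactly the Entity ID and ACS URL configured above, so an Assertion the IdP issued for a different SP is refused even though it carries a valid signature from a trusted IdP.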

Please refer to the SAML Settings manual for details on setup and verification methods.