Security (Single Sign-On)

Within the account settings of an organization you are able to set up SSO for your organization.

SAML 2.0 is the most recent iteration of the Security Assertion Markup Language as established by the OASIS organization. This standard facilitates the exchange of authentication and authorization information across different security domains.

SAML 2.0 operates as an XML-based protocol that utilizes security tokens with assertions to relay data about a principal (typically an end user) between a SAML authority (identity provider or IdP) and a SAML consumer (service provider or SP).

SAML Authentication Workflow

  1. The user navigates to your Updraft subdomain and clicks the LOGIN with SSO button.

  2. The user is then redirected to your Identity Provider (IdP) login page.

  3. Using the IdP's web-based authentication system, the user logs in, and the IdP sends a SAML Response to the Updraft callback endpoint.

  4. If the user is authenticated and has the necessary permissions in Updraft, they are granted access to the Updraft Organization where only authorized apps are visible.

    1. New accounts in Updraft are created automatically (no e-mail invitation or activation is sent).

    2. After the user's first login, an Owner or Admin is able to add them to the Updraft projects.

SAML Authentication Workflow Group Mapping

Sometimes, it’s very helpful to align SAML group names from your Identity Provider (IdP) with the actual group names in Updraft (Permission Groups). This step is optional and only required if your IdP doesn’t send the actual group name, but instead provides an ID associated with the group in the IdP. You can set up this group mapping in the settings for each SAML configuration provider, using key/value pairs. Map the Permission Groups you set in Updraft with the groups in your SAML configuration.

Updraft will automatically recognize new groups with each authentication and add the user to the matching permission group in Updraft. After that you can assign the permission groups to your app projects.

This approach makes it possible to carry out almost all user management outside Updraft.
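To illustrate the group mapping described above, here is an added example (not Updraft's own code) that pulls the group values out of a SAML 2.0 AttributeStatement and translates IdP group IDs into Updraft permission group names through a key/value mapping; the attribute name `groups`, the sample assertion and the mapping are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the AttributeStatement of a SAML 2.0 assertion from an IdP
# that sends group identifiers (plus one plain group name) under an assumed
# attribute called "groups". Signature and audience validation are assumed to
# have happened before this step; parse untrusted XML with a hardened parser
# (e.g. defusedxml) in production.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>g-1a2b</saml:AttributeValue>
      <saml:AttributeValue>g-3c4d</saml:AttributeValue>
      <saml:AttributeValue>Developers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical key/value mapping as configured per SAML provider:
# IdP group ID -> Updraft permission group name.
GROUP_MAPPING = {"g-1a2b": "Admins", "g-3c4d": "Testers"}

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def extract_groups(assertion_xml, attribute_name="groups"):
    """Return the non-empty values of the group attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                values.append(value.text.strip())
    return values


def resolve_permission_groups(idp_groups, mapping):
    """Map IdP group IDs to permission group names; values without a mapping
    entry are taken as the group name itself (the IdP already sent a name).
    Duplicates are dropped while preserving order."""
    resolved = []
    for group in idp_groups:
        name = mapping.get(group, group)
        if name not in resolved:
            resolved.append(name)
    return resolved


if __name__ == "__main__":
    groups = extract_groups(SAMPLE_ASSERTION)
    print(resolve_permission_groups(groups, GROUP_MAPPING))
```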
