SAML2 Overview

What is SAML 2.0?

1 Security Assertion Markup Language

SAML 2.0 (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties. It enables Single Sign-On (SSO), allowing users to authenticate once and access multiple services.

A SAML flow involves two parties:

Party                    Role
-----------------------  ---------------------------------------------------
Identity Provider (IdP)  Authenticates users and issues assertions
Service Provider (SP)    Trusts the IdP and grants access based on assertions

2 How SAML Authentication Works

  1. User attempts to access a Service Provider (e.g., AWS Console)
  2. Service Provider redirects to the Identity Provider
  3. Identity Provider authenticates the user
  4. Identity Provider sends a signed assertion back to the Service Provider
  5. Service Provider validates the assertion and grants access
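Step 5 is where most SAML security rests: the Service Provider must bind the response to a request it actually sent, accept only a signed assertion from the trusted IdP, and enforce the assertion's conditions. The following example, added to this page and not SplitSecure's own code, shows those checks over a constructed sample Response using only the Python standard library. The cryptographic verification of the XML-DSig signature is delegated to a caller-supplied `signature_ok` callback (in a real SP this is where an XML signature library is invoked); every other check is implemented as an SP would run it.

```python
"""Service-provider-side validation of a SAML Response (step 5 above).

Example code added to this page; not SplitSecure's own implementation.
The Response below is a constructed sample.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class SamlValidationError(Exception):
    pass


def parse_time(s):
    # SAML timestamps are UTC ISO 8601 with a trailing 'Z'
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_response(xml_text, *, trusted_issuer, sp_entity_id, expected_in_response_to,
                      now, signature_ok, skew=dt.timedelta(seconds=60)):
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlValidationError("root element is not samlp:Response")
    # Bind the response to an AuthnRequest this SP actually issued
    if root.get("InResponseTo") != expected_in_response_to:
        raise SamlValidationError("InResponseTo does not match an outstanding AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        raise SamlValidationError("untrusted issuer")
    # The signature must be present and its Reference must cover this very
    # assertion (by ID), not some other element in the document
    sig = a.find("ds:Signature", NS)
    ref = None if sig is None else sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        raise SamlValidationError("signature Reference does not cover this assertion")
    if not signature_ok(a):  # cryptographic XML-DSig check lives in the callback
        raise SamlValidationError("signature verification failed")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("missing Conditions")
    not_before, not_on_or_after = parse_time(cond.get("NotBefore")), parse_time(cond.get("NotOnOrAfter"))
    if now < not_before - skew or now >= not_on_or_after + skew:
        raise SamlValidationError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise SamlValidationError("assertion not intended for this SP")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise SamlValidationError("missing NameID")
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id, "attributes": attrs}


# Constructed sample; the SignatureValue is a placeholder, not a real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_resp1" InResponseTo="_req42" IssueInstant="2024-05-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" IssueInstant="2024-05-01T12:00:00Z" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_sample(now_iso="2024-05-01T12:00:30Z", sp_entity_id="https://sp.example.test",
                 in_response_to="_req42", signature_ok=True):
    """Run the validator over the sample; return the result dict or the rejection reason."""
    try:
        return validate_response(SAMPLE_RESPONSE, trusted_issuer="https://idp.example.test",
                                 sp_entity_id=sp_entity_id, expected_in_response_to=in_response_to,
                                 now=parse_time(now_iso), signature_ok=lambda _a: signature_ok)
    except SamlValidationError as e:
        return str(e)


if __name__ == "__main__":
    print(check_sample())
    print(check_sample(now_iso="2024-05-01T13:00:00Z"))
```

The order of the checks matters: the InResponseTo and single-assertion checks reject replayed or restructured responses before any attribute is read, and the Reference URI check ensures the signature being verified is the one over the assertion whose NameID and attributes the SP is about to trust.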

SplitSecure as Your Identity Provider

1 Threshold-Protected Authentication

SplitSecure acts as a SAML 2.0 Identity Provider with a critical difference: authentication requires threshold approval from your team.

Traditional IdP                     SplitSecure IdP
----------------------------------  -------------------------------
Single admin controls access        Team threshold controls access
One compromised account = breach    No single point of failure
Limited audit trail                 Full approval audit trail

2 How It Works

When you authenticate through SplitSecure:

  1. You initiate login to a Service Provider
  2. SplitSecure creates an authentication proposal
  3. Team members approve on their mobile devices
  4. Once threshold is reached, SplitSecure signs the SAML assertion
  5. You gain access to the Service Provider

Security Guarantees

1 Secrets Never Leave the Secure Environment

Unlike traditional identity providers, no human — including SplitSecure operators — ever has access to your signing keys. When your team approves a SAML assertion, shares are sent to a Secure Environment where the signing key is reconstructed ephemerally, used to sign the assertion, and immediately discarded.

2 Shares Protected in Transit

Each team member’s cryptographic share is generated and stored exclusively on their device. When shares are transmitted to the Secure Environment for signing, they are always encrypted with perfect forward secrecy. The reconstructed secret exists only during computation and never leaves the Secure Environment.
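The approval flow (proposal, per-device approvals, threshold reached, assertion signed) and the guarantees above (shares held on devices, key reconstructed only inside the Secure Environment and discarded after use) are the two halves of one mechanism. The example below, added to this page and not SplitSecure's own implementation, models that mechanism with Shamir secret sharing over a prime field. Assumptions, since the page does not specify the scheme: a k-of-n split of a signing secret, a SHA-256 commitment to the key published at setup so a tampered share set is detected, and an HMAC-SHA256 over the assertion bytes standing in for the SAML XML signature. The `SecureEnvironment` class and all names in it are illustrative.

```python
"""Threshold approval -> ephemeral key reconstruction -> sign -> discard.

Example code added to this page; not SplitSecure's own implementation.
Shamir sharing over GF(PRIME); HMAC stands in for the XML-DSig signature.
"""
import hashlib
import hmac
import secrets

PRIME = 2**127 - 1  # Mersenne prime; secrets are 128-bit integers below it


def split_secret(secret, threshold, n_shares):
    """Split `secret` into n_shares points; any `threshold` of them reconstruct it."""
    assert 0 < threshold <= n_shares and 0 <= secret < PRIME
    # Random polynomial of degree threshold-1 with the secret as constant term
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, f(x)) for x in range(1, n_shares + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x=0; needs at least `threshold` distinct shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


class SecureEnvironment:
    """Hypothetical signing enclave: holds no share of its own, only approvals in flight."""

    def __init__(self, threshold, key_commitment):
        self.threshold = threshold
        self.key_commitment = key_commitment  # sha256 of the key, fixed at setup
        self.pending = {}  # proposal_id -> shares received from approving devices

    def approve(self, proposal_id, share):
        self.pending.setdefault(proposal_id, []).append(share)

    def try_sign(self, proposal_id, assertion_bytes):
        shares = self.pending.get(proposal_id, [])
        if len(shares) < self.threshold:
            return None  # below threshold: nothing can be reconstructed or signed
        key = reconstruct(shares[: self.threshold]).to_bytes(16, "big")
        try:
            if hashlib.sha256(key).hexdigest() != self.key_commitment:
                raise ValueError("reconstructed key does not match commitment")
            return hmac.new(key, assertion_bytes, hashlib.sha256).hexdigest()
        finally:
            key = None  # reconstructed secret is not retained past the signing call
            del self.pending[proposal_id]


def demo(threshold=2, n_devices=3):
    """Set up 2-of-3 shares, then show one approval is not enough and two are."""
    signing_key = secrets.randbelow(PRIME)
    commitment = hashlib.sha256(signing_key.to_bytes(16, "big")).hexdigest()
    device_shares = split_secret(signing_key, threshold, n_devices)
    del signing_key  # after setup only the devices hold material; the environment holds none
    env = SecureEnvironment(threshold, commitment)
    assertion = b'<saml:Assertion ID="_a1">constructed sample</saml:Assertion>'
    env.approve("proposal-1", device_shares[0])
    after_one = env.try_sign("proposal-1", assertion)   # None: threshold not reached
    env.approve("proposal-1", device_shares[2])
    after_two = env.try_sign("proposal-1", assertion)   # hex signature
    return after_one, after_two


if __name__ == "__main__":
    print(demo())
```

Two properties of the model are worth checking when reading it: `reconstruct` on fewer than `threshold` shares yields a value unrelated to the secret, which is what makes a vendor-side signature impossible without the team, and `try_sign` never stores the reconstructed key outside the call that uses it.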

Traditional PAM                         SplitSecure
--------------------------------------  -------------------------------------------------------------------
Vendor holds master keys or secrets     Reconstructed secrets exist only ephemerally in a Secure Environment
“Break glass” admin override possible   No override capability exists
Vendor could grant themselves access    Mathematically impossible for SplitSecure to sign without your team

3 No Vendor Access to Your Resources

Because SplitSecure never possesses any share of your signing keys, we cannot grant ourselves — or anyone else — access to your resources. This is a fundamental architectural difference from traditional PAM providers, who typically retain the ability to access customer systems for support or recovery purposes.

Getting Started

1 Prerequisites

Before configuring SAML integrations, you need:

  1. SplitSecure mobile app installed and set up
  2. Web Companion paired with your mobile app
  3. A team created in SplitSecure

If you haven’t completed these steps, see the Getting Started guides.

2 Next Steps

  1. Create a SAML2 Identity Provider — Set up your IdP in SplitSecure
  2. Configure Service Providers — Use the integration guides below to connect your services

Available Integrations

Service Provider     Description
-------------------  ----------------------------------------
AWS                  Amazon Web Services Console and CLI
Google Cloud         Google Cloud Platform Console
Google Workspace     Google Workspace admin and services
Microsoft Entra ID   Azure AD / Microsoft 365
Okta                 Okta identity management
Cloudflare           Cloudflare Dashboard and Zero Trust
Oracle Cloud         Oracle Cloud Infrastructure
IBM Cloud            IBM Cloud Console
PagerDuty            PagerDuty incident management
Kandji               Kandji MDM
Rapid7               Rapid7 security platform