Video: Simplifying SSO Onboarding with SAML & OIDC: Faster, Secure, and Self-Service | Duration: 1602s | Summary: Simplifying SSO Onboarding with SAML & OIDC: Faster, Secure, and Self-Service | Chapters: Welcome and Introduction (0s), Legacy SSO Challenges (42s), SSO Self-Service Migration (159s), OIDC Support (268s), SSO Configuration Setup (404s), OIDC Configuration Setup (776s), SSO Testing & Validation (1028s), Q&A and Wrap-Up (1473s), Closing Remarks (1539s)
Transcript for "Simplifying SSO Onboarding with SAML & OIDC: Faster, Secure, and Self-Service":
Why don't I go ahead and kick things off here? So as I said, this event is being recorded. We'll share that recording out. The survey is available for you to fill out after the event. But it is my pleasure to introduce a senior technical product manager, Resma Sasikumar, to help present the session on simplifying our single sign-on using SAML and OIDC. So, Resma, would you go ahead and come on up here? Awesome. Hey, Resma. Alright. Well, I'll go ahead and hand things off to you. Thank you, Christine. Let me share my screen. Hello. Greetings for a great day. Today, we want to talk to you all about Revenera's simplified SSO onboarding solution with the SAML and OIDC protocols, which is the faster, secure, and self-service portal for our SSO producers to onboard into FNO. So in this session, we will be briefly talking about the different challenges we faced with our legacy solution, the solution framework which we have adopted, the impact which the solution has brought to our customers, and then we'll go through a detailed demonstration by Zulkarnain. So to start with the challenges, the legacy SSO onboarding solution for Revenera was a completely manual process, which was aided by the GCS team, which means that the SSO producers of Revenera were not able to onboard their users by themselves. And this dependency was a lengthy onboarding process, which cycled back and forth for coordination, and therefore the time to create value was definitely more. And, hence, there was an adoption bottleneck happening. And there was also a small amount of cost associated with each onboarding process. And this was definitely not the SaaS experience which we wanted to give our producers. And with this problem, we started the initiative of coming up with a self-service portal for SSO onboarding. And then in the 2024.12 release we released the first increment of a self-service SSO onboarding portal with the SAML onboarding protocol.
So this was a major inflection point in customer experience and cost efficiency, where we moved away from the dependency on GCS for the onboarding process and empowered our producers to independently configure and manage the SAML metadata in FNO. The authentication was directly delegated to the customer-managed IDPs. We currently support all the industry standard identity providers with a strong focus on user experience, security, and SaaS-type behavior. And, also, we eliminated the extra cost which was involved. And the release of this increment has shown very good adoption and a positive impact on our customers. So we successfully migrated 100% of our existing SSO SAML customers to this new service. It was a seamless adoption, and those customers are currently able to use the service for their SSO management. When I say SSO management, I mean the renewal of their certificates and managing their IDP metadata, and since the time of the release, we have more than 10 new onboardings which happened through the service. And we are getting very positive feedback from our support team and customers. And there is a large reduction in the SSO related Jira tickets for data operation support from our customers. So, basically, we have made a frictionless transition of the SSO onboarding process. And, hence, we established a new benchmark for SaaS onboarding at Revenera. So after this increment of onboarding, we realized the need for adding OIDC support to the self-service portal, because till then we were only supporting SAML based onboarding for our customers. So considering the new SaaS customers, considering the applications of web based users, we introduced the OAuth 2.0 based OIDC protocol in the 2025.12 release.
So, again, we made sure that we are providing a seamless OIDC onboarding, which enables OIDC compliant identity providers to authenticate their users to FNO. And, definitely, OIDC is the SaaS first identity. And this is a future proof strategy for authentication for the SaaS market. Cumulatively, with these two increments or these two phases of strategic release, we were able to eliminate the manual onboarding process so that our producers are directly able to reach FNO, use the self-service portal, which has a very seamless user experience, and onboard into FNO. And the operational overhead which was involved in that process is completely removed and, hence, we have a frictionless onboarding into FNO. And since we are making use of all the industry standard protocols for this onboarding process or this authentication process, we are making sure of the security and compliance for our customers and thereby establishing a SaaS grade identity and authorization for Flexera. With this, we will have a detailed demonstration by Zulkarnain Chandray. He is the staff software developer at Revenera who was leading this project. Zulkarnain, can you come on stage? Thank you, Resma. Hi, everyone. I will be demonstrating the configuration of SSO on the Flexera portal. I'll start by sharing my screen. Let me know if my screen is visible. Yes. It's visible, Zulkarnain. Right. Okay. So this is a recorded session. I'll just walk through the recording. So let me just start. So here, I am using a testing tenant from our staging environment for this demo. So as of now, you can see there's no SSO enabled for this tenant. So once we log in, I just want to emphasize this point. Only those users will be able to enable SSO that have a particular permission assigned to their role.
So when you, as a user, are logging into an FNO system, the role that is assigned to you as a user should have this Manage SSO permission. Only then you will be able to set up this configuration. So I'm highlighting the role here as Manage SSO. By default, this permission is assigned to system administrators and to super administrators as well. And now to configure these SSO settings: under Administer, you can see we have a section for single sign-on, and you need to click on Configure Single Sign-On. As of now, if you see the status, it says the producer portal is not configured and the user portal is not configured. And here on the left hand side, you can see two buttons, for configuring SSO for the producer portal and configuring SSO for the end user portal. So we'll start with the end user portal. Right? So, again, here, if you see Enable Single Sign-On, you can use this particular button to either enable or disable it. So as of now, this box is checked by default. You cannot uncheck it because there was no configuration. And once you have a configuration already there, you can use this to disable the configuration as well. And you can see the SSO type here is SAML. Let me just pause for a second. If you see, it's a drop down where you will have a couple of options. One is SAML and one will be OIDC. And there are two entities in this SSO operation. One is your service provider, and one will be your identity provider. The identity provider is mostly the tenant or the producer who is responsible for managing the identity provider. And Flexera is the service provider entity in this whole operation. So here is a button to download the service provider metadata.
So this metadata is needed by the identity providers to configure the single sign-on from the identity provider side. So we need to do configuration on both the portals, on the IDP as well as on the service provider. So the service provider is the FNO system, and your IDPs like Okta, Entra, Salesforce are the identity providers. So this button, Download Service Provider Metadata, gives you the XML file with the information that is required for configuration of SSO on your IDPs. And then in here, we have a section for identity provider metadata. So this is the data that Flexera Operations, in this case the service provider, needs from the tenant or the producer. So you will see there is something called identity provider metadata. So this is generally an XML file that is downloaded from the IDP, and you have the configured logout URL. So this URL is the URL where the user will be redirected when they log out from Flexera Operations. There are another two options here. One is force authentication upon logout. So if we check this option, whenever a user logs out from an FNO system, they will be asked for credentials again for the SSO session. So even if they logged in for five minutes and they log out, and now they are trying to log in again, they will be asked for credentials because of this. So this is a security kind of option. And the last option is enabling the user login. So this option is a kind of backdoor. So this is not recommended for production, but this is useful in situations where SSO is broken. Somehow the IDP is down or, due to some other issues, the user is not able to use SSO. In that case, this particular option is useful, but this is not recommended for production.
We have seen this is useful for the first time when you are doing the configuration. This might be helpful in debugging the issues if SSO is not working. Otherwise, we don't recommend checking this option. Yeah. Right. So, by clicking on Upload Identity Provider Metadata, I just uploaded an XML file from the IDP. This is the IDP metadata, and I'll now save this configuration. So once we save it, we'll see a pop up that the configuration is saved. And on the home screen for SSO, you will see a record is created that will highlight for what portal and what type of SSO we did, and who the user was. And you can also see the transaction details, the options that we chose, and the IDP metadata file, and you can also download it. So this is a job that is picked up in the background by our runners. And they will apply the configuration on the gateway. So let me just pause for a second. Yeah. So if you see, as of now, the status is queued. So that means the job is not picked up by the runners as of now. So on average, it takes five minutes for these operations to be applied, to reflect, actually. So you did this configuration at, for example, this time. And after five minutes or six minutes max, it will start working. Okay. So, meanwhile, while this is in progress, what I'll do is I'll just configure SSO for the producer portal using the OIDC protocol. So if you see here, instead of SAML, now I'll be selecting the SSO type as OIDC. Alright. Let me just pause for a second. Now if you see the service provider metadata, it's again the same details. So in the OIDC protocol as well, we need the details from both the service provider and the IDP. But the data changes; the fields, the data that is required now, is different.
If you see the metadata that is required by the IDP, the service provider metadata, it is just the redirect URL where, once the user logs in, the user will be redirected. So this is very important. Whatever is configured here, the same has to be configured on the IDP. If we add a different link, even if it has a different host alias, it will not work. So it has to be the same, whatever it is. Because if you see, this is not an editable field. You cannot change it. So whatever redirect URL we have, it is generated automatically. The same has to be used on the IDP. And if we look at the configuration for the IDP, what FNO needs from the IDP here is the client ID, the secret, and the issuer URL. Again, these are needed for the OAuth or OpenID flow. Again, we are not storing secrets anywhere exposed. We are storing them in a secrets manager, so they are not exposed anywhere. Yeah. I'll let the recording go on. And in this demo, I haven't shown the configurations done on the IDP side for both the cases, but that is typically the job of IT admins. So I'm just copying the credentials of the IDP that we have configured, and I'll just save it here. And if you see, one more job is submitted. This is for the producer portal. The SSO type here, if you see, is OIDC. And, yeah. Again, it has some transaction history where it will show the client that submitted this. And if you see the status of the previous change that we did, it is in progress now. So that means the job is running. So as I said, usually it takes five to six minutes for the configuration to be applied. Yeah. So I have skipped that waiting part, and I'll just log out and I'll show you how this works now.
So this is where the configurations were applied after waiting for five minutes. And now this part will show how this SSO experience will look for the customers. I'll just go back. So here, I am trying to log in again to that test tenant from our staging environment. So instead of sending me to FNO for login using username and password, it will redirect me to the IDP where I have used the OpenID, OIDC protocol. So you can see here it is the OAuth protocol where it will ask us for the SSO. Everybody has experienced how the SSO experience is in a login box. We will have to enter the code from our authenticator applications. So here, I'm just trying to add a code. And it's a normal SSO login or IDP login. This is controlled by the IDPs. So this has nothing to do with FNO. But once I sign in to Okta, Okta will check my authentication, whether I'm an authentic user of that system, and then it will redirect me back to FNO where I'll be directly logged in now. So you can see I have been logged in with my username. This is the username. Right? And also, once the configuration is successful, you can see the status of both the jobs is now success. Right. Now I'm logging out of my producer portal. I will log in to my end user portal using the SSO. Sorry, the SAML protocol now. So this was just a glitch where I used a wrong URL, the backdoor URL. So right. So I configured SAML for the end user portal. So here, I am trying to log in with SAML. Yeah. So now you can see, after entering the credentials in Entra, I'm being logged into the end user portal. Here again, I'm checking the profile of my user. So we have tested this SSO for both SAML and OpenID, or OIDC, with most of the IDPs, like Entra, Ping, and the IDPs that we have, Salesforce.
We have some custom ones as well, because these are the protocols and most of the things are built on these. So we haven't seen any challenge. We have some legacy IDPs like IBM Verify or something. So that also we have integrated. Yeah. So this is the staging environment. It might take some time. So this is my profile, the one I am logged in with. And when I just log out, if you remember the logout URL that I have put in there, it goes to the revenera.com site; it will just redirect the user to this endpoint. Yeah. So that does it from the recording. So, yeah, the only thing that I skipped was the waiting part where we have to wait for five, six minutes for this configuration to be applied. Yeah. Thank you so much, Luca. Yep. We are open to questions. Yeah. Thanks, Zulkarnain. Great demo there. So as Reshma said, feel free to submit your questions in the chat. And while we're waiting for questions, I just want to plug again the survey. So feel free to provide us feedback on the session. And also, if you have any questions that you think of later, you could also include those in the survey post event. So there's a QR code to make it easier, as well as I've just shared the same link that's on the slide. Alright. So let's give another minute or so for folks to type things into the chat if they have any questions. Yeah. That was a great demo, and thanks for the context, Reshma. So just to confirm, this is already available in Flexera Operations. Is that correct? Yes. Yes. Yeah. Oh, great. So those customers looking to leverage single sign-on could utilize this for their benefit. Right. So it looks like I'm not seeing any questions in the chat. Alright. Well, I don't want to keep you guys. I know it's probably been a busy week for a lot of folks. So I thank you all again for your time, and big thanks to Reshma and Zulkarnain for their presentation here.
The recording will be shared out. Of course, you can reach out to us if you think of any questions after the fact, and be sure to share this recording out to your peers who might be involved with implementing things like single sign-on in your Flexera Operations. Alright. Well, thanks all. Have a great rest of your day, and we'll catch you in the next one. Right. Take care. Bye bye. Thank you. Thank you, everyone.