Working with SAML integration

The SAML documentation details federated access management within Matrix through Security Assertion Markup Language 2.0 (SAML 2.0). This includes a detailed look at the SAML account manager asset type and an integration example of its usage.

The SAML package requires SimpleSAMLphp (version 1.14 or later) to be installed on the Matrix server. If you are using Matrix 5.2 or below, use SimpleSAMLphp version 1.13. Squiz recommends using memcache or SQL rather than phpsession for SimpleSAMLphp session handling, to prevent session conflicts between SimpleSAMLphp and Matrix.

Read the SimpleSAMLphp maintenance documentation for SimpleSAMLphp session configuration.
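As an added illustration (not from the Squiz or SimpleSAMLphp documentation), these are the session-store entries of SimpleSAMLphp's config/config.php, showing the default phpsession setting next to the SQL store recommended above; the DSN, username and password are placeholders to replace for your installation.

```php
<?php
// Added example: session-store settings in SimpleSAMLphp's config/config.php.
// Hostname, database name and credentials below are placeholders.

$config = array(
    // Default setting. SimpleSAMLphp keeps its state in PHP's native session,
    // which Matrix also uses, so the two applications can overwrite each
    // other's session data. This is the setting Squiz advises against.
    // 'store.type' => 'phpsession',

    // Recommended: give SimpleSAMLphp its own SQL-backed store, separate from
    // the Matrix session.
    'store.type'         => 'sql',
    'store.sql.dsn'      => 'pgsql:host=localhost;dbname=simplesaml', // placeholder DSN
    'store.sql.username' => 'simplesaml',                             // placeholder
    'store.sql.password' => 'CHANGE_ME',                              // placeholder
    'store.sql.prefix'   => 'SimpleSAMLphp',

    // Alternative: a memcache-backed store, listing the memcache servers
    // SimpleSAMLphp should use (placeholder host).
    // 'store.type' => 'memcache',
    // 'memcache_store.servers' => array(
    //     array(array('hostname' => 'localhost')),
    // ),
);
```

Create the database and user before switching store.type, since SimpleSAMLphp will create its tables (with the configured prefix) on first use.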

Federated access management lets a user's identity, which may be stored across several systems, serve as a single set of identification data for obtaining access to each of those systems.

Security Assertion Markup Language 2.0 (SAML 2.0) is an XML-based standard for authenticating users and authorizing their access to secured domains by exchanging assertions between an identity provider and a service provider. SAML 2.0 enables web-based authentication, providing federated access management through single sign-on and identity verification.

Matrix employs this federated access management model to provide authentication through SAML 2.0 identity providers using SimpleSAMLphp integration.

SAML federated access management within Matrix

When a user first accesses Matrix through the SAML account manager asset, they are redirected to the SAML 2.0 identity provider for authentication. Once the identity provider has validated the user's identity, they are redirected back to Matrix.

A user's Matrix account is associated with the SAML identity, enabling federated access to the system and automatically signing the user into their account as part of the SAML authentication process. If no associated user account is found, the user can either create a new account within Matrix to use for federated access or sign in to an existing account to link it to the authenticated identity.

SimpleSAMLphp integration within Matrix

For Matrix to provide federated access management, the SimpleSAMLphp application must be correctly configured and installed on the same server as your Matrix installation.

Read the SimpleSAMLphp installation guide for more information.

Matrix uses SimpleSAMLphp as a library. Therefore, web access to SimpleSAMLphp through Apache is not required and can be revoked once SimpleSAMLphp has been configured and integrated with Matrix. SimpleSAMLphp requires PHP version 5.2.0 or higher.

Once you have installed SimpleSAMLphp, edit the Matrix tools configuration file (located at data/private/conf/tools.inc) and define the directory path to SimpleSAMLphp, as follows:

define('SQ_TOOL_SIMPLESAMLPHP_PATH', 'path/to/simplesamlphp');

Your Matrix system should now be correctly integrated with SimpleSAMLphp. You can verify this by creating a SAML account manager asset. The SimpleSAMLphp status field should read Installed, as shown in the figure.

The SimpleSAMLphp status field

Read the SimpleSAMLphp service provider quickstart guide for configuration steps for setting up SimpleSAMLphp as a service provider.

Configuration may differ depending on your identity provider. Refer to your IdP’s integration guide for more information on setting up your SAML integration.