About SAML

Notes: CSM supports SAML 2.0. The CSM Outlook Add-in does not currently support SAML authorization. SAML is Federal Information Processing Standard (FIPS)-compliant to help ensure compliance with federal security and data privacy requirements.

In our environment, CSM acts as a service provider and has been tested with the following identity providers:

  • Microsoft® Active Directory® Federated Services (ADFS) 2.0
  • Shibboleth®
  • SSOCircle

When a CSM User starts CSM (any Windows Client or Browser Application, Cherwell Mobile™ for Android™ or Cherwell Mobile for iOS), a Cherwell Service sends an authentication request to the User’s identity provider. If the User is not already logged in to the identity provider, the identity provider displays a login window where the User enters credentials, which the identity provider authenticates. If authentication succeeds, the identity provider passes a response containing one or more assertion statements to the Cherwell assertion consumer Service. An assertion indicates that the identity provider has successfully authenticated the User and includes a Name ID for the User (for example, an e-mail address or Windows login ID) and possibly additional optional attributes about the User (for example, name, department, and so on). The Cherwell Service uses the Name ID to find the User information in the CSM User database (the User can be either a Customer or an internal User), and then logs the User into the Cherwell Desktop Client application without requiring further User interaction.
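As an added illustration (not Cherwell's code), the checks an assertion consumer service applies to the identity provider's response before it uses the Name ID to look the User up: expected issuer, validity window, audience, and a database match. The Response XML, the issuer and audience URLs and the User records are constructed assumptions, and XML signature verification is assumed to have been done by the SAML library before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample Response as an IdP returns it to the SP (XML Signature omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://csm.example.test/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="department"><saml:AttributeValue>IT</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

# Constructed stand-in for the CSM User database: NameID -> (user kind, display name)
USER_DB = {"alice@example.test": ("internal", "Alice"), "bob@example.test": ("customer", "Bob")}

def _ts(value):  # parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def consume_assertion(xml_text, expected_issuer, expected_audience, now_iso):
    """Checks applied AFTER the XML signature has been verified (signature checking
    is assumed to be done by the SAML library). Returns the matched user or None."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None or assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return None  # missing conditions or unexpected issuer: do not trust the NameID
    now = _ts(now_iso)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return None  # outside the validity window (replayed or skewed assertion)
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return None  # issued for a different service provider
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id not in USER_DB:
        return None  # authenticated at the IdP but unknown to CSM: no login
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    kind, name = USER_DB[name_id]
    return {"name_id": name_id, "kind": kind, "name": name, "attributes": attrs}
```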

Note: Because SAML is designed for browsers, CSM Desktop Client applications open a browser window to handle the SAML authentication process. After SAML authentication has completed successfully, this window closes automatically. Each CSM Desktop Client application maintains its own separate session information, so every time a User logs in to a CSM Desktop Client, they are prompted to log in to the identity provider (with the exception of ADFS, which uses the current Windows session information).

The figure shows the CSM SAML SSO process.

Note: Before SAML can be used, the integration must be configured in CSM Administrator and in the identity provider.

SAML Single Sign-on Process

The figure shows the CSM SAML IdP Initiated process.

SAML IdP Initiated Login Process

© Copyright 2018 Cherwell Software, LLC. All rights reserved.