Overview
Vahana Application supports SAML-based Single Sign-On (SSO), allowing clients to authenticate into the Vahana platform (Service Provider - SP) using their own Identity Provider (IDP). This integration provides secure, seamless, and standardized authentication.
To enable SAML SSO, the samlauthentication microservice must be deployed on the client’s VRT environment. In the Vahana Sandbox environment, this microservice is already deployed. Tenant-specific configurations must be added to enable SSO.
Configuration Steps
1. Tenant Configuration
Add the client’s tenant details to the application.properties (or config map in Kubernetes) in the following format:
tenant.details = orgId~appId~tenantId
For multiple tenants, separate entries using commas.
After updating, restart the microservice.
Prerequisites
From IDP to SP (share with SP for each environment):
- Federation Metadata or SSO Login URL and SSO Logout URL.
From SP to IDP (share with IDP for each environment):
-
Assertion Consumer URL (ACS):
{{HOST}}/samlauthv2/callback
-
Metadata URL:
{{HOST}}/samlauthv2/login
-
Logout URL:
{{HOST}}/samlauthv2/logout
SP-Side Configuration
The following backend services must be created on the Vahana SP side:
-
GET_SAML_SSO_CONFIG
- Returns a list of SAML configuration parameters for the tenant.
| Field | Mandatory (Y/N) | Default / Provided Value | Details |
|---|---|---|---|
| identifier | Y | Configured tenant id in samauth service | |
| tenant.details = orgId~appId~tenantId | |||
| orgId | Y | orgId | |
| appId | Y | appId | |
| dashboardUrl | Y | dashboard url | |
| idpLogingUrl | Y | IDP SSO Login Url | |
| idpLogoutUrl | Y | IDP SSO Logout Url | |
| spLoginCallbackUrl | N | As per host | {{HOST}}/samlauthv2/callback |
| spEntityID | N | As per host | {{HOST}}/samlauthv2/login |
| encryptClientPayload | N | Y | |
| forceLogin | N | FALSE | |
| onlyLoginId | N | Y | |
| userCheck | N | N | |
| validateSignature | N | Y | |
| validateStatus | N | Y | |
| sessionTimeCheck | N | Y | |
| timeSkewInSec | N | “+:5” | |
| spName | N | DECIMAL | |
| reauthenticate | N | N | |
| expirationLeewaySeconds | N | 10 | |
| expiry0 | N | auth request timeout in sec |
-
GENERATE_SSO_TOKEN
- Generates SSO token post successful SAML authentication.
-
SPCHECKUSERSSO
- Validates authenticated SSO users.
Login URL Options
1. Using Identifier
{{HOST}}/samlauthv2/login?identifier={{identifier from tenant-details}}
2. Using Encrypted Payload
{{HOST}}/samlauthv2/login?encryptedPayload={{encryptedPayload}}
Note: identifier must be included inside the decrypted key-value payload.
Authentication Flow
SP-Initiated Login Flow
-
User hits the login URL.
-
Microservice fetches SAML configuration by calling GET_SAML_SSO_CONFIG.
-
If configuration exists, microservice redirects the user to the IDP login page (Azure AD, Okta, AD, etc.).
-
User enters credentials on the IDP.
-
IDP sends SAML Response to:
{{HOST}}/samlauthv2/callback
-
Microservice validates the SAML Response.
-
After successful validation:
- Calls GENERATE_SSO_TOKEN.
- Generates
ssoToken. - Returns
ssoToken,loginId, andclientPayload(if present) to the dashboard URL.
-
Web/Mobile application validates the
ssoToken. -
Application creates a Vahana session.
-
User is redirected to dashboard to access services.
IDP-Initiated Login Flow
- User logs directly into the IDP.
- IDP sends SAML response to the SP callback URL.
- Microservice validates the SAML response.
- SSO token is generated.
- User is redirected to the SP dashboard.
Conclusion
Vahana’s SAML SSO integration allows enterprises to authenticate users through their own identity providers while securely accessing Vahana services. With proper configuration of tenant details and supporting services, both SP-initiated and IDP-initiated flows are fully supported, ensuring seamless and secure login experiences across environments.