SAML SSO authentication

SAML authentication allows Service providers and enterprises with multiple subsidiaries to reduce costs by offload the Identity Management burden to the identity providers. Integrating with third party Identity Providers allows customers and partners to provide end users with a true SSO experience.

Comparing to previously described scenarios, the new server role needs to be added the Farm. As part of the SAML SSO process, the new host with RAS Enrollment Server component communicates with Microsoft Certificate Authority (CA) to request, enroll, and manage digital certificates on behalf of the user to complete authentication without requiring the users to put in their Active Directory credentials.

Parallels RAS supports the following delivery options:

• Web Client

• Web Client portal initiated SAML for Windows

• Web Client initiated SAML for Mac and Linux

• Web Client initiated SAML for Android and iOS

• Parallels Client for Windows initiated SAML Authentication

• Parallels Client for Mac initiated SAML Authentication

The below high-level logical diagram depicts SAML authentication and login process within a Parallels RAS environment:

The SAML authentication and login steps on the diagram above are:

1. RAS Secure Gateway redirects the Parallels Client login request to the IdP site.

2. The user authenticates with IdP.

3. IdP redirects the user to the RAS Secure Gateway with the SAML Assertion.

4. The user is authenticated using the SAML Assertion and the user is logged in.

5. The list of the available RAS published resources is retrieved.

6. The user chooses a published resource and launches it from Parallels Client.

7. The launch request from the user is sent to the server side and the resource is started on the available server.

8. A Parallels RAS session is established.

9. User certificate is processed:

   • Certificate is requested.

   • Certificate is created.

   • Encryption is preformed using the certificate.

10. Smartcard logon.