Purpose
SAML is a standard used by organizations to exchange authentication data between systems. Its primary role in online security is to allow you to access multiple web applications using one set of login credentials. It works by passing authentication information in a particular format between two parties, usually an identity provider (IdP) and a web application.
Figure: SAML SP Initiated SSO Flow
How is it beneficial?
Enhances Security with SSO & 2FA
The primary benefit of SSO and 2FA is that it provides additional security layers and decreases the chance of consumer identities becoming compromised.
Improves User Experience
From a user perspective, SAML improves the overall experience as users are no longer required to identify themselves for each service, website or application they have access to.
Provides Easier Termination
Termination can be done easily by deleting a single identity instead of multiple accounts across several services or environments.
Configuration
We (Booxi) can enable SAML in three simple steps:
You send us a link to the SAML Metadata of your Authentication system along with access to a test account.
We (Booxi) configure SAML.
We (Booxi) draw up a deployment plan with you based on your requirements.
FAQ
"Does Booxi SAML Integration support multi domain?"
Yes, it's possible as long as your IDP supports it.
"What are the prerequisites for multi-domain support in Booxi?"
A user (unique user) can only be associated with 1 IDP.
Your business (i.e. store) can only be associated with 1 IDP.
The list of email domains (CSV format) is limited to 384 characters (e.g. “@gmail.com,@mybusiness.com” is 26 characters).
"How can a user from a different domain be added?"
Such an addition requires modification to your database. To find out if you are eligible for this, consult your Booxi representative.
"Is it possible to support multi-domain after I go live with SAML?"
Yes, it's possible.
"Are SAML and non-SAML users allowed for the same merchant?"
Yes, it's possible, but we strongly advise against this as it defeats the purpose of SAML and increases the risk of security breaches.
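The two FAQ answers above on multi-domain prerequisites and on mixing SAML and non-SAML users can be checked before sending a configuration. The following is an added example, not Booxi's code; it assumes the email-domain list is a CSV string of "@domain" entries and that the 384-character limit applies to the raw string.

```python
"""Pre-flight checks for a multi-domain SAML setup (added illustration, not Booxi's code)."""

MAX_DOMAIN_LIST_CHARS = 384  # limit stated in the FAQ


def check_domain_list(csv: str) -> tuple[list[str], list[str]]:
    """Return (normalized domains, problems). Problems are collected rather than
    raised so every issue in the list can be reported at once."""
    problems: list[str] = []
    if len(csv) > MAX_DOMAIN_LIST_CHARS:
        problems.append(f"list is {len(csv)} characters; limit is {MAX_DOMAIN_LIST_CHARS}")
    domains: list[str] = []
    for raw in csv.split(","):
        d = raw.strip().lower()
        if not d:
            continue  # tolerate a trailing comma
        if not d.startswith("@") or "@" in d[1:] or "." not in d[1:]:
            problems.append(f"malformed entry {raw!r}; expected the form @example.com")
            continue
        if d in domains:
            problems.append(f"duplicate entry {d}")
            continue
        domains.append(d)
    if not domains:
        problems.append("list is empty")
    return domains, problems


def split_staff(domains: list[str], emails: list[str]) -> dict[str, list[str]]:
    """Sort a staff roster into SAML-managed and non-SAML users by email domain.
    A non-empty 'non_saml' bucket is the mixed setup the FAQ advises against."""
    wanted = set(domains)
    buckets: dict[str, list[str]] = {"saml": [], "non_saml": [], "invalid": []}
    for email in emails:
        local, sep, host = email.strip().rpartition("@")
        if not sep or not local or not host:
            buckets["invalid"].append(email)
        elif "@" + host.lower() in wanted:
            buckets["saml"].append(email)
        else:
            buckets["non_saml"].append(email)
    return buckets


# Constructed sample roster (hypothetical addresses, not real users)
STAFF = ["alice@mybusiness.com", "Bob@MYBUSINESS.com", "carol@gmail.com",
         "dave@contractor.example", "bad-address"]

if __name__ == "__main__":
    domains, problems = check_domain_list("@gmail.com,@mybusiness.com")
    print(domains, problems)        # ['@gmail.com', '@mybusiness.com'] []
    print(split_staff(domains, STAFF))
```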
"How can I restrict SAML access to store-owned devices only?"
We (Booxi) cannot restrict such access but your IDP can. Okta, among other solutions, provides ways to do this.
"How are users created/deleted in a SAML environment?"
Users are managed as they would be in any other environment, with their access being granted or revoked. As long as you have an associated IDP, staff will use that IDP by default. A user needs to be created at the IDP level as well as in Booxi. To delete a user, their access should be removed at both the IDP and Booxi level.
"What is Booxi's involvement when an employee’s access is removed?"
We (Booxi) are not involved in that process.
Your IT team, which manages the IDP, should be involved in the removal of an employee. This should result in that employee’s access being revoked, preventing that user from connecting to Booxi. The corresponding user in Booxi should then be deleted to release the user license.
Special Cases & Limitations
If a user already accessed Booxi prior to SAML using a personal email address (e.g. @gmail.com), we (Booxi) will be required to match users manually, which results in a longer deployment.
When migrating existing users, they will receive emails with a request to log in, after which their previous password will no longer be usable.
For more information about SAML and its implementation, consult your Booxi representative.