SAML Authentication

If your company uses a SAML IdP, you can use the IdP to authenticate Control Hub users.

SAML authenticates a user using the credentials stored in the IdP. SAML uses single sign on authentication so that users can log in to Control Hub and registered Data Collectors using the same credentials that they use for other web applications within your corporate network.

SAML provides single sign on for web applications. SAML single sign on transfers the user’s identity from one place (the identity provider or IdP) to another (the service provider or SP). Control Hub acts as the SAML service provider that works with the SAML IdP that you specify. The IdP can be in the cloud or on-premises. As the service provider, Control Hub does not directly access the IdP. Instead, all communication between Control Hub and the IdP is managed by the web browser.

When SAML authentication is enabled, users still require a Control Hub user account to log in to Control Hub or a registered Data Collector. After users enter their user account name, Control Hub sends the authentication request to the SAML IdP.

Control Hub SAML integration supports SAML 2.0 and supports SAML sessions initiated by the service provider only. It does not support sessions initiated by the identity provider.

As a service provider, Control Hub sends SAML AuthnRequest messages to the IdP Single Sign On (SSO) endpoint using SAML HTTP-Redirect and HTTP-POST bindings. The Assertion Consumer Service (ACS) endpoint used by Control Hub supports SAML HTTP-POST binding.