Overview

Understanding SAML 2.0 and how SplitSecure acts as your Identity Provider

What is SAML 2.0?

Security Assertion Markup Language

SAML 2.0 (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties. It enables Single Sign-On (SSO), allowing users to authenticate once and access multiple services.

A SAML flow involves two parties:

Party Role
Identity Provider (IdP) Authenticates users and issues assertions
Service Provider (SP) Trusts the IdP and grants access based on assertions

How SAML Authentication Works

  1. User attempts to access a Service Provider (e.g., AWS Console)
  2. Service Provider redirects to the Identity Provider
  3. Identity Provider authenticates the user
  4. Identity Provider sends a signed assertion back to the Service Provider
  5. Service Provider validates the assertion and grants access

SplitSecure as Your Identity Provider

Threshold-Protected Authentication

SplitSecure acts as a SAML 2.0 Identity Provider with a critical difference: authentication requires threshold approval from your approval set.

Traditional IdP SplitSecure IdP
Single admin controls access Approval set threshold controls access
One compromised account = breach No single point of failure
Limited audit trail Full approval audit trail

How It Works

When you authenticate through SplitSecure:

  1. You initiate login to a Service Provider
  2. SplitSecure creates an authentication proposal
  3. Approval set members approve on their mobile devices
  4. Once threshold is reached, SplitSecure signs the SAML assertion
  5. You gain access to the Service Provider

Security Guarantees

Secrets Never Leave the Secure Environment

Unlike traditional identity providers, no human — including SplitSecure operators — ever has access to your signing keys. When your approval set approves a SAML assertion, shares are sent to a Secure Environment where the signing key is reconstructed ephemerally, used to sign the assertion, and immediately discarded.

Shares Protected in Transit

Each approval set member’s cryptographic share is generated and stored exclusively on their device. When shares are transmitted to the Secure Environment for signing, they are always encrypted with perfect forward secrecy. The reconstructed secret exists only during computation and never leaves the Secure Environment.

Traditional PAM SplitSecure
Vendor holds master keys or secrets Reconstructed secrets exist only ephemerally in a Secure Environment
“Break glass” admin override possible No override capability exists
Vendor could grant themselves access Mathematically impossible for SplitSecure to sign without your approval set

No Vendor Access to Your Resources

Because SplitSecure never possesses any share of your signing keys, we cannot grant ourselves — or anyone else — access to your resources. This is a fundamental architectural difference from traditional PAM providers, who typically retain the ability to access customer systems for support or recovery purposes.

Getting Started

Prerequisites

Before configuring SAML integrations, you need:

  1. SplitSecure mobile app installed and set up
  2. Web App paired with your mobile app
  3. An approval set created in SplitSecure

If you haven’t completed these steps, see the Getting Started guides .

Next Steps

  1. Create a SAML2 Identity Provider — Set up your IdP in SplitSecure
  2. Configure Service Providers — Use the integration guides below to connect your services

Available Integrations

Service Provider Description
AWS Configure AWS IAM SAML federation
Cloudflare Configure Cloudflare Zero Trust SSO
Microsoft Entra ID Configure Microsoft Entra ID federation
Google Cloud Platform Configure GCP Workforce Identity Federation
Google Workspace Configure Google Workspace SSO
Google Workspace (Legacy) Legacy Google Workspace SSO configuration
IBM Cloud Configure IBM Cloud App ID federation
Iru Configure Iru MDM SSO
Okta Configure Okta as a SAML Identity Provider
Oracle Cloud Configure Oracle Cloud Infrastructure SAML
PagerDuty Configure PagerDuty incident management SSO
Rapid7 Configure Rapid7 SAML 2.0 federation

Last updated: