Overview
Understanding SAML 2.0 and how SplitSecure acts as your Identity Provider
What is SAML 2.0?
Security Assertion Markup Language
SAML 2.0 (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties. It enables Single Sign-On (SSO), allowing users to authenticate once and access multiple services.
A SAML flow involves two parties:
| Party | Role |
|---|---|
| Identity Provider (IdP) | Authenticates users and issues assertions |
| Service Provider (SP) | Trusts the IdP and grants access based on assertions |
How SAML Authentication Works
- User attempts to access a Service Provider (e.g., AWS Console)
- Service Provider redirects to the Identity Provider
- Identity Provider authenticates the user
- Identity Provider sends a signed assertion back to the Service Provider
- Service Provider validates the assertion and grants access
SplitSecure as Your Identity Provider
Threshold-Protected Authentication
SplitSecure acts as a SAML 2.0 Identity Provider with a critical difference: authentication requires threshold approval from your approval set.
| Traditional IdP | SplitSecure IdP |
|---|---|
| Single admin controls access | Approval set threshold controls access |
| One compromised account = breach | No single point of failure |
| Limited audit trail | Full approval audit trail |
How It Works
When you authenticate through SplitSecure:
- You initiate login to a Service Provider
- SplitSecure creates an authentication proposal
- Approval set members approve on their mobile devices
- Once threshold is reached, SplitSecure signs the SAML assertion
- You gain access to the Service Provider
The signing key for SAML assertions is protected by threshold cryptography. No single person — not even SplitSecure — can sign assertions without approval set approval.
Security Guarantees
Secrets Never Leave the Secure Environment
Unlike traditional identity providers, no human — including SplitSecure operators — ever has access to your signing keys. When your approval set approves a SAML assertion, shares are sent to a Secure Environment where the signing key is reconstructed ephemerally, used to sign the assertion, and immediately discarded.
Shares Protected in Transit
Each approval set member’s cryptographic share is generated and stored exclusively on their device. When shares are transmitted to the Secure Environment for signing, they are always encrypted with perfect forward secrecy. The reconstructed secret exists only during computation and never leaves the Secure Environment.
| Traditional PAM | SplitSecure |
|---|---|
| Vendor holds master keys or secrets | Reconstructed secrets exist only ephemerally in a Secure Environment |
| “Break glass” admin override possible | No override capability exists |
| Vendor could grant themselves access | Mathematically impossible for SplitSecure to sign without your approval set |
No Vendor Access to Your Resources
Because SplitSecure never possesses any share of your signing keys, we cannot grant ourselves — or anyone else — access to your resources. This is a fundamental architectural difference from traditional PAM providers, who typically retain the ability to access customer systems for support or recovery purposes.
There is no “back door” and no recovery mechanism that bypasses your approval set’s threshold. Your approval set has complete, exclusive control over authentication.
Getting Started
Prerequisites
Before configuring SAML integrations, you need:
- SplitSecure mobile app installed and set up
- Web App paired with your mobile app
- An approval set created in SplitSecure
If you haven’t completed these steps, see the Getting Started guides .
Next Steps
- Create a SAML2 Identity Provider — Set up your IdP in SplitSecure
- Configure Service Providers — Use the integration guides below to connect your services
Available Integrations
| Service Provider | Description |
|---|---|
| AWS | Configure AWS IAM SAML federation |
| Cloudflare | Configure Cloudflare Zero Trust SSO |
| Microsoft Entra ID | Configure Microsoft Entra ID federation |
| Google Cloud Platform | Configure GCP Workforce Identity Federation |
| Google Workspace | Configure Google Workspace SSO |
| Google Workspace (Legacy) | Legacy Google Workspace SSO configuration |
| IBM Cloud | Configure IBM Cloud App ID federation |
| Iru | Configure Iru MDM SSO |
| Okta | Configure Okta as a SAML Identity Provider |
| Oracle Cloud | Configure Oracle Cloud Infrastructure SAML |
| PagerDuty | Configure PagerDuty incident management SSO |
| Rapid7 | Configure Rapid7 SAML 2.0 federation |
Last updated: