AX1412
Using SAML Authentication
You can enable SAML Authentication for Axiom Cost Accounting, so that users are authenticated based on a designated identity provider (such as Shibboleth or Windows Active Directory Federation Services). This option is only supported for use with Axiom Cloud Service systems.
SAML Authentication behavior
SAML Authentication (Security Assertion Markup Language) is a web-based authentication method. Users access Axiom Cost Accounting by going to the Axiom Web Client in a browser. Users must enter their user name and password for their identity provider. Once they are authenticated, if the user name matches a user name in Axiom Cost Accounting, then the user can access the Axiom Web Client or install / launch the Axiom Excel Client or Windows Client from the web page.
Users assigned to SAML Authentication can only access Axiom Cost Accounting from the web. The Excel Client and Windows Client cannot subsequently be launched using a shortcut on the user's computer; the user must continue to log into the Axiom Web Client in order to start the Desktop Client. When using SAML Authentication, you may want to configure the Axiom Application Server installation so that no shortcuts are placed on user computers during the client installation, since users will not be able to use these shortcuts.
NOTE: SAML Authentication is not supported for use with the iPad app.
Setting up SAML Authentication
The following summarizes the setup process for SAML Authentication.
- SAML Authentication must be enabled for the system.
  For cloud systems, Kaufman Hall Software Support will enable SAML Authentication for you as part of the system setup, if that is your chosen authentication method.
- Complete any additional configuration requirements to enable SAML Authentication.
  SAML Authentication requires additional setup steps. These steps differ depending on the designated identity provider. Please contact Kaufman Hall Software Support for assistance in completing the SAML Authentication setup.
- In security, Axiom Cost Accounting users must be set up as follows to support SAML Authentication:
  - The user's Axiom Cost Accounting login name must match their login name for the SAML identity provider (with or without an @suffix as appropriate).
  - The user's Authentication method must be set to SAML.
- If you need to test the security settings of a SAML Authentication user, you can use the Log in as selected user feature to log in to Axiom Cost Accounting as that user. For more information, see Testing user security.
Logging in as an Axiom Prompt user when SAML Authentication is enabled
You can also set up Axiom Prompt users when SAML Authentication is enabled, for example to allow Kaufman Hall Software Support to access the system without giving them credentials for the SAML identity provider. These users must go to a special area of the web site in order to log in:
https://ServerName/Axiom/Home/Login
Where ServerName is the name of your Axiom Application Server and Axiom is the name of the virtual directory.