AX1412
Using SAML Authentication
You can enable SAML Authentication for Axiom Capital Planning, so that users are authenticated based on a designated identity provider (such as Shibboleth or Windows Active Directory Federation Services). This option is only supported for use with Axiom Cloud systems.
SAML Authentication behavior
SAML Authentication (Security Assertion Markup Language) is a web-based authentication method. Users access Axiom Capital Planning by going to the Axiom Web Client in a browser. Users must enter their user name and password for their identity provider. Once they are authenticated, if the user name matches a user name in Axiom Capital Planning, then the user can access the Axiom Web Client or install / launch the Axiom Excel Client or Windows Client from the web page.
Users assigned to SAML Authentication can only access Axiom Capital Planning from the web. The Excel Client and Windows Client cannot subsequently be launched using a shortcut on the user's computer; the user must continue to log into the Axiom Web Client in order to start the Desktop Client. When using SAML Authentication, you may want to configure the Axiom Application Server installation so that no shortcuts are placed on user computers during the client installation, since users will not be able to use these shortcuts.
Setting up SAML Authentication
The following summarizes the setup process for SAML Authentication.
- SAML Authentication must be enabled for the system.
  For Axiom Cloud systems, Axiom Support will enable SAML Authentication for you as part of the system setup, if that is your chosen authentication method.
- Complete any additional configuration requirements to enable SAML Authentication.
  SAML Authentication requires additional setup steps. These steps differ depending on the designated identity provider. Please contact Axiom Support for assistance in completing the SAML Authentication setup.
- In security, Axiom Capital Planning users must be set up as follows to support SAML Authentication:
  - The user's Axiom Capital Planning login name must match their login name for the SAML identity provider (with or without an @suffix as appropriate).
  - The user's Authentication method must be set to SAML.
- If you need to test the security settings of a SAML Authentication user, you can use the Log in as selected user feature to log in to Axiom Capital Planning as that user. For more information, see Testing user security.
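A pre-rollout check for the login-name requirement above, as an added example that is not part of the Axiom documentation or product. It compares an exported list of Axiom login names with the identity provider's login names and flags users who would fail to match, plus bare names that two identity provider accounts share. The sample names, the `idp_sends_suffix` switch and the report categories are assumptions; case-only differences are reported separately because the page does not say whether matching is case-sensitive.

```python
from collections import defaultdict

# Constructed sample data (not from any real system).
AXIOM_LOGINS = ["jsmith@example.com", "mlee", "KPatel@example.com",
                "tnguyen@example.com"]
IDP_LOGINS = ["jsmith@example.com", "mlee@example.com", "kpatel@example.com",
              "rgomez@example.com", "rgomez@corp.example"]

def bare(name):
    """Strip an @suffix: 'user@example.com' -> 'user'."""
    return name.split("@", 1)[0]

def check_logins(axiom_logins, idp_logins, idp_sends_suffix):
    """Classify each Axiom login name against the IdP's login names.

    idp_sends_suffix is an assumption you confirm for your deployment:
    True if the IdP asserts names with the @suffix, False if without.
    """
    # Map each name the IdP would assert to the IdP accounts producing it.
    asserted = defaultdict(list)
    for idp in idp_logins:
        asserted[idp if idp_sends_suffix else bare(idp)].append(idp)

    lowered = {name.lower() for name in asserted}
    bares = {bare(name).lower() for name in asserted}
    report = {"ok": [], "ambiguous": [], "case_only": [],
              "suffix_mismatch": [], "missing": []}
    for login in axiom_logins:
        if login in asserted:
            # Two IdP accounts collapsing to one name is an identity risk.
            bucket = "ok" if len(asserted[login]) == 1 else "ambiguous"
        elif login.lower() in lowered:
            bucket = "case_only"
        elif bare(login).lower() in bares:
            bucket = "suffix_mismatch"
        else:
            bucket = "missing"
        report[bucket].append(login)
    return report

if __name__ == "__main__":
    for bucket, names in check_logins(AXIOM_LOGINS, IDP_LOGINS, True).items():
        print(f"{bucket}: {names}")
```

Resolve every entry outside `ok` before switching a user's Authentication method to SAML.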
Logging in as an Axiom Prompt user when SAML Authentication is enabled
You can also set up Axiom Prompt users when SAML Authentication is enabled, such as to allow Axiom Support to access the system without giving them credentials for the SAML identity provider. These users must go to a special area of the web site in order to log in:
https://ServerName/Axiom/Home/Login
Where ServerName is the name of your Axiom Application Server and Axiom is the name of the virtual directory.