SAML (Security Assertion Markup Language)
SAML is an XML-based open standard for exchanging authentication and authorization data between an identity provider (IdP), which authenticates the user, and a service provider (SP), which consumes the resulting assertion. In MDM environments, SAML provides enterprise SSO for the MDM administrator console and user portals, so organizations can reuse existing identity infrastructure (such as Okta or Azure AD, now Microsoft Entra ID) instead of maintaining a separate set of MDM credentials.
What to Know
SAML enables single sign-on across enterprise applications: users authenticate once with their identity provider and reach multiple applications without re-entering credentials. For MDM platforms, SAML integration eliminates separate MDM passwords for admins, reducing credential management overhead and letting authentication policies defined at the identity provider (MFA, password complexity, session timeouts) apply consistently. SAML assertions carry identity and authorization statements signed by the identity provider using XML Signature. That signature lets the service provider detect tampering and trust assertions issued across organizational boundaries, but only when the service provider verifies it against the certificate published in the identity provider's metadata and also checks the assertion's issuer, audience, recipient and validity window; an assertion accepted without those checks can be replayed or presented to an application it was never issued for.
SAML is particularly valuable for enterprises with established identity infrastructure and many SaaS applications. Rather than managing passwords in every application, IT maintains a single source of truth in the identity provider. User lifecycle management is simplified: when employees leave, disabling their account in the identity provider blocks any new login to every SAML-connected application. Sessions already established at a service provider are not ended by that action and last until they expire or are terminated, which is why short service-provider session lifetimes and single logout matter. SAML also supports just-in-time provisioning, where an account is created automatically on first login, reducing onboarding friction.
Common Scenarios
Enterprise IT: Corporate IT integrates MDM with Azure AD or Okta using SAML to enable SSO for MDM admins, eliminating separate MDM credentials and enforcing MFA consistently. IT configures SAML by registering the MDM platform in the identity provider as a service provider, exchanging metadata files that define endpoints, entity IDs and signing certificates, and mapping SAML attributes to MDM user roles. Attribute-based access control lets IT grant different MDM permissions based on Active Directory or Okta group memberships carried in the assertion. Session timeout policies defined in the identity provider control when users must re-authenticate at the identity provider; they bound the MDM console session itself only when the identity provider sets SessionNotOnOrAfter in the assertion and the MDM platform honors it, so the console's own session lifetime should be configured deliberately rather than assumed to follow.
MSP: MSPs use SAML to let technicians access multiple client MDM instances through federated authentication, eliminating per-client credential management. Just-in-time provisioning creates technician accounts automatically on first access to a client MDM instance. MSPs should follow SAML best practices, including a signing-certificate rotation schedule, least-privilege attribute mapping, and single logout so that ending a technician's session at the identity provider terminates the MDM sessions as well. Certificate renewal changes the identity provider's metadata, and every integrated application must accept the new certificate before the old one stops being used; the usual approach is to publish the new certificate alongside the old one, let each application refresh its metadata, and only then retire the old one. Skipping that coordination produces signature validation failures across all clients at once.
Education: School districts integrate MDM with Google Workspace or Microsoft 365 using SAML, allowing IT staff to authenticate to MDM consoles with their school credentials. SAML simplifies administrator lifecycle management: when staff change roles or leave the district, access changes in the identity provider automatically carry over to MDM permissions. Educational SAML configurations must map attributes carefully, granting MDM roles only to narrowly scoped groups, since a broadly scoped directory group (all staff, for example) placed in the role mapping would hand console access to everyone in it.
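The service-provider validation described under What to Know and the group-to-role mapping from the Enterprise IT and Education scenarios, as an added example in Python (not Addigy's code, not any identity provider's, and not Addigy's actual attribute or role names): it checks a constructed response's issuer, InResponseTo, validity window, audience, recipient and one-time use, derives the console session expiry from SessionNotOnOrAfter, and maps only explicitly listed groups to roles so that a broad group such as all-staff grants nothing. The entity IDs, the ACS URL, the attribute name groups and the role names are assumptions; XML signature verification must run first with an XML-DSig library and is assumed to have passed here.

```python
# Added example (not Addigy's or any IdP's code): the checks a SAML service
# provider applies AFTER an assertion's XML signature has verified, plus a
# deny-by-default group-to-role mapping.  Standard library only; signature
# verification needs an XML-DSig library (python3-saml, signxml) and is
# assumed to have already passed for the constructed document below.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical deployment values (assumptions, not real Addigy or IdP identifiers).
IDP_ENTITY_ID = "https://idp.example.com/saml"
SP_ENTITY_ID = "https://mdm.example.com/saml/metadata"
SP_ACS_URL = "https://mdm.example.com/saml/acs"
DEFAULT_SESSION = timedelta(hours=8)   # SP ceiling when the IdP sets no limit
CLOCK_SKEW = timedelta(minutes=3)
GROUP_TO_ROLE = {"mdm-admins": "admin", "mdm-helpdesk": "helpdesk"}  # unlisted: nothing

def parse_time(value):
    """xs:dateTime in UTC; tolerate the fractional seconds some IdPs emit."""
    if "." in value:
        value = value.split(".")[0] + "Z"
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, expected_request_id, now, seen_ids):
    """Return {'name_id', 'roles', 'session_expires'} or raise on the first failed check."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:            # extra assertions are a wrapping red flag
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("unexpected Issuer")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("Response does not answer our AuthnRequest")
    cond = a.find("saml:Conditions", NS)
    if (now + CLOCK_SKEW < parse_time(cond.get("NotBefore"))
            or now - CLOCK_SKEW >= parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was issued for a different service provider")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != SP_ACS_URL
            or scd.get("InResponseTo") != expected_request_id
            or now >= parse_time(scd.get("NotOnOrAfter"))):
        raise ValueError("SubjectConfirmationData rejected (recipient, request or expiry)")
    assertion_id = a.get("ID")
    if assertion_id in seen_ids:        # bearer assertions are one-time use
        raise ValueError("replayed assertion")
    seen_ids.add(assertion_id)
    # Console session bound: honour SessionNotOnOrAfter when the IdP sets one.
    authn = a.find("saml:AuthnStatement", NS)
    limit = authn.get("SessionNotOnOrAfter") if authn is not None else None
    session_expires = now + DEFAULT_SESSION
    if limit:
        session_expires = min(session_expires, parse_time(limit))
    groups = [v.text for v in a.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='groups']/saml:AttributeValue", NS)]
    roles = sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})
    if not roles:                       # refuse rather than fall back to a default role
        raise PermissionError("no SAML group maps to an MDM role")
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "roles": roles, "session_expires": session_expires}

# Constructed sample response (ds:Signature omitted; see note at top).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" InResponseTo="_req-abc123">
  <saml:Assertion ID="_a1" IssueInstant="2024-05-01T12:00:00Z" Version="2.0">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://mdm.example.com/saml/acs"
            InResponseTo="_req-abc123" NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://mdm.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-05-01T11:59:50Z" SessionNotOnOrAfter="2024-05-01T16:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>all-staff</saml:AttributeValue>
        <saml:AttributeValue>mdm-helpdesk</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, "_req-abc123", parse_time("2024-05-01T12:01:00Z"), set()))
```

Run at 12:01 UTC the sample yields alice@example.com with the single role helpdesk and a console session capped at 16:00 by the identity provider's SessionNotOnOrAfter; the all-staff group contributes nothing because it is absent from the mapping. Presenting the same assertion a second time, presenting it after 12:05, answering a different AuthnRequest, or changing the Audience all fail, and a user whose groups map to no role is refused rather than given a default role.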
In Addigy
Addigy supports SAML 2.0 integration for administrator single sign-on, enabling organizations to integrate with SAML-compliant identity providers like Okta, Azure AD, OneLogin, and others. Administrators configure SAML by exchanging metadata between Addigy and their identity provider, establishing the trust relationship and endpoint configurations. Addigy supports SAML attribute mapping for user identification and role assignment based on identity provider groups.
Addigy’s SAML configuration wizard guides admins through the setup process, providing clear documentation and troubleshooting guidance. Addigy validates SAML assertions and handles session management automatically, abstracting protocol complexity while maintaining security best practices. Organizations can enforce MFA and other authentication policies at the identity provider level, with those policies automatically applying to Addigy console access through SAML integration. Addigy support can assist with SAML troubleshooting including assertion analysis and attribute mapping verification.
Also Known As
- SAML 2.0
- Security Assertion Markup Language Authentication