Starting with version 3.6.0, the SAML Single Sign-On app can delegate the WebSudo authentication to the SAML IdP.


Limitations

  1. WebSudo with SSO does not work with transient NameIDs
    This is because the SAML NameID from the additional authentication must be the same as the one from the initial login

  2. WebSudo with SSO does not work with the Set RememberMe Cookie option enabled, so please disable it as pictured below


    Once the remember me cookie is used to establish a user session again it is no longer a SAML session.
    The only workaround, for now, is to log out and log in with SAML SSO again, should you not see the blue reauthenticate button.

This is disabled by default. To enable it, click the the checkbox Enable additional authentication in the SAML SSO app's IdP configuration.

If the current admin user is logged in using SAML and this setting is enabled for the IdP the user has authenticated with,
the WebSudo page shows a Re-Authenticate button. 

Clicking this button will open a new browser window with the IdP's authentication page where the user needs to authenticate again.

The SAML authentication request for this authentication is sent with the flag ForceAuthn="true". This tells the IdP not to rely on an active session but request credentials.

After successful authentication, starting the WebSudo session must be confirmed before the window is closed automatically:


Please also enable the following, provided that you are using version 4.0.7 or later:

Navigate to the Advanced settings and enable the Set Samesite=None on the session cookie checkbox, save the settings and you're good to go.

If you are using an older version and can't or don't want to upgrade, please refer to the alternative options 2, 3, 4 or 5