Concepts and Terminologies

SAML

SAML (Security Assertion Markup Language) is an authentication protocol for exchanging authentication and authorization data between an identity provider (IDP) and a service provider (SP). It exchanges XML documents between authentication servers and applications. XML signatures and encryption are used to verify requests and responses.

Identity providers

An identity provider (often abbreviated as IDP) is an entity that creates and manages identity information in SSO. It also provides authentication as a service to improve security and efficiency. The identity provider of Face Login is the service instance created in Identity Manager, containing the biometric information of users. This enables a more convenient and secure identity verification method by using faces.

Service providers

A service provider (often abbreviated as SP) is an entity that receives and accepts authentication information from another entity, usually an identity provider.

Clients

A client is an entity that requests identity information or an access token to securely invoke other services on the network that are secured by Face Login. To establish the binding, a client should include an Entity ID and a redirect URL.

The SAML Entity ID is the value that the remote Identity Provider uses to identify requests from this Service Provider. A redirect URL is used to exchange information in redirect binding in SAML.

Accounts

An account in Face Login is an entity that can log into binding service providers' systems. Meanwhile, since Face Login is built based on Identity Manager, it shares several attributes associated with the sign-on process, like email and username. Please notice that the account of Face Login is different from the JCV Cloudaccount that you used to sign into the management console page or the original account of the service provider.

Single-Sign-On and Single-Sign-Out (SSO)

Single-Sign-On is a mechanism used in computer security that enables users to access multiple applications or systems with a single set of login credentials. Instead of requiring users to remember and enter different usernames and passwords for each application, SSO allows them to authenticate once and gain access to all authorized applications seamlessly.

Due to the technical limit of some popular service providers not supporting third-party SAML single-sign-ou, SSO is not directly supported in Face Login. But we highly recommend using one of the service providers (commonly Microsoft 365 or Google Workspace), which supports SSO as the intermediate service provider for all other SAML applications. In this way, the intermediate service provider can redirect the SAML login request to Face Login and use facial recognition as the login method while using the feature provided by the intermediate service provider to achieve SSO.