Rublon

Secure Remote Access

Last updated on September 1, 2025

MFA for SAML is a secure type of authentication that enables Multi-Factor Authentication for your users in a Single Sign-On (SSO) infrastructure. It is important to note that MFA for SAML does not add MFA to SAML itself because SAML is not an authentication protocol. Instead, SAML MFA adds MFA for Active Directory, LDAP, or RADIUS users and strengthens these users’ SSO logins with secondary authentication such as Mobile Push or WebAuthn/U2F Security Key. 

What is SAML?

Security Assertion Markup Language (SAML) is an open standard XML-based markup language that allows exchanging of authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). The Identity Provider is a SAML authority that performs authentication and passes the user’s identity and authorization level to the Service Provider. The Service Provider must trust the Identity Provider as it authorizes the user to access a resource.

MFA for SAML and Single Sign-On (SSO)

You can use SAML to enable Single Sign-On (SSO) for cloud applications. Briefly speaking, SSO requires you to enter your login and password only once and then access any cloud application you want without re-entering your login credentials. Single Sign-On delivers a streamlined user experience because users do not waste time entering their passwords multiple times a day. Also, SSO allows for centralized identity management (IAM) for cloud apps because users can use the same set of credentials for all applications. Administrators save time because they do not have to configure security policies for every cloud app separately. All in all, Single Sign-On makes everybody’s life easier.

How to Make Single Sign-On (SSO) More Secure?

You can add Multi-Factor Authentication (MFA) to your Single Sign-On (SSO) logins to improve the security of your user logins. An extra layer of protection in the form of a Mobile Push notification or a Mobile Passcode based on the TOTP algorithm can drastically reduce the likelihood of a successful cyberattack.

In standard SSO, users provide their password once and never enter the password again, as long as their SAML session is still active.

With MFA on, the user provides their password and accepts the Mobile Push authentication request to get access. Then, they do not have to provide their password. However, every time they log in to another cloud app, they have to accept the Mobile Push request again. Mobile Push is a comfortable and fast one-tap authentication method. Your users will hardly see the difference, but they will be much more secure.

How Does SAML MFA Work With SSO?

To enable MFA on your cloud apps, you need to deploy the Rublon Access Gateway as an IIS server. Users sign in to the Rublon SSO Portal and then select the cloud app from the gallery of available applications. The SSO Portal is a part of the Rublon Access Gateway and needs additional (albeit short and easy) configuration.

With Rublon MFA enabled, the Rublon Access Gateway only uses the SAML protocol to communicate with Service Providers (cloud applications).

Rublon Access Gateway does not use SAML to communicate with Identity Providers (user databases). To speak with an Identity Provider, Rublon Access Gateway uses either the RADIUS protocol (if you store your users in, e.g., FreeRADIUS) or the LDAP protocol (if you store your users in, e.g., Active Directory).

Diagram for MFA + SSO + SAML

1. Bob signs in to the Rublon SSO Portal by providing their login and password (1)

2. Rublon Access Gateway checks the login and password against the Identity Provider (2)

3. If the password is correct, Rublon Access Gateway contacts the Rublon API (3) and asks the Rublon API to send a Mobile Push authentication request to Bob’s phone (4)

4. If Bob accepts the push, Bob gets access to the SSO Portal

5. Bob can now sign in to any of the cloud apps without having to enter their password again

6. Let’s say Bob wants to sign in to Cloud App 1

7. Rublon Access Gateway contacts the Rublon API (3) and asks the Rublon API to again send a Mobile Push authentication request to Bob’s phone (4)

8. If Bob accepts the push, Bob gets access to Cloud App 1 (5)

9. If Bob wants to access Cloud App 2 or Cloud App 3 now, they can do that without re-entering their password. However, they have to accept the Mobile Push each time (3), (4), (5)

Security and User Experience Considerations

Rublon requires Bob to accept the Mobile Push sign-in request (or undergo any other authentication method) each time Bob selects the cloud app in the SSO Portal. Rublon adds this security measure to the SSO process to secure your user’s SAML session.

Administrators can create a custom policy in the Rublon Admin Console that allows users to bypass Multi-Factor Authentication (MFA) on the current device for some time. Suppose the administrator of Bob’s organization allows setting Remembered Device for, say, one hour. In that case, Bob can check the Remember this device checkbox while signing in to the Rublon SSO Portal. Then, for one hour, Bob will not have to accept the Mobile Push request to access the cloud apps integrated with Rublon. Even though remembering the device is more comfortable for the user, it is less secure. One hour is a short time, making the trade-off between security and comfort acceptable. Naturally, you can set the time to be more than one hour. However, we do not recommend that administrators allow users to remember their devices for more than two weeks.

How Can I Enable MFA on My Cloud Apps Using SAML?

Here’s a step-by-step guide on how to enable Rublon MFA on one or more of your cloud apps:

  1. Deploy and configure the Rublon Access Gateway.
  2. Configure the Rublon SSO Portal.
  3. Find the integration instructions for your cloud app in our documentation.
  4. Follow the instructions and integrate the cloud app with the Rublon Access Gateway.
  5. Repeat steps 2 and 3 for any number of cloud apps you want.
  6. Sign in to the Rublon SSO Portal and access any of the integrated cloud applications without having to provide your password again.

You can also define Custom Policies in the Rublon Admin Console and assign them to one or more cloud apps. Access Policies allow you to let users remember their devices, add Authorized Networks, decide which authentication methods to enable, and more.

Related Posts