Hitachi ID Password Manager includes a Security Assertions Markup Language (SAML) identity provider (IdP) . This allows users to sign into a variety of federation-capable apps using a Password Manager login process, rather than using app-specific credentials.

The sequence for this externalized authentication will be as follows:

  1. A user accesses application at URL A.
  2. URL A (the service provider (SP) ) redirects the user to Password Manager at URL B.
  3. The user enters their login ID into Password Manager.
  4. Password Manager prompts for appropriate credentials. Different users may be asked for different sequences of credentials, based on their group memberships and/or identity attributes.
  5. Password Manager generates a SAML 2.0 assertion, indicating who the user is and what they are allowed to access.
  6. The user is redirected back to URL A, with the signed assertion.

This mechanism takes full advantage of the Password Manager policy framework:

  1. How users are authenticated is controlled using authentication chains, which support contextual selection of a suitable login process and multi-step logins, for example combining CAPTCHA, sending the user a PIN and asking for a password.
  2. Password Manager can evaluate user membership in user classes and inject assertions about what the user should have access to in SAML assertion it sends to service providers. This adds role-based access control to applications that support receiving authorization information in SAML assertions.

The following figure illustrates this sequence:

SAML 2.0 browser redirect sequence

Federated Launchpad


  • A user signs into Password Manager and launches login sessions to other applications.

Key concepts:

  • Single sign-on to SaaS applications and other apps that support SAML.
  • Applications need not maintain their own login pages or passwords.
  • Password Manager includes a 2FA mobile app so can add strong authentication to integrated applications.
  • Users can sign in once (into Password Manager) and launch multiple login sessions (into integrated applications).
  • A SAML 2.0 IdP and an application launchpad (for SSO) are included in the base Password Manager product -- no extra fees.