TT Access

SAML Support on TT

Trading Technologies offers a SAML 2.0-based method of single sign-on (SSO) for the TT® platform. SAML 2.0 is an open standard for passing user login data and attributes between an identity provider (IdP) and a service provider (SP).

In the following diagram, TT plays the role of the SP and is the resource being accessed. The IdP is the customer's system, which checks passwords and performs the login steps for the customer's users.

The diagram shows the process for SP-initiated SSO login (used in mobile and some web cases):

  1. TT and the IdP exchange metadata, which consists primarily of URLs and X.509 certificates used to sign the assertions that make SSO possible. Once TT and the IdP are registered with each other, a user from the IdP accesses a TT resource (e.g., the Trade application or TT Mobile).

  2. TT identifies the user and sends a SAML request to the IdP.

    Users of an IdP are identified either by a parameter in the URL of the TT resource or by a single email domain registered for that IdP. For example, if users with "name@abc.com" addresses need access to trading resources, TT registers "abc.com" as the domain for that IdP. Users who attempt to log in to TT with an "abc.com" address are then redirected to the "abc" IdP.

    If there’s no standard domain for users, TT allows setting an IdP identifier in the URL to TT resources that will automatically redirect the user to the IdP for login.

  3. Upon successful login, the IdP replies with a SAML response. Both the request and the response are signed with the exchanged certificates. TT never sees an IdP user's password.

    TT requires that the incoming SAML responses have four attributes attached: firstname, lastname, email and NameID (a standard SAML string uniquely representing the user to the IdP).

  4. TT verifies the response and redirects the user to the requested resource (e.g., Trade application).
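To make the requirements of step 3 concrete, here is an added Python example (not TT's code) that parses a constructed SAML 2.0 response, extracts the four attributes TT requires (firstname, lastname, email and NameID) and checks that the email belongs to the domain registered for the IdP. The IdP issuer URL and the user values are placeholders, and signature verification is left to a real XML-DSig library.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REQUIRED_ATTRIBUTES = ("firstname", "lastname", "email")

# Constructed sample response (not a real IdP message); the issuer URL is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.abc.example/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>user-12345</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>ada@abc.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_user(response_xml, registered_domain):
    """Return (user, problems): the four TT attributes and any checks that failed.
    Signature verification is out of scope: a real SP verifies the XML-DSig against
    the IdP metadata certificate (with a hardened XML parser) before trusting this."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {}, ["response carries no Assertion"]
    user, problems = {}, []
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and (name_id.text or "").strip():
        user["NameID"] = name_id.text.strip()
    else:
        problems.append("missing NameID")
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and (value.text or "").strip():
            user[attr.get("Name")] = value.text.strip()
    for name in REQUIRED_ATTRIBUTES:
        if name not in user:
            problems.append(f"missing attribute {name}")
    # Domain routing check: a user sent to the "abc" IdP must carry an abc.com address.
    domain = user.get("email", "").rpartition("@")[2].lower()
    if "email" in user and domain != registered_domain.lower():
        problems.append(f"email domain {domain!r} is not the registered {registered_domain!r}")
    return user, problems
```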