Last updated on January 7, 2026
MFA for SAML is a secure type of authentication that enables Multi-Factor Authentication for your users in a Single Sign-On (SSO) infrastructure. It is important to note that MFA for SAML does not add MFA to SAML itself because SAML is not an authentication protocol. Instead, SAML MFA adds MFA for Active Directory, LDAP, or RADIUS users and strengthens these users’ SSO logins with secondary authentication such as Mobile Push or FIDO.
What is SAML?
Security Assertion Markup Language (SAML) is an open, XML-based standard that allows the exchange of authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). The Identity Provider is a SAML authority that performs authentication and passes the user’s identity and authorization level to the Service Provider. The Service Provider must trust the Identity Provider, because it relies on the Identity Provider’s assertion when it authorizes the user to access a resource.
MFA for SAML and Single Sign-On (SSO)
You can use SAML to enable Single Sign-On (SSO) for cloud applications. In short, SSO requires you to enter your login and password only once and then lets you access any cloud application you want without re-entering your login credentials. Single Sign-On delivers a streamlined user experience because users do not waste time entering their passwords multiple times a day. Also, SSO allows for centralized identity and access management (IAM) for cloud apps because users can use the same set of credentials for all applications. Administrators save time because they do not have to configure security policies for every cloud app separately. All in all, Single Sign-On makes everybody’s life easier.
How to Make Single Sign-On (SSO) More Secure?
You can add Multi-Factor Authentication (MFA) to your Single Sign-On (SSO) logins to improve the security of your user logins. An extra layer of protection in the form of a Mobile Push notification or a Mobile Passcode based on the TOTP algorithm can drastically reduce the likelihood of a successful cyberattack.
In standard SSO, users provide their password once and never enter the password again, as long as their SAML session is still active.
With MFA on, the user provides their password and accepts the Mobile Push authentication request to get access. After that, they do not have to provide their password again. However, every time they log in to another cloud app, they have to accept the Mobile Push request again. Mobile Push is a comfortable and fast one-tap authentication method. Your users will hardly see the difference, but they will be much more secure.
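The trust between Service Provider and Identity Provider described under "What is SAML?" is only as good as the checks the Service Provider applies to each assertion, and with MFA on SSO the Service Provider can additionally confirm that the assertion attests a second factor. The following Python script is an added example (not code from this page or from Rublon) that runs those checks over a constructed SAML Response: status, trusted Issuer, NotBefore/NotOnOrAfter window, AudienceRestriction, and the AuthnContextClassRef. The IdP and SP entity IDs, the user, and the timestamps are constructed sample values; the assumption that the IdP emits one of the OASIS two-factor AuthnContext classes after MFA must be checked against your own IdP. Signature verification of the Response is assumed to have been done already by the SAML library in front of this code; nothing here is trustworthy without it.

```python
"""Checks a Service Provider should apply to a SAML Response before granting SSO access.
Added example; assumes the XML signature was verified before this code runs."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Authentication context classes taken to mean "a second factor was used".
# Assumption: your IdP emits one of these after MFA; confirm in its documentation.
MFA_CONTEXT_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
}

# Constructed sample values (not real systems).
TRUSTED_IDP = "https://idp.example.test/saml"
SP_ENTITY_ID = "https://app.example.test/sp"
NOW = datetime(2026, 1, 7, 10, 1, tzinfo=timezone.utc)

# Constructed SAML Response as an IdP would return it after a push-approved login.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2026-01-07T10:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2026-01-07T10:00:00Z">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2026-01-07T09:59:00Z" NotOnOrAfter="2026-01-07T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.example.test/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2026-01-07T10:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def _utc(ts: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2026-01-07T10:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def validate_response(xml_text: str, trusted_idp: str, sp_entity_id: str, now: datetime):
    """Return (True, subject) when every check passes, otherwise (False, reason)."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "status not Success"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != trusted_idp:
        return False, f"untrusted issuer {issuer!r}"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _utc(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now >= _utc(not_on_or_after):  # NotOnOrAfter is exclusive
        return False, "assertion expired"
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "audience mismatch"
    ctx = assertion.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", default="", namespaces=NS
    ).strip()
    if ctx not in MFA_CONTEXT_CLASSES:
        return False, f"MFA not attested ({ctx or 'no AuthnContextClassRef'})"
    subject = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    return True, subject


def run_scenarios():
    """Run the validator over the good response and over four constructed failure cases."""
    password_only = SAMPLE_RESPONSE.replace("MobileTwoFactorContract", "PasswordProtectedTransport")
    return {
        "mfa_ok": validate_response(SAMPLE_RESPONSE, TRUSTED_IDP, SP_ENTITY_ID, NOW),
        "password_only": validate_response(password_only, TRUSTED_IDP, SP_ENTITY_ID, NOW),
        "expired": validate_response(SAMPLE_RESPONSE, TRUSTED_IDP, SP_ENTITY_ID, NOW + timedelta(minutes=5)),
        "wrong_audience": validate_response(SAMPLE_RESPONSE, TRUSTED_IDP, "https://other.example.test/sp", NOW),
        "untrusted_issuer": validate_response(SAMPLE_RESPONSE, "https://rogue.example.test/saml", SP_ENTITY_ID, NOW),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:17s} -> {result}")
```

The "password_only" case is the one that matters for this page: a response that is otherwise perfectly valid but whose AuthnContextClassRef only attests a password is rejected, so an SSO session that skipped the second factor cannot reach the application.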
How Does SAML MFA Work With SSO?
To enable MFA on your cloud apps, you need to deploy the Rublon Access Gateway as an IIS server. Users sign in to the Rublon SSO Portal and then select the cloud app from the gallery of available applications. The SSO Portal is a part of the Rublon Access Gateway and needs additional (albeit short and easy) configuration.
With Rublon MFA enabled, the Rublon Access Gateway uses the SAML protocol only to communicate with Service Providers (cloud applications).
Rublon Access Gateway does not use SAML to communicate with Identity Providers (user databases). To communicate with an Identity Provider, Rublon Access Gateway uses either the RADIUS protocol (if you store your users in, e.g., FreeRADIUS) or the LDAP protocol (if you store your users in, e.g., Active Directory).