Elastic SSO Cloud Proxy FAQs
FREQUENTLY ASKED QUESTIONS
What is the ElasticSSO Cloud Proxy Service (ESSOCP)?
ElasticSSO Cloud Proxy Service (ESSOCP) is a managed, AWS-Cloud-hosted SAML proxy service. The service is managed by the world-class AWS-Cloud and SSO experts at 9STAR. The service is hosted in any AWS region worldwide based on the customer’s use case and choice. The ESSOCP service acts as a SAML (SSL/HTTPS) proxy between the SAML Identity Provider (IdP) servers and the SAML Service Provider (SP) SaaS servers.
As a SaaS vendor, you can leverage the power of the ESSOCP service by off-loading all ongoing SAML-related setup and management complexities to the ESSOCP service, which is fully managed by 9STAR. This way, all SAML IdP client integrations can be off-loaded to the ESSOCP service without impacting the SaaS vendor’s IT operations.
We are a SaaS vendor and already have SAML SP enabled in our SaaS environment for SSO authentication. Can I still use the ESSOCP service offering from 9STAR?
Yes. In fact, a number of our SaaS customers have the same use-case. We set up a personalized (with your own domain name) ESSOCP service cloud instance and migrate your existing SAML SP configurations to the ESSOCP service. Your existing SAML SP instance will still remain in place. Your existing SAML SP is integrated one time (at the outset) with the ESSOCP service (which acts as an IdP for your SP).
Each of your SAML IdP-clients simply makes a one-time change to their IdP configuration and points their IdP to the ESSOCP instance instead (which acts as an SP to them) – our expert SAML team takes care of all coordination with your IT team as well as your clients’ SAML-IdP teams. While these one-time changes are taking place, there is no disruption to your end-users, as they will continue to use your existing SaaS App as before. Once the SAML changes are implemented, end-users will not see any difference in their UX; they will simply continue to visit and use your SaaS service as they had in the past. The changes to SAML metadata happen in the background – the new SAML metadata will simply replace the old SAML metadata.
All future new/additional SAML IdP-clients are integrated only with the ESSOCP service, and not with the SaaS App environment. The SaaS App however still gets full access to all user authentication and attribute information over SSL/HTTPS.
We are a SaaS vendor and need to support SSO authentication in our SaaS environment. Can I use the ESSOCP service offering from 9STAR?
Yes. This service is perfect for any SaaS vendor who wants to offload day-to-day management of SAML complexities without sacrificing any user authentication information.
We set up a personalized (with your own domain name) ESSOCP service instance for you, which then acts as a SAML IdP for your SaaS App environment and as a SAML SP for your client’s SAML IdP. You will need to set up a SAML SP instance (Shibboleth open source is a good candidate for this, and there is no license fee) in your SaaS App environment.
Any new SAML IdP-clients are simply integrated with the ESSOCP service, and not with your SaaS App environment. The SaaS App however still gets full access to all user authentication and attribute information over SSL/HTTPS. This minimizes any SAML-related IT disruption for your team.
Does the ESSOCP Service store any end-user data or PII?
No. It is a secure pass-through service. The ESSOCP Service is an SSL/HTTPS based secure SAML proxy service and does not cache or store any end-user data. It does not have any access to end-user data or PII. It only needs SAML IDP metadata (which is public information) of your client’s SAML IDP endpoint to function.
Does ESSOCP Service provide any Admin Level Access to Customers (SaaS vendor)?
No. Each ESSOCP AWS-Cloud-hosted instance is a highly secure and protected environment that is customized to each customer’s SAML proxy needs. We follow all industry best practices and systems (such as firewalls, IP filters, load balancers, intrusion systems, …) for securing the ESSOCP cloud environment. Therefore, each such cloud environment is only accessible to 9STAR’s technical experts. As a Customer, you are welcome to request any changes to your ESSOCP environment by simply contacting your assigned technical lead at 9STAR.
How long does it take to provision an ESSOCP instance for use?
We can set up a new ESSOCP Service that includes a Development as well as a Production cloud instance within one business day. You may, however, want to allocate additional time for customizing the instance based on your requirements and use-case. If needed, your assigned technical lead at 9STAR will be able to provide you with the necessary additional guidance in this matter.
Is the ESSOCP Service SLA-driven?
Yes. At 9STAR, we pride ourselves on providing quality enterprise-grade services that combine People, Systems and Processes. The ESSOCP service is 24x7 SLA-driven and you are welcome to review the SLA anytime at
Do our SAML IDP customers need a contract with 9STAR for the use of the ESSOCP Service?
No. Once we have a contract with you, and your ESSOCP Service is fully-configured, and up-and-running, then you can on-board all of your clients with their SAML-IdP, anytime. Your customers are not required to sign any contracts with us or pay us any fee.
How much does it cost to use the ESSOCP Service?
We provide a customized cloud service based on your use-case and requirements. So please contact your account executive directly or contact firstname.lastname@example.org for pricing information.
We are all set up with the ESSOCP Service. How do we proceed to onboard new customers for SAML SSO based access to our SaaS site?
We have made the process quite simple. Once you have a new SAML IdP customer, feel free to refer them to your assigned technical lead at 9STAR. The 9STAR technical lead will then follow up via email with all the SAML technical details for configuring your client’s SAML IdP. During this process, your team will always be kept in the loop and in sync. Once your client confirms the configurations at their endpoint, your SaaS team will then be able to test and access all user attributes and authentication information. Your IT team will not need to do any SAML configurations in your SaaS environment.