SAML 2.0 authentication
Connect a SAML Identity Provider and protect an existing application without adding SAML support to that application.
Put a SAML Service Provider in front of applications that do not support SAML themselves.
PassBeyond is a SAML Service Provider and authentication reverse proxy. It sits between a public reverse proxy and a backend application. Users authenticate at your Identity Provider (IdP); PassBeyond then validates a signed session cookie and forwards authenticated requests to the application.
The backend receives the authenticated user in headers such as X-Passbeyond-User and mapped attributes in X-Passbeyond-Data-*. It does not need to implement the SAML protocol itself.
Browser → TLS reverse proxy → PassBeyond → Backend application
↕
SAML Identity ProviderAuthorization remains an application concern
PassBeyond authenticates users and supplies identity data. The backend application must still decide which resources each authenticated user is allowed to access.
Follow Getting started to install PassBeyond, register its SAML endpoints, protect a first application, and verify the result. Container users can start with Container deployment.
Before a production rollout, select a supported reverse proxy configuration and application integration, then read the security model, known limitations, and operations runbooks.