Notably, SAML enables identity providers to pass authorization and authentication credentials to web applications or service providers. It gives the authentication or authorization information between different parties in a predetermined format. Consequently, it makes single sign-on or SSO technology a breeze with a user providing the authentication once and then communicating the authentication to several applications, services, or websites.
The most current SAML version is SAML 2.0, approved by the OASIS Consortium in 2005. It is very different from version 1.1, which was its predecessor. Its adoption allows IT shops and professionals to use the software as a service or SaaS solutions without compromising federated identity management systems.
This article is your introductory tutorial to SAML. It discusses SAML SSO, how SAML works, the components of SAML protocol, the advantages of using SAML, and the SAML assertion.
An Introduction to How SAML Works
SAML is a universally accepted open standard used for authentication and authorization. It remarkably simplifies authentication, particularly in cases where a user needs to use or access several independent web services or applications across domains.
It relies on the Extensible Markup Language (XML) format to transfer authentication information between an identity provider (IdP) and a service provider (SP). And as it is always the norm in any typical authentication process, SAML has three components.
The three components include:
- A user/subject/ principal. This is usually a human user trying to access a service or a cloud-hosted application, such as a website.
- Identity provider (IdP). This cloud software stores and validates user identity or credentials via a login process. The work or an IdP is to validate that they know the person and the person has the authorization to do what they are attempting to do.
- Service provider (SP). This subject intends to access and use a cloud-based application or service. Notable service providers in SAML include cloud storage services, communication apps, and cloud email platforms.
Whenever a user requests to access a service provider, the service provider will request authentication from the SAML identity provider. The IdP will, in turn, check the user credentials and send the SAML assertion to the SP that made the request. Finally, the SP will send a response to the user.
The SAML framework works by exchanging user information like identifiers, logins, and authentication states between the IdP and an SP.
While single sign-on was possible even before SAML with the help of cookies, it was impossible to achieve that across domains. SAML makes single sign-on possible across domains. With SAML, users do not need to memorize or save passwords.
What Are SAML Assertions?
The SAML assertion is the message informing the service provider that a user is authorized to sign in to the application or service. These assertions contain details necessary to report the user’s identity to the SP. It will detail the time of assertion issuance, source of the assertion, and other relevant validity details.
The three primary types of assertions include:
- Authentication assertions. This category proves the identification of users. It provides an array of login information, including time logged in and the login mechanism used.
- Attribution assertions. These assertions pass SAML attributes to SPs. Attributes are specific data with the information about the user.
- Authorization decision assertions. This category communicates whether the user has the authorization to use the application or not. The information can either approve or deny logging in the user.
Benefits of SAML
Of course, SAML is popular based on its several benefits. The following are some of its main merits:
- Improved Security
SAML remarkably improves security as a single-authentication point for all programs. SAML uses secure identity providers to improve safety. The authentication mechanism only ensures that user credentials go directly to the IdP.
- Amazing User Experience
The fact that users can only sign in once to access several service providers is an incredible feat. It enables a faster and stress-free authentication process since the user neither has to remember nor key in credentials for each application they intend to use.
- Low Maintenance Costs
Again, service providers will benefit from low maintenance costs. The identity provider bears the cost of maintaining account information across all the applications and services.
- Loose Directory Coupling
The SAML framework does not require the demanding maintenance of user information. Moreover, it does not require synchronization between directories.
This article discussed a brief introduction to SAML. We have tackled how the technology works, its benefits, and the various types of assertions. Hopefully, you now know what SASL does and whether it is a good tool for your organization or not.