As IT continues to shift to the cloud and Software as a Service (SaaS) applications, SAML is becoming a hot topic.
Let’s explore SAML, how it works, its history and benefits, and how you can use it.
What is SAML (Security Assertion Markup Language)?
It is an open standard that allows users to access numerous web applications or web services using the same login credentials through identity federation.
It depends on two parties: an Identity Provider (IdP) and a Service Provider (SP). The IdP provides authentication information about the user to the SP. The SP uses this information to provide authorization to the user.
The authentication-authorization pairing allows the user to access the services of the SP.
The primary use case for SAML is to facilitate single sign-on (SSO). Without SAML, users would need a unique username and password for each web application or web service they use.
As organizations continue to adopt an increasing number of SaaS applications, it’s clear that employees would struggle to manage individual credentials for each service securely.
SAML enables web browser single sign-on by allowing users to log into applications/services with a single set of credentials. This centralization not only provides convenience to employees but also improves organizational security, among other benefits.
How and Why Is SAML Used?
SAML uses XML (Extensible Markup Language) to communicate between the identity provider and the service provider.
This takes the form of a SAML assertion, a type of XML document that an identity provider sends to a service provider to authorize a user.
There are three types of SAML assertions:
- Authentication assertions: Prove a user’s identity and provide the time they logged in, as well as the authentication method they used (for example, Kerberos or multi-factor authentication).
- Attribute assertions: Pass SAML attributes, the data that provides information about the user (such as email address or group membership), to the service provider.
- Authorization decision assertions: Confirm whether, and to what extent, a user is authorized to use a service, or whether the identity provider rejected their request because of a password failure or a lack of access rights.
In short, SAML works by passing information about users, their logins, and their attributes between an identity provider and a service provider.
When a user signs in using SSO, for example, the IdP will pass the SAML attributes to the SP, ensuring that the user only needs to sign in once.
SAML completely changes the way users sign in to services or websites, and aims to simplify federated authentication and authorization processes for all parties: identity providers, service providers, and end users.
Instead of requiring credentials such as a username and password for each login attempt, SAML can help verify that a user is who they say they are and confirm permission levels to grant or deny access.
In addition, SAML allows identity and service providers to exist separately, helping organizations centralize user management and provide access to various software solutions.
SAML is most often used to enable single sign-on (SSO), in which an identity provider authenticates users on behalf of a service provider.
Organizations deploying SAML-configured apps, for example, can allow their employees to use just one set of credentials to log in to a single dashboard that gives them direct access to all their productivity and communication tools.
SAML Benefits and Alternatives
SAML offers many benefits to both users and businesses, not the least of which is reducing the friction of using multiple web applications. Other advantages include:
- Improved user experiences. SAML not only makes it easier to sign in to applications and services, but it also helps users to be more productive because they have easy access to the tools they need to do their jobs.
- Fewer lost credentials. Having to juggle multiple logins often causes people to forget their passwords or, worse yet, write them down, increasing the risk of those credentials being stolen. With SAML, users only need to know a single username and password combination.
- Greater security. SAML provides a single point of authentication at a secure identity provider, which then passes the user’s identity information to service providers. Credentials are sent only to the identity provider, never to each service provider, which reduces the opportunities for phishing or identity theft.
- Reduced costs. Implementing SAML saves a significant amount of administration time by helping to eliminate password-reset tickets. It also helps keep development costs (often associated with proprietary authentication methods) to a minimum.
- Simplified user management. With employees using multiple applications, it can become a nightmare for IT departments to manage access rights as roles change or when employees leave the company. SAML simplifies this because every user identity is managed in a single directory.
While SAML offers some benefits in terms of identity federation, there are alternative standards available that help businesses and services securely manage and approve user identities.
- OpenID is an open-source identity standard that allows users to access various websites and applications without sharing additional login information. If you’ve ever logged into a website with your Google, YouTube, or Facebook credentials, you’ve experienced OpenID.
- OAuth is a standard that was co-developed by Google and Twitter to enable streamlined logins between websites. It’s similar to SAML in the way it shares information between applications (Facebook and Google are two OAuth providers you’ve probably used before). However, it differs in its use of JSON tokens to authenticate users, and as a result is more appropriate for mobile devices.
- Web Services Federation is used to federate authentication from service providers to identity providers. It is generally easier for developers to implement and is supported by popular identity providers such as AD, but not so much by cloud providers.