In the security world, SAML has long played an important role in how security credentials are handled. However, all the acronyms and jargon of security and information technology can often confuse newcomers and non-techies. So, what is SAML? How does it work? Read on to find out.
What SAML Is
Short for Security Assertion Markup Language, SAML is an open standard that is used by security systems to pass authorization credentials from an identity provider to a service provider. In other words, you can use SAML to allow users to log into multiple sites, apps or services using a single set of credentials. For many organizations, SAML works as the technical core of single sign-on (SSO).
SAML simplifies the process of federating identities and makes authentication easier (and often more secure). Since it is an open standard, it is usually easier to work with compared to a proprietary alternative.
By using SAML, organizations can eliminate the need to have numerous login credentials for different services. Furthermore, the login process can be made more secure because there is only one point that needs to be hardened. It is often harder for a malicious attacker to gain access to any service because no individual service is managing its own authentication process.
There are two important providers in the SAML system: the identity provider and the service provider. In most cases, there are multiple service providers and one identity provider. These providers may be different services provided by the same organization (especially if SAML is being used for an internal SSO system).
You can think of the identity provider as being the user database and the service provider as being the functionality that the user wants to use. The user is authenticated with the identity provider. The identity provider (IP) then tells the service provider (SP) that the user has been authenticated and has certain access rights.
A SAML assertion is data that is sent by the identity provider to the service provider. It is formatted as an XML document and contains all the relevant user authorization data.
There are three assertion types. Authentication assertions indicate that the user has proven his or her identity. Attribute assertions send the user’s attributes from the identity provider. Finally, authorization decision assertions indicate that the user was rejected due to an incorrect password, lack of rights or another authentication issue.
How SAML Works
An authentication system based on SAML is simple. The user logs in once. This may be at a designated single sign-on point or may be a login page for one of the services. However, in either case, the user’s credentials are sent to and authenticated by the identity provider.
Then, whenever the user wants to use a service provider, the SP asks the IP whether the user is authenticated or not. The IP responds accordingly. Every provider in the system is using SAML, making it easy for them to communicate with each other.
For SAML to work, both providers need to have an agreed-upon configuration. In other words, while they will always be speaking the same language due to using SAML, they also need to speak the same dialect (configured to work together) in order to work correctly.
SAML and OAuth
OAuth is another system based on similar principles to SAML. Typically, service providers that are providing functionality to general consumers are more likely to use OAuth because it was developed by Google and Twitter (Facebook also offers it), meaning that existing login credentials can be used easily. However, SAML offers greater control for enterprises that want to create secure SSO logins.
Discover more about how you can use SAML in your organization. It can be a very powerful tool for managing security and authentication requirements. It is most effective when you have the backing of an experienced identity solutions provider.