SAML (Security Assertion Markup Language)

An open standard for exchanging authentication and authorization data between parties, particularly between an identity provider and a service provider.

Definition: SAML is an open standard for exchanging authentication and authorization data between parties, specifically between an identity provider (IdP) and a service provider (SP). It allows users to access multiple applications with a single set of login credentials.

Key Components of SAML

  1. Identity Provider (IdP): The entity that authenticates the user and provides the SAML assertion to the service provider. Examples include Okta, ADFS, and Google Identity.
  2. Service Provider (SP): The entity that receives the SAML assertion and grants the user access to the requested service or application. Examples include Salesforce, AWS, and Google Apps.
  3. SAML Assertion: An XML document issued by the IdP containing the user’s authentication status and attributes. There are three types of assertions:
    • Authentication Assertion: Confirms the user’s identity and the method of authentication.
    • Attribute Assertion: Contains specific information about the user, such as their role or permissions.
    • Authorization Decision Assertion: States if the user is authorized to use a specific resource or service.

SAML Workflow

  1. User Requests Access: The user attempts to access a service provider (SP).
  2. SP Redirects to IdP: The SP redirects the user’s browser to the IdP with a SAML authentication request.
  3. User Authenticates with IdP: The IdP authenticates the user, typically via login credentials.
  4. IdP Issues SAML Assertion: Upon successful authentication, the IdP generates a SAML assertion containing the user’s authentication and attribute information.
  5. SP Validates SAML Assertion: The SP receives the SAML assertion, validates it, and grants the user access to the requested resource.

Benefits of SAML

  • Single Sign-On (SSO): Users can authenticate once and gain access to multiple applications, reducing the need for multiple logins.
  • Improved Security: Credentials are handled by the IdP, minimizing the exposure of passwords and reducing the risk of phishing.
  • Simplified User Management: Centralized authentication and authorization simplify user management and provisioning.
  • Interoperability: SAML is an open standard, ensuring compatibility across various platforms and systems.

SAML vs. OAuth and OpenID Connect

  • SAML: Primarily used for SSO in web applications, exchanging authentication and authorization data between IdPs and SPs.
  • OAuth: A protocol for authorization, allowing third-party applications to access user resources without exposing credentials.
  • OpenID Connect: An authentication layer built on OAuth 2.0, providing a simpler mechanism for user authentication and SSO.

Example Use Case

A user needs to access a cloud-based CRM system (SP) using their corporate credentials (IdP). With SAML, the user logs in once through the IdP, and the CRM system automatically grants access without requiring a separate login.

  1. User attempts to access the CRM system.
  2. CRM system redirects to the corporate IdP for authentication.
  3. User enters credentials on the IdP login page.
  4. IdP authenticates the user and generates a SAML assertion.
  5. IdP sends the SAML assertion to the CRM system.
  6. CRM system validates the assertion and grants access to the user.

Summary

SAML facilitates secure, seamless authentication and authorization across different services by allowing users to access multiple applications with a single set of credentials. This improves security, simplifies user management, and enhances the user experience.