SAML — Security Assertion Markup Language
An open standard that allows identity providers (IdP) to pass authentication and authorization data to service providers (SP) in XML format
TABLE OF CONTENTS
- What is Single Sign-on (SSO)
- What is SAML
- Basics Of SAML
- SAML Single Sign-on (SSO)
- How SAML Authentication Works | SAML SSO Flow
- Benefits of SAML SSO
- About miniOrange
What is Single Sign-On (SSO)?
Single Sign-On (SSO) is an authentication process that enables users to securely authenticate with multiple applications and websites by using just one set of credentials.
Single sign-on (SSO) in the enterprise refers to the ability for employees to log in just one time with one set of credentials to get access to all corporate apps, websites, and data for which they have permission. Implemented successfully, SSO is often a great boost for productivity, monitoring, management, and security control, and it reduces the risk of lost, weak, or forgotten passwords.
What is SAML?
SAML (Security Assertion Markup Language) is an XML standard that allows secure web domains to exchange user authentication and authorization data. It underpins an authentication process in which a user is given access to multiple applications and/or websites using only a single set of login credentials.
A SAML service provider (SP) can contact a separate identity provider (IdP) to authenticate users who are trying to access secure content. The SAML authentication protocol is popular for browser-based enterprise applications. It uses the XML data format to transfer messages between applications. This XML document is digitally signed and/or encrypted by the identity provider (IdP) and shared with the service provider (SP) during the user authentication process.
Basics Of SAML:
- SAML Service Provider (SP): A SAML service provider (SP) is a system entity that receives and accepts authentication assertions in conjunction with a Single Sign-On (SSO) profile of SAML.
- SAML Identity Provider (IdP): A SAML identity provider (IdP) is a system entity that issues authentication assertions in conjunction with a Single Sign-On (SSO) profile of SAML. An identity provider (IdP) stores and confirms user identity, typically through a login process: it verifies the identity of a user attempting to gain access to a network or computing resource by checking the credentials the user presents over the network. The identity provider (IdP) performs the authentication and sends that data to the service provider (SP) along with the user's access rights for the service.
- SAML Request: A SAML Request, also referred to as an authentication request, is generated by the Service Provider (SP) to “request” an authentication.
- SAML Response: A SAML Response is generated by the Identity Provider (IdP). It contains the actual SAML assertion for the authenticated user (a SAML assertion is the message that tells an SP that a user is signed in; it contains all the information necessary for a service provider (SP) to confirm the user's identity). In addition, a SAML Response may contain further information, such as user profile information, group/role information, etc.
SAML Single Sign-On (SSO)
SAML Single Sign-On (SSO) is an authentication process in which a user is provided access to multiple applications and/or websites by using only a single set of login credentials (such as a username and password). This removes the need for the user to log in separately to each application.
The user credentials and other identity information are stored and managed by a centralized system called the Identity Provider (IdP). The identity provider (IdP) is a trusted system which provides access to other websites and applications.
How SAML Authentication Works | SAML SSO Flow
SAML single sign-on authentication typically involves a service provider (SP) and an identity provider (IdP). The process flow usually involves the trust establishment and authentication flow stages. SAML uses secure tokens which are digitally signed and encrypted messages with authentication and authorization data. This is done through an exchange of digitally signed XML documents.
Consider the following scenario: A user is logged into a system that acts as an identity provider (IdP). The user wants to log in to a remote application, such as a support or accounting application (the service provider). The following happens:
1. The user requests a resource from their desired application/website (Service Provider)
2. To authenticate the user, Service Provider (SP) constructs a SAML Authentication Request, signs and optionally encrypts it, and sends it directly to the identity provider (IdP).
3. The identity provider (IdP) verifies the SAML request to check the signature and the issuer.
4. Identity provider (IdP) then authenticates the user.
5. The Identity Provider (IdP) sends the SAML response in XML format (signed or encrypted) to the service provider (SP), which contains the user authorization.
6. Service Provider (SP) authenticates the user and responds to the user with requested resources.
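The SP side of the flow above, as an added example that is not miniOrange's code: build_authn_request builds the step 2 request, and validate_response applies the checks an SP makes in step 6 (status, InResponseTo, issuer, validity window, audience) to a constructed Response. The entity IDs and URLs are assumed placeholders, and XML signature verification is assumed to be done separately with an XML-DSig library before these checks run.

```python
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.com/metadata"    # assumed placeholder
IDP_ENTITY_ID = "https://idp.example.com/metadata"  # assumed placeholder
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def build_authn_request(acs_url):
    """Step 2: the SP builds an AuthnRequest; returns (request ID, XML)."""
    req_id = "_" + uuid.uuid4().hex
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
           f' ID="{req_id}" Version="2.0" IssueInstant="{now}"'
           f' AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return req_id, xml

def sample_response(request_id, name_id, not_before, not_on_or_after):
    """Constructed stand-in for the IdP's Response (step 5); real ones are signed."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
            f' ID="_r1" Version="2.0" InResponseTo="{request_id}">'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
            f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')

def _ts(s):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml, expected_request_id, now):
    """Step 6: SP-side checks (signature assumed already verified); returns the NameID."""
    root = ET.fromstring(xml)
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    if root.get("InResponseTo") != expected_request_id:  # ties the Response to our request
        raise ValueError("InResponseTo does not match an outstanding request")
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("missing assertion or unexpected issuer")
    cond = a.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= _ts(now) < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion not addressed to this SP")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

A real SP would also reject a replayed assertion ID and require the request ID to be one it actually issued and has not yet consumed.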
Benefits of SAML SSO:
- SAML Single Sign-On (SSO): SAML provides fast and efficient access to multiple applications through assertions, which connect a SAML-supporting Service Provider (SP) to the Identity Provider (IdP). SAML provides a better user experience through the assertion exchanged between the Service Provider (SP) and the Identity Provider (IdP).
- Increased Security: SAML authentication eliminates passwords at the service provider and provides authentication through digital signatures. SAML also uses Public Key Infrastructure (PKI) to protect identities from attacks. SAML provides a single point of authentication, which happens at a secure identity provider (IdP). SAML uses secure tokens, which are digitally signed and encrypted messages carrying authentication and authorization data. This form of authentication ensures that credentials are only ever sent directly to the identity provider (IdP).
- Reduced password recovery time: SAML SSO eliminates password issues such as resets and recovery, which reduces the time spent recovering old passwords.
- Reduced costs for the service provider: With SAML you don't have to maintain an account for each of multiple services. The identity provider (IdP) carries that burden.
- Improved user experience: Without any further authentication, a user can access multiple service providers after signing in just once, which allows a faster and better experience at each service provider.
- Standardization: SAML interoperates with any system independent of implementation because of its standardized format.
- Loose coupling of directories: SAML does not require maintaining and synchronizing user information between directories.
miniOrange provides complete solutions for performing SAML Single Sign-On (SSO) with various applications. If your users are in a SAML IdP and you are wondering whether you can perform SSO, miniOrange could be your one-stop destination!
miniOrange SSO provides Single Sign-On to any type of device or application, whether they are in the cloud or on-premise. The company aims to give organizations the ability to securely manage access to all of their web-based applications in one place.
miniOrange simplifies identity management through secure, one-click access for employees, customers and partners, across all device types, to all enterprise cloud and on-premise applications.
A few resources on how to implement SAML in various environments: