What is SAML authentication ❓ How does it work ❓

Enterprises using various business apps have a tough time maintaining data’s secrecy and access grants as per user roles throughout the infrastructure landscape. SAML (Security Assertion Markup Language) shows up as a great aid at this front.

Let’s see what is it, how it works, what are its advantages, how it differs from SSO, what makes it similar to SSO, and how it helps in API access verification to ensure an astonishing security level.

SAML — A Quick Overview

SAML’s main work is to permit IdP (the identity details providers) to share the authentication-concerned credential with the concerned authority. It is the open standard that allows granting unified access for all kinds of apps while making no compromise on data security.

A few more things you must know about SAML are:

  • It brings XML into action for completing the customary connection between IdPs and service-givers to communicate reliably.
  • SAML authentication process confirms the end-user’s identity while SAML authorization defines which all resources should be in user’s access.
  • It checks for SPs, IdPs, and end-users if the user is eligible for what it is demanding.
  • It’s an OASIS standard.
  • It ensures safe exchange of information.
  • It supports SSO activation. However, this procedure will require connecting to an external IdP and sharing the XML tokens with it.

A Quick Glimpse of Single Sign-on (SSO)

Considered among the topmost viable authentication frameworks, SSO merges multiple sign-in screens. This implies, you won’t have to sign-in independently for your app(s). Instead, 1 set of sign-in data for your accounts will work fine for diverse SaaS apps.

By doing so, it makes accessing the app faster, simpler, and auditable. It’s a key aspect of IAM strategies of businesses seeking frictionless app access validation and better security implementations.

With SSO enabled, one can enjoy:

  • Strong passwords, as there is no need to create multiple passwords sharing similarities. One tough and complex password is enough for everyone.
  • Users do not have to memorize various passwords.
  • Easy MFA deployment that verifies multiple factors, as its activation at 1 point will secure various applications.
  • Quick password re-entry policy enforcement, as administrators have a single point where the policy should be enforced.
  • Seamless internal credential management because the SSO stores user passwords internally and grants the IT team more control over the database.
  • Instant recovery of user password as the IT team has to work on recovering one password.

SAML Authentication — The Step-by-Step Process

Let us tell you the whole procedure in a few steps.

  1. First of all, the identiy service hands over the user login related input to the SP. For the seamless of SAML parameters to the SPs, every end-user is bound to login via SSO once.
  2. Next, the SP contacts IdPs, asking about the credibility of a request. This process requires giving consent for SAML SSO configuration too. Doing so ensures that the same SAML settings are used for checking the identity and authorizing the user/request.

Benefits

  1. Being a standard format, it grants an open approach to businesses that is free from platform compatibility and vendor implementations.
  2. It uses directories in a loose coupling manner, that implies there is no need to store or sync user data to local directories.
  3. As it supports SSO, end-users are going to have great experience in accessing applications.
  4. SAML lets businesses reuse integrations for registration/sign-in while maintaining the same level of security. It trims the account management cost.
  5. The burden of maintaining the user identities is shifted to the IdP when SAML is at work. This frees service-givers from registration and sign-in related hassles.

What is SAML Assertion?

In simple terms, it is an XML-formatted document that comprises the user authorization status information. This detail is offered by an IdP to a service-giver.

Its 3 typesos assertions are:

Authentication is all about the validation of user’s credibility, related technique, and session duration tracking details.

Assigned takes care of successfully passing SAML tokens to the SP. IdP as well as SP directory use the same attributes to confirm the trustworthiness of request-creator.

Finally, assertion of Authorization-decision type explains where or not the user is given access as per his request. Detailed reason behind denied access is also offered if it happens.

SAML Example

The simplest example of how SAML processes its operations is given below:

Let’s consider an end-user, named John, who tries to access a business application for official purposes.

  • John will begin a session with SSO and complete the identity verification part of the procedure.
  • Zoho CRM will request the IdP to share the user details for confirmation.
  • The SaaS tool will access the fetched results to complete the authority verification step.
  • IdP will revert to this request in SAML format. It will feature the digital signatures of John. Based upon the similarities between the identification details provided by John and the IdP, the revert message may feature other details as well.
  • SaaS tool receives the response and grants or denies access, as instructed by the IdP.
  • If access is permitted John is allowed to use his Zoho account.

SAML vs SSO

SAML helps in user identity verification and in making SSO possible. SSO can exist alone and allows end-users to use various applications with unified login details. SSO can bring the standard SAML protocols into action while performing information trading as it has no specific protocols of its own. Additionally, it can use third-party protocols like OpenID for effective cross-domain user identity check. SAML offers a wide range of protocols.

SAML vs oAuth2

Owing to similarities between key purposes, SAML 2.0 and oAuth 2.0 are often considered the same. While they both share great similarities, they differ from each other in various aspects.

Similarities

  • Both are required to promote secure application interoperability.
  • Both support easy access management and fast integration.

Differences

  • oAuth 2.0 pays attention to authorization while SAML prioritizes authentication
  • SAML is XML based while oAuth 2.0 is utilizes JSON
  • SAML maintains session data through cookies while API calls are used in the case of oAuth for this.

API authentication with SAML

While the most common use of SAML is supporting user identity verification and enabling SSO, it can be proved highly fruitful for request’s genuinity checking in APIs. User access right verification, to check if the request is genuine, is crucial from the API security front and can be achieved by sending a SAML request that must comprise:

  • SAML prepare authentication API based API auth request
  • SAML message that can support the SSO process auto-initiated by IdP

By all means, it’s crucial for a SAML request message to be based on an encoded XML document featuring <Response> root element.

The request’s body must feature content, ids, and realm. The first two aspects are essentials while the last one is optional.

The SAML response includes access_token (a SAML token granting or denying the access), username, expires_in, refresh_token, and realm.

The Final Word

SAML and Single Sign-On have a close relationship with each other. These are vital for zero-compromise data security. Hope this article helps you learn about these two efficiently.

Originally published at https://www.wallarm.com.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ivan Novikov

CEO at Wallarm. Application security platform to prevent threats and discover vulnerabilities in a real-time.