What is SAML SSO?
Security Assertion Markup Language (SAML) is an XML-based standard for exchanging user authentication, entitlement and attribute information. SAML enables web browser single sign-on (SSO) through the exchange of a digitally signed assertion between an identity provider and a service provider.
Why is SAML Used?
Before protocols like SAML existed, authentication to web-services (SaaS and on-premises) was simple: each web-service kept its own database of usernames and passwords for every user authorized to access it. When a user attempted to access the web-service, they submitted a username and password, which was validated against that database; if the pair matched, access was granted. This approach works for a single web-service, but problems appear as the number of web-services grows.
In short, SAML addresses problems such as the following:
- Organizations use hundreds of web-services, so IT is inundated with separate user databases to manage.
- If web-services are managed by third-party service providers (e.g. SaaS), IT has no visibility into or control over the user databases or identities held in the cloud.
- Users must enter a username and password to log in to every web-service they have access to, each time they access it.
SAML terminology
- Assertion – The XML statement, issued by the IdP and consumed by the SP, that carries the authentication, attribute and authorization information about a user.
- Assertion Consumer Service (ACS) – The endpoint within the SP to which the IdP sends the SAML response containing the assertion.
- Attribute – A piece of information about the user (for example an email address or group membership) carried within an assertion.
- Identity Provider (IdP) – Trusted entity that authenticates the user principal and vouches for that authentication to the SP.
- Issuer (Entity ID) – A unique string identifying an IdP or an SP. Each side must be configured with the other's Entity ID exactly as the other emits it, or the exchange is rejected.
- SAML Request – The message (an AuthnRequest) that the SP sends to the IdP asking it to authenticate the user.
- SAML Response – The message that the IdP sends back to the SP for an authenticated user; it carries the signed assertion.
- Service Provider (SP) – The web application that the user wants to access.
How SAML SSO works
SAML works with the involvement of three participants during an exchange of a SAML assertion: (1) a user principal, (2) an identity provider, and (3) a service provider.
- A user principal requests access to a target resource. The user principal gives the service provider an identifying attribute, such as the email address used as their username.
- Based on the attribute provided, the service provider determines which identity provider to send a SAML authentication request to, and redirects the user principal to that identity provider for authentication.
- The identity provider validates the user principal's credentials. If they are valid, the identity provider generates a SAML response containing a signed assertion and returns it, via the user's browser, to the service provider's ACS.
- The service provider validates the response and, if the assertion is acceptable, grants the user principal access to the target resource.
A trust relationship between the identity provider and service provider is established using digital certificates. Specifically, an X.509 certificate and its private key are installed on the identity provider. The identity provider's certificate (which carries the public key, never the private key) is shared with the service provider, typically through the identity provider's metadata, to establish trust between the two. During an exchange, the identity provider generates a SAML assertion and signs it with its private key. The service provider verifies that signature using the public key from the identity provider's certificate. A valid signature assures the service provider that the assertion came from the trusted identity provider and has not been tampered with. (Encrypting the assertion is a separate, optional step that uses the service provider's certificate; it is the signature, not encryption, that establishes authenticity and integrity.)
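The exchange described above from the service provider's side, as an added example that is not code from the original page or from any Centrify product. It builds the SP's authentication request for the HTTP-Redirect binding, then performs the checks an ACS must make on the IdP's response before granting access: status, Destination, InResponseTo, a single Assertion from the expected Issuer, presence of a signature, the NotBefore/NotOnOrAfter window, the Audience, and the SubjectConfirmationData binding. The entity IDs, endpoint URLs, fixed clock and sample IdP response are assumed or constructed for the demo. The cryptographic verification of the XML Signature is deliberately left to an XML-DSig library (for example signxml) because it needs exclusive canonicalization and RSA, neither of which is in the standard library; the sample response therefore carries an empty placeholder ds:Signature element.

```python
# Added example, not code from the original page: the SP side of the SAML 2.0
# browser SSO flow, standard library only. Entity IDs, URLs, the fixed clock and
# the sample IdP response are assumed/constructed for the demo.
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_ENTITY_ID = "https://sp.example.com/metadata"     # assumed SP Issuer (Entity ID)
ACS_URL = "https://sp.example.com/saml/acs"          # assumed Assertion Consumer Service
IDP_ENTITY_ID = "https://idp.example.com/metadata"   # assumed IdP Issuer (Entity ID)
IDP_SSO_URL = "https://idp.example.com/sso"          # assumed IdP single sign-on endpoint
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(minutes=2)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
DEMO_NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo

def build_authn_request(request_id, now):
    """Step 2: the SAML request the SP sends once it has picked the user's IdP."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{now.strftime(TIME_FMT)}" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def redirect_url(authn_request_xml):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

def _ts(s):
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)

def validate_response(response_b64, pending_request_id, now):
    """Steps 3-4: what the ACS must check before granting access. Everything except
    the cryptography is checked here; the ds:Signature must also be verified with an
    XML-DSig library against the IdP certificate pinned from its metadata (never a
    certificate carried inside the message) before any returned claim is trusted."""
    root = ET.fromstring(base64.b64decode(response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not this SP's ACS")
    if root.get("InResponseTo") != pending_request_id:
        raise ValueError("InResponseTo does not match an outstanding request")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("Assertion Issuer is not the trusted IdP")
    if a.find("ds:Signature", NS) is None:
        raise ValueError("Assertion is unsigned")
    cond = a.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and na) or not (_ts(nb) - CLOCK_SKEW <= now < _ts(na) + CLOCK_SKEW):
        raise ValueError("Assertion is outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("Assertion was issued for a different SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != pending_request_id:
        raise ValueError("SubjectConfirmationData does not bind the assertion to this SP and request")
    attrs = {att.get("Name"): [v.text for v in att.findall("saml:AttributeValue", NS)]
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}

def rejection_reason(response_b64, pending_request_id, now):
    # None if the response is accepted, otherwise the reason it was rejected.
    try:
        validate_response(response_b64, pending_request_id, now)
    except ValueError as err:
        return str(err)
    return None

def sample_response(request_id, now, audience=SP_ENTITY_ID):
    """Constructed IdP Response for the demo (not real IdP output). The empty
    ds:Signature is a placeholder for the XML-DSig block a real IdP would emit."""
    t, nb, na = (now.strftime(TIME_FMT), (now - timedelta(minutes=1)).strftime(TIME_FMT),
                 (now + timedelta(minutes=5)).strftime(TIME_FMT))
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" '
           f'ID="_r1" Version="2.0" IssueInstant="{t}" Destination="{ACS_URL}" InResponseTo="{request_id}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{t}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           '<ds:Signature/><saml:Subject><saml:NameID>alice@example.com</saml:NameID>'
           '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{request_id}" NotOnOrAfter="{na}"/>'
           f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
           '</saml:Conditions><saml:AttributeStatement><saml:Attribute Name="email">'
           '<saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>'
           '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    rid = "_req42"   # in a real SP this is random and stored in the user's session
    print(redirect_url(build_authn_request(rid, DEMO_NOW)))
    print(validate_response(sample_response(rid, DEMO_NOW), rid, DEMO_NOW))
```

Two design points worth noting. The request ID is generated by the SP and remembered per session so that a response can only be accepted once, in reply to a request this SP actually made; and every comparison is against values the SP configured in advance (its own Entity ID and ACS URL, the IdP's Entity ID and pinned certificate), never against values supplied in the message, which is what makes a valid signature meaningful.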
Benefits of SAML
SAML enables secure authentication to many web-services without application-specific passwords. Because the service provider never handles a password and accepts only assertions signed with the identity provider's certificate, SAML removes the per-application passwords that are most often stolen or reused, thereby increasing security. SAML allows Centrify, acting as an external identity provider, to protect identity, rather than having each service provider manage identities and make its own authentication decisions. End users benefit from single sign-on to multiple web-services, while IT benefits from password-less authentication to those services, multi-factor authentication mechanisms and centralized identity management. Learn how Centrify Application Services uses SAML SSO.