What is SAML authentication?
In the present digital world, we are increasingly dependent on online solutions to carry out our day-to-day activities. To carry out these activities, we have to access multiple applications and web-based portals. As the number of systems increased, proper identity management and authentication became increasingly important. Whether you are a programmer, a frustrated end-user, or a manager in charge of securing an application, remembering a set of credentials for accessing multiple systems gets very difficult and there is a high possibility of forgetting those credentials.
To prevent this, organizations have recently started using centralized authentication to access all their internal applications and web-based portals. This central authentication, when configured properly, eliminates the need to remember all the passwords for different systems and provides strong security. With it, the organization can control all the user data, and managing and auditing users becomes easier than ever before. Yes, we are talking about the Single Sign-On (SSO) feature.
But this blog post is all about SAML, a web protocol that enables single sign-on (SSO). We will look at what SAML is and how it helps organizations and users by simplifying the authorization and authentication process.
Table of Contents
- What is SSO?
- What is SAML authentication?
- Benefits of SAML authentication
- How does SAML authentication work?
- A real-life example of SAML authentication
- Conclusion
What is SSO?
Single Sign-On (SSO) is a type of authentication that allows users to access multiple mobile and web applications using a single username and password. Basically, SSO acts as the main authentication center. When a user logs in to one system, he/she is automatically granted access to all allowed systems.
The SSO concept is probably already familiar to you. Most of us experience it on a daily basis. For example, when you log in to one Google service such as Gmail, you are automatically authenticated to YouTube, Google apps, AdSense and Google Analytics. Similarly, if you log out, you are automatically logged out of all the services.
What is SAML authentication?
SAML or “Security Assertion Markup Language” is one of the most commonly used web protocols that enables single sign-on (SSO). It is used by almost all internet users and organizations on a daily basis. It is a universal protocol that reduces the gap between the local domain and any external application/web service that needs to know the login credentials, thereby eliminating insecure password proliferation. For example, you can think of SAML authentication as an identity card: a simple, open, and standardized way to show who someone is. You don’t have to conduct a series of DNA tests to find someone's identity. All that you have to do is look at their ID card.
Also, one of the major challenges in computing and networking is interoperability: getting different systems with different technical specifications, built by different vendors, to work in tandem. SAML authentication is an interoperable standard and is widely accepted by various industries, government agencies, and large enterprises for federated identity deployments.
Benefits of SAML authentication
Improved user experience
When users have to log in with a username and password for each application separately, it adds friction to the user experience and puts them at a higher risk of being hacked or simply losing their passwords. This tempts users to reuse passwords, use weak passwords, or renew them on a regular basis.
SAML allows users to sign in only once to access multiple services. This saves time and makes the authentication process faster and easier as it eliminates the need to remember multiple login credentials for every web and cloud service.
Increased security
SAML uses a single point of authentication which occurs at a highly secure identity provider. It then transfers the identity credentials to the respective service providers. This form of authentication guarantees that the credentials are sent to the identity provider directly.
Loose coupling of directories
Loose coupling of directories promotes single responsibility and allows greater interoperability. SAML promotes isolation and doesn't need user data to be maintained and synchronized between various directories.
How does SAML authentication work?
A typical SAML authentication process involves three components:
- Subject: This is always a user or an employee who is trying to access a cloud-hosted service.
- Identity provider (IdP): A cloud software service that stores and checks user identity, usually through a login process. Basically, an IdP's job is to say, "I know this individual, and here are the things that they are permitted to do". A SAML system may in fact be separate from the IdP and act as a representative of the IdP.
- Service provider (SDP): A cloud-hosted application or a web service the user wants to use. For example, cloud email platforms like Gmail or Microsoft Outlook, cloud storage services like AWS S3 or Google Drive, and communications apps like Skype or Slack. Normally a user would simply log in to these applications directly. However, in the case of SAML, the user logs in to SAML, which gives them the required access instead of logging in directly.
SAML works by moving the user's identity from one spot (IdP) to another (SDP). This is done by exchanging digitally signed XML documents. When a user needs to log in to a remote application such as a bookkeeping application (the service provider), the following happens:
- The user requests access to the remote application using a link on the internet and the application loads while the user has an existing active login session.
- The application identifies the user either through the user’s IP address or application subdomain and diverts the user to the identity provider, requesting authentication.
- The identity provider assembles an authentication response in the form of an XML document. This typically contains the details of the user. It then signs it with an X.509 certificate. Finally, this information is presented to the service provider.
- The service provider, which already knows the identity provider and holds its certificate fingerprint, retrieves the authentication response from the identity provider and validates it using that fingerprint.
- The identity of the user is verified and the user is granted app access.
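To make the validation step concrete, here is an added example (not code from the original post) of the checks a service provider runs around signature verification: pinning the IdP certificate by fingerprint, then checking the audience and expiry of the assertion. The entity IDs, the placeholder certificate bytes and the sample assertion are constructed for illustration, and verification of the XML signature itself is assumed to be done separately by an XML signature library.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample data: placeholder bytes stand in for the IdP's DER certificate.
IDP_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
PINNED_SHA256 = hashlib.sha256(IDP_CERT_DER).hexdigest()  # saved at the SP when trust was set up
SP_ENTITY_ID = "https://books.example.test/saml"          # hypothetical service provider

def build_sample(cert_der=IDP_CERT_DER, audience=SP_ENTITY_ID,
                 not_on_or_after="2030-01-01T00:00:00Z"):
    """Build a constructed, unsigned assertion shaped like what an IdP sends."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}">'
        f'<saml:Issuer>https://idp.example.test</saml:Issuer>'
        f'<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}'
        f'</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
        f'<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotOnOrAfter="{not_on_or_after}"><saml:AudienceRestriction>'
        f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
        f'</saml:Conditions></saml:Assertion>')

def precheck(xml_text, now):
    """Return (ok, reason) for the checks that surround XML signature verification."""
    # Production code should parse untrusted XML with a hardened parser (e.g. defusedxml).
    root = ET.fromstring(xml_text)
    cert_b64 = root.findtext(".//ds:X509Certificate", namespaces=NS)
    if not cert_b64:
        return False, "no certificate in response"
    seen = hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()
    if not hmac.compare_digest(seen, PINNED_SHA256):
        return False, "certificate fingerprint mismatch"
    # Verifying the XML signature against this pinned certificate is a separate,
    # required step (done with an XML-DSig library) and is not performed here.
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "assertion not issued for this service provider"
    cond = root.find(".//saml:Conditions", NS)
    if cond is None or "NotOnOrAfter" not in cond.attrib:
        return False, "no expiry on assertion"
    expiry = datetime.strptime(cond.attrib["NotOnOrAfter"],
                               "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (False, "assertion expired") if now >= expiry else (True, "ok")

if __name__ == "__main__":
    print(precheck(build_sample(), datetime(2029, 6, 1, tzinfo=timezone.utc)))
```

A fingerprint match only shows that the response carries the expected certificate; the assertion is trustworthy only once the signature over it also verifies with that certificate.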
The diagram below illustrates the SAML authentication workflow when an application triggers SSO.
Conclusion
The bottom line is that the advantages of SAML are abundant. Organizations and end users can securely share users' identity information with ease. SAML can acquire considerably more significance with emerging cloud computing technologies. It will significantly reduce the chances of getting hacked by eliminating the possibility of shared accounts and stolen passwords.