SAML authentication
Image Source: https://www.onelogin.com/blog/why-your-cloud-app-should-be-saml-enabled

Traditionally, enterprise applications operate within a company's network, relying on integration with corporate directories like Microsoft Active Directory for user information and credential validation. As collaboration extends to cloud-based environments, the need for Federated Authentication arises to address the challenges of applications moving beyond a company's domain. SAML addresses this challenge.

SAML, which stands for Security Assertion Markup Language, is an XML-based standard for exchanging authentication and authorization data between parties, in particular between an identity provider (IdP) and a service provider (SP). SAML enables Single Sign-On (SSO), allowing a user to log in once and gain access to multiple systems without needing to log in again. It is defined by the OASIS Security Services Technical Committee. The current version of SAML is 2.0.

Key components of the SAML framework include:

Assertions:

SAML assertions are XML statements that contain information about a user, such as their identity, authentication, and attributes. Assertions are typically generated by the identity provider and consumed by the service provider.

Identity Provider (IdP):

The entity responsible for authenticating users and providing identity information in the form of SAML assertions. The IdP confirms the user's identity to the service provider.

Service Provider (SP):

The entity that provides services to users based on the authentication and authorization information received from the identity provider. The SP relies on SAML assertions to make access control decisions.

Single Sign-On (SSO):

SAML enables SSO, allowing users to log in once and access multiple systems without having to log in again. After initial authentication, the IdP sends a SAML assertion to the SP, which trusts the assertion for subsequent user access.

Bindings and Profiles:

SAML supports different bindings (methods of transporting messages) and profiles (specific use cases and constraints). Common bindings include HTTP POST and HTTP Redirect, while common profiles include Web Browser SSO and Single Logout.
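The HTTP-Redirect binding mentioned above carries the SAML message in a query parameter as raw-DEFLATE-compressed, base64-encoded, URL-encoded XML (the HTTP-POST binding skips the compression step and sends plain base64 in a form field). The following is an added example, not code from the original article: it builds a minimal SP AuthnRequest and encodes and decodes it for the HTTP-Redirect binding using only the Python standard library. All entity IDs, URLs and the request ID are constructed placeholder values.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

# SAML 2.0 protocol and assertion namespaces.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id, issue_instant):
    """Minimal AuthnRequest, the message the SP hands to the browser for the IdP."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,                # must be an NCName, e.g. "_" + random hex
        "Version": "2.0",
        "IssueInstant": issue_instant,   # UTC, e.g. 2024-01-15T10:00:00Z
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(root, encoding="unicode")

def redirect_binding_encode(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode
    for use as the SAMLRequest query parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw DEFLATE stream
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")

def redirect_binding_decode(param_value):
    """Reverse the encoding, which is what a SAML debugging tool does to show the XML."""
    raw = base64.b64decode(urllib.parse.unquote(param_value))
    return zlib.decompress(raw, -15).decode("utf-8")

def summarize_request(xml_text):
    """Pull out the fields an IdP looks at first when it parses the request."""
    root = ET.fromstring(xml_text)
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "destination": root.get("Destination"),
        "acs": root.get("AssertionConsumerServiceURL"),
    }
```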

For a more in-depth understanding of SAML, please refer to the link below:

https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html

SAML workflow (2.0):

  • The user opens their browser and navigates to the service provider's web application, which uses an identity provider for authentication.
  • The web application responds with a SAML request.
  • The browser passes the SAML request to the identity provider.
  • The identity provider parses the SAML request.
  • The identity provider authenticates the user by prompting for a username and password (the identity provider skips this step if the user is already authenticated).
  • The identity provider generates the SAML response and returns it to the user's browser.
  • The browser sends the generated SAML response to the service provider's web application, which verifies it.
  • If the verification succeeds, the web application grants the user access.
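The verification in the last two steps is where the SP's security decision is made. As an added example (not code from the original article), the function below performs the checks an SP applies to a received SAML response after its XML signature has been verified against the IdP's metadata certificate (signature checking itself is left to an XML-DSig library and is assumed done here): status, Destination, InResponseTo, issuer, validity window, audience restriction and bearer subject confirmation. The embedded response and all URLs, IDs and timestamps in it are constructed sample values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed sample response (values are made up); a real one also carries an XML signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-01-15T10:00:05Z"
 InResponseTo="_req1" Destination="https://sp.example.com/saml/acs">
 <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:05Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID><saml:SubjectConfirmation
   Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_req1"
   Recipient="https://sp.example.com/saml/acs" NotOnOrAfter="2024-01-15T10:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z"><saml:AudienceRestriction>
   <saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>"""

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)  # UTC xsd:dateTime

def validate_response(xml_text, idp_issuer, sp_entity_id, acs_url, request_id, now):
    """Return the failed checks (empty list = SP may grant access); assumes the XML signature was already verified."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.find(f"{SAMLP}Status/{SAMLP}StatusCode").get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != acs_url:
        problems.append("Destination is not our ACS URL")
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the request we issued")
    assertion = root.find(f"{SAML}Assertion")
    if assertion is None:
        return problems + ["no assertion present"]
    if assertion.findtext(f"{SAML}Issuer") != idp_issuer:
        problems.append("assertion issuer is not our configured IdP")
    cond = assertion.find(f"{SAML}Conditions")
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion outside its validity window")
    if sp_entity_id not in [a.text for a in cond.iter(f"{SAML}Audience")]:
        problems.append("audience restriction does not include this SP")
    scd = assertion.find(f".//{SAML}SubjectConfirmationData")
    if scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id:
        problems.append("subject confirmation is not bound to this SP and request")
    if now >= parse_ts(scd.get("NotOnOrAfter")):
        problems.append("bearer confirmation has expired")
    return problems
```

The SP must also reject an assertion whose ID it has already accepted within its validity window, which requires a replay cache that this stand-alone example does not include.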

Image Source: www.wallarm.com/what/what-is-saml-authentication

Online tools for testing SAML:

There are many online tools available to test and debug SAML implementations. For example, https://samltool.io/ lets you decode, inspect and verify SAML messages, while https://samltest.id/ is a SAML 2.0 IdP and SP testing service.

SAML Use Cases:

SAML enables users to safely and securely access various resources with convenience. By eliminating the need for users to create and manage credentials for each service individually, it can contribute to a reduction in support requests. It is particularly popular with teams that regularly grant access to defined sets of resources, because it minimizes the associated workload.

Enterprise Access:

SAML is commonly utilized by large organizations as a means to grant users system access. SAML attributes carry the information used to control users' permissions, enabling users to be grouped and their access levels adjusted dynamically.

Single Sign-On between Separate Platforms:

Single sign-on (SSO) is SAML's most common use, allowing users to authenticate across multiple domains without needing new credentials each time (Federated Authentication). For example, a company that uses SAML can issue an employee credentials that also work with other platforms needed at work, such as Slack or Jira.

Cloud Platforms:

Major cloud platforms frequently enable SAML-based sign-ins, providing user convenience and facilitating straightforward role and permission assignments by administrators. This ensures that team members access the relevant resources, and adjustments to roles can be effortlessly implemented.

In summary, the SAML protocol is widely used for enabling secure and seamless access to applications and services across different domains. It is commonly used in enterprise environments, federated identity scenarios, and web-based applications that require cross-domain authentication and authorization.

It's important to note that SAML is just one of several standards for identity and access management. Other protocols, such as OAuth and OpenID Connect, are also widely used in different contexts. The choice of protocol depends on the specific requirements and use cases of the system or application.
