SAML web-based authentication for Security (Single Sign-On SSO)
SAML stands for Security Assertion Markup language. Generally, users need to enter a username and password to login into any application.
SAML is a technique for achieving Single Sign-On (SSO).
SAML works by exchanging user information, such as logins, authentication state, identifiers, and other relevant attributes between the identity and service provider. As a result, it simplifies and secures the authentication process as the user only needs to log in once with a single set of authentication credentials.
Security Assertion Markup Language (SAML) is an XML-based framework that allows the identity providers to provide the authorization credentials to the service provider.
With SAML, you need to enter one security attribute to log in to the application
SAML is a link between the authentication of the user’s identity and authorization to use a service.
SAML provides a service known as Single Sign-On means that users have to log in once and can use the same credentials to log in to another service provider.
With SAML, both the service provider and identity provider exist separately, but centralize the user management and provide access to the SaaS solutions.
SAML authentication is mainly used for verifying the user’s credentials from the identity provider.
Advantages of SAML:
SAML SSO (SINGLE SIGN-ON): SAML provides security by eliminating passwords for an app and replacing them with security tokens. Since we do not require any passwords for SAML logins, there is no risk of credentials being stolen by unauthorized users. It provides faster, easier, and trusted access to cloud applications.
Open Standard SINGLE SIGN-ON: SAML implementations conform to the open standard. Therefore, it is not restricted to a single identity provider. This open standard allows you to choose the SAML provider.
Strong Security: SAML uses federated identities and secure tokens to make SAML one of the best secure forms for web-based authentication.
The improved online experience for end users: SAML provides SINGLE SIGN-ON (SSO) to authenticate at an identity provider, and the identity provider sends the authentication to the service provider without additional credentials.
Reduced administrative costs for service providers: Using single authentication multiple times for multiple services can reduce the administrative costs for maintaining the account information.
Risk transference: SAML has put the responsibility of handling the identities to the identity provider.
Types of SAML providers
SAML provider is an entity within a system that helps the user to access the services that he or she wants.
There are two types of SAML providers:
- Service provider
- Identity provider
It is an entity within a system that provides the services to the users for which they are authenticated.
The service provider requires authentication from the identity provider that grants access to the user.
Salesforce and other CRM are the common service providers.
An identity provider is an entity within a system that sends the authentication to the service provider about who they are along with the user access rights.
It maintains a directory of the user and provides an authentication mechanism.
Microsoft Active Directory and Azure are the common identity providers.
What is a SAML Assertion?
A SAML Assertion is an XML document that the identity provider sends to the service provider containing user authorization.
SAML Assertion is of three types:
- It proves the identification of the user
- It provides the time at which the user logged in.
- It also determines which method of authentication has been used.
An attribute assertion is used to pass the SAML attributes to the service provider where the attribute contains a piece of data about the user authentication.
An authorization decision determines whether the user is authorized to use the service or identity provider denied the request due to the password failure.
Working of SAML
- If a user tries to access the resource on the server, the service provider checks whether the user is authenticated within the system or not. If you are, you skip to step 7, and if you are not, the service provider starts the authentication process.
- The service provider determines the appropriate identity provider for you and redirects the request to the identity provider.
- An authentication request has been sent to the SSO (SINGLE SIGN-ON) service, and the SSO service identifies you.
- The SSO service returns with an XHTML document, which contains authentic information required by the service provider in a SAMLResponse parameter.
- The SAMLResponse parameter is passed to the Assertion Consumer Service (ACS) at the service provider.
- The service provider processes the request and creates a security context; you are automatically logged in.
- After login, you can request a resource that you want.
👋 Join us today !!
If this post was helpful, please click the clap 👏 button below a few times to show your support! ⬇