Authentication and authorization are two processes that play a significant role in any web application: authentication establishes who a user is, and authorization decides what that user may access. Plus, with all the web applications and services we use regularly, it is increasingly difficult to manage credentials for multiple user accounts.
SAML technology provides a means for securely logging into multiple applications using a single set of credentials.
This article explains what SAML is, how SAML-based authentication works, the key components of SAML, and how it differs from the popular OAuth technology. Finally, we’ll analyze the pros and cons of the SAML technology.
What is SAML?
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between identity providers (IdPs) and service providers (SPs). This XML-based standard allows users to use a single set of credentials to access multiple applications. Thus, SAML helps realize single sign-on (SSO), where users can access multiple applications or web services without maintaining separate credentials for each service.
Identity providers play a key role in SAML, and the SAML protocol facilitates a secure exchange of authentication and authorization information between the IdP and the SP. The SAML standard itself is built from four kinds of components (assertions, protocols, bindings and profiles), which we’ll review shortly.
Thanks to its seamless authentication experience, SAML has become a widely adopted technology in many industries.
The 3 key parties in SAML-based authentication
Three entities take part in SAML-based SSO:
- The principal is the entity requesting access to a resource, typically a person, acting through a browser, who is trying to log in to an application.
- The Identity Provider (IdP) is the entity that verifies the identity of a user and issues SAML assertions containing identity information during an SSO exchange. IdPs are commonly cloud services such as Google, Microsoft Entra ID (formerly Azure Active Directory) and Okta, though an organization can also run its own directory-backed IdP.
- The Service Provider (SP) is the application or service that hosts the resources the user wants to access. It establishes a trust relationship with the IdP, typically by exchanging metadata and signing certificates out of band, and relies on the IdP’s assertions to decide whether to grant access. Examples of SPs include Google Workspace, Microsoft 365 and AWS (through IAM identity federation).
How SAML-based authentication works
SAML exchanges authentication statements and other user attributes between the identity provider and the service provider. The IdP authenticates the user once; for as long as that IdP session lasts, the user is not asked to authenticate again and can reach every service provider that trusts the IdP.
Essentially, SAML enables a seamless Single Sign-On experience for users. Now let’s look in detail at the SAML-based authentication process.
- A user tries to access a web application. That request arrives at the relevant service provider.
- The service provider generates a SAML authentication request (an AuthnRequest) and redirects the user’s browser to the identity provider with it. The request identifies the SP and the URL to which the IdP should return its response; it does not contain the user’s identity, which the IdP establishes itself.
- The authentication process begins when the user enters login credentials, such as a username and password, through the login page of the IdP. This involves verifying the credentials against a user directory, performing multi-factor authentication or any other authentication mechanism implemented by the IdP. If the user already holds a session at the IdP, this step is skipped, which is what makes the experience single sign-on.
- If authentication succeeds, the IdP generates a SAML response containing an assertion and sends it back to the service provider’s assertion consumer service through the user’s browser. The assertion states that the IdP authenticated the user and when, and may carry attributes such as the user’s e-mail address, roles or group memberships. The IdP digitally signs the assertion (and often the whole response); the assertion can additionally be encrypted to the SP’s public key when its contents must stay confidential on the way through the browser.
- Finally, the service provider validates the response before trusting anything in it: the signature must verify against the IdP’s registered certificate, the issuer must be the expected IdP, the audience must name this SP, the current time must fall within the assertion’s validity window, the InResponseTo value must match a request the SP actually issued, and the assertion ID must not have been seen before. Only then does the SP extract the identity and attributes, establish a local session and let the user access the requested resource.
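The flow above, carried through in code as an added example that is not part of the original article: a stand-in IdP produces a SAML Response carrying one signed bearer assertion, and the service-provider side applies the checks from the last step before it trusts anything inside. It uses only the Python standard library, so the signature is an assumption: a keyed HMAC over the serialized assertion stands in for the enveloped XML-DSig (RSA or ECDSA over a canonicalized assertion) that a real IdP produces, which is why this SP holds a shared key rather than the IdP’s certificate. The entity IDs, URLs, user and timestamps are constructed sample values.

```python
"""SP-side validation of a SAML Response, standard library only.
Assumption: the signature is a stand-in. Real SAML uses an enveloped XML-DSig
(RSA or ECDSA over a canonicalised assertion); here an HMAC-SHA256 over the
serialised assertion plays that role so the example runs offline."""
import base64, copy, hashlib, hmac, uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
for _prefix, _uri in (("saml", SAML), ("samlp", SAMLP), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)

def saml(name): return f"{{{SAML}}}{name}"
def samlp(name): return f"{{{SAMLP}}}{name}"
def ds(name): return f"{{{DS}}}{name}"
def ts(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
def parse_ts(text): return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class SamlError(Exception): pass

def _el(parent, tag, text=None, **attrib):
    el = ET.SubElement(parent, tag, attrib)
    el.text = text
    return el

def _signing_input(assertion):
    """Serialise the assertion with any ds:Signature removed; signer and verifier share this."""
    a = copy.deepcopy(assertion)
    for sig in a.findall(ds("Signature")):
        a.remove(sig)
    return ET.tostring(a, encoding="unicode").encode("utf-8")

def build_response(idp_key, idp_entity, sp_entity, acs_url, in_response_to, name_id, attrs, now):
    """IdP side, used here only to produce the sample: a Response with one signed bearer Assertion."""
    later = ts(now + timedelta(minutes=5))
    resp = ET.Element(samlp("Response"), ID="_" + uuid.uuid4().hex, Version="2.0",
                      IssueInstant=ts(now), Destination=acs_url, InResponseTo=in_response_to)
    _el(resp, saml("Issuer"), idp_entity)
    _el(_el(resp, samlp("Status")), samlp("StatusCode"), Value=SUCCESS)
    a = _el(resp, saml("Assertion"), ID="_" + uuid.uuid4().hex, Version="2.0", IssueInstant=ts(now))
    _el(a, saml("Issuer"), idp_entity)
    subject = _el(a, saml("Subject"))
    _el(subject, saml("NameID"), name_id)
    conf = _el(subject, saml("SubjectConfirmation"), Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    _el(conf, saml("SubjectConfirmationData"), Recipient=acs_url, InResponseTo=in_response_to,
        NotOnOrAfter=later)
    cond = _el(a, saml("Conditions"), NotBefore=ts(now - timedelta(minutes=1)), NotOnOrAfter=later)
    _el(_el(cond, saml("AudienceRestriction")), saml("Audience"), sp_entity)
    stmt = _el(a, saml("AttributeStatement"))
    for name, values in attrs.items():
        attr = _el(stmt, saml("Attribute"), Name=name)
        for value in values:
            _el(attr, saml("AttributeValue"), value)
    mac = hmac.new(idp_key, _signing_input(a), hashlib.sha256).digest()  # stand-in for XML-DSig
    sig = ET.Element(ds("Signature"))
    _el(sig, ds("SignatureValue"), base64.b64encode(mac).decode("ascii"))
    a.insert(1, sig)  # XML-DSig convention: the Signature follows the Issuer
    return ET.tostring(resp, encoding="unicode")

def validate_response(xml, idp_key, idp_entity, sp_entity, acs_url, outstanding_ids, seen_ids, now,
                      skew=timedelta(seconds=60)):
    """SP side. outstanding_ids: request IDs we issued and have not yet consumed; seen_ids: replay
    cache of accepted assertion IDs. Every check must pass before anything inside is believed."""
    resp = ET.fromstring(xml)
    if resp.tag != samlp("Response") or resp.get("Destination") != acs_url:
        raise SamlError("not a SAML Response addressed to our ACS URL")
    status = resp.find(f"{samlp('Status')}/{samlp('StatusCode')}")
    if status is None or status.get("Value") != SUCCESS:
        raise SamlError("IdP did not report Success")
    req_id = resp.get("InResponseTo")
    if req_id not in outstanding_ids:
        raise SamlError("InResponseTo does not match a request we issued")
    assertions = resp.findall(saml("Assertion"))
    if len(assertions) != 1:
        raise SamlError("expected exactly one Assertion")
    a = assertions[0]
    sig = a.findtext(f"{ds('Signature')}/{ds('SignatureValue')}")
    expected = hmac.new(idp_key, _signing_input(a), hashlib.sha256).digest()
    if sig is None or not hmac.compare_digest(expected, base64.b64decode(sig)):
        raise SamlError("assertion signature missing or invalid")
    # Only a verified signature makes the content below trustworthy.
    if a.findtext(saml("Issuer")) != idp_entity:
        raise SamlError("assertion issued by an unexpected IdP")
    cond = a.find(saml("Conditions"))
    if cond is None or not (parse_ts(cond.get("NotBefore")) - skew <= now
                            < parse_ts(cond.get("NotOnOrAfter")) + skew):
        raise SamlError("assertion outside its validity window")
    if sp_entity not in [e.text for e in cond.iter(saml("Audience"))]:
        raise SamlError("assertion not addressed to this SP")
    scd = a.find(f"{saml('Subject')}/{saml('SubjectConfirmation')}/{saml('SubjectConfirmationData')}")
    if (scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != req_id
            or now >= parse_ts(scd.get("NotOnOrAfter")) + skew):
        raise SamlError("bearer confirmation does not match this request")
    if a.get("ID") in seen_ids:
        raise SamlError("assertion replayed")
    seen_ids.add(a.get("ID"))
    outstanding_ids.discard(req_id)
    attrs = {att.get("Name"): [v.text for v in att.findall(saml("AttributeValue"))]
             for att in a.iter(saml("Attribute"))}
    return {"name_id": a.findtext(f"{saml('Subject')}/{saml('NameID')}"), "attributes": attrs}
```

The order of the checks matters: the signature is verified before any field inside the assertion is read, and the validity window, audience, recipient, InResponseTo and replay checks are each individually what stops a captured assertion from being reused, redirected to another SP, or presented unsolicited. A production SP should also parse with a hardened XML parser such as defusedxml, accept only the IdP certificate it registered out of band, and confirm that the signature covers the exact assertion element it goes on to consume.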
Four components within SAML
Now let’s look at the four components that support SAML authentication.
SAML profiles define how assertions, protocols and bindings are combined to solve a particular use case, specifying the rules, constraints and required configurations for that scenario. A profile guides how the other components must be used to achieve the expected behavior.
For example, the Web Browser SSO profile specifies which protocol messages and bindings are used to sign a user in through a browser. Meanwhile, the Single Logout profile defines the behaviors and requirements for logging the user out of the IdP session and of the service providers that participated in it.
SAML protocols define the request and response messages exchanged between systems and the rules for processing them. Several protocols are defined, including:
- The Authentication Request protocol, in which an SP asks an IdP to authenticate a principal and return an assertion; this is the basis of single sign-on.
- The Single Logout (SLO) protocol, which lets a single logout action terminate the user’s sessions at the IdP and at the service providers that share that session.
SAML bindings specify how SAML messages are carried over an underlying transport, in practice HTTP, defining the encoding and the delivery mechanism. Several bindings exist for specific purposes; the HTTP Redirect and HTTP POST bindings are by far the most commonly used:
- The HTTP Redirect binding DEFLATE-compresses the message, base64-encodes it and places it in a URL query parameter (SAMLRequest or SAMLResponse), then redirects the browser to the destination. It suits short messages such as an authentication request; URL length limits make it unsuitable for large, signed messages.
- The HTTP POST binding base64-encodes the message into a hidden field of an HTML form that the browser submits automatically. Because there is no practical size constraint, it is the usual way to deliver a signed response to the SP.
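As an added example, not code from the original article, the two bindings in the Python standard library: an AuthnRequest is built, prepared for the HTTP Redirect binding (raw DEFLATE, base64, query string) and for the HTTP POST binding (base64 in a hidden form field), and decoded again on the receiving side. The entity IDs and URLs are constructed sample values, and the request is unsigned.

```python
"""HTTP-Redirect and HTTP-POST bindings for a SAML AuthnRequest (standard library only)."""
import base64
import html
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import escape

POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def _attr(value):
    """Escape a value for use inside a double-quoted XML attribute."""
    return escape(value, {'"': "&quot;"})

def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None, issue_instant=None):
    """Minimal AuthnRequest: it names the SP (Issuer) and where the Response must be
    delivered (AssertionConsumerServiceURL). It carries no user identity."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{_attr(request_id)}" Version="2.0" IssueInstant="{_attr(issue_instant)}" '
        f'Destination="{_attr(idp_sso_url)}" AssertionConsumerServiceURL="{_attr(acs_url)}" '
        f'ProtocolBinding="{POST_BINDING}">'
        f"<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )

def redirect_binding_url(idp_sso_url, message, relay_state=None, field="SAMLRequest"):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(message.encode("utf-8")) + compressor.flush()
    params = {field: base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return idp_sso_url + ("&" if "?" in idp_sso_url else "?") + urlencode(params)

def decode_redirect_binding(url, field="SAMLRequest"):
    """Receiving side of the Redirect binding: returns (message, relay_state)."""
    query = parse_qs(urlsplit(url).query)
    message = zlib.decompress(base64.b64decode(query[field][0]), -15).decode("utf-8")
    return message, query.get("RelayState", [None])[0]

def post_binding_fields(message, relay_state=None, field="SAMLRequest"):
    """HTTP-POST binding: base64 only, no compression, as form fields."""
    fields = {field: base64.b64encode(message.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return fields

def post_binding_form(destination, fields):
    """Render the auto-submitting HTML form the browser posts to the destination."""
    inputs = "".join(f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}"/>'
                     for k, v in fields.items())
    return (f'<html><body onload="document.forms[0].submit()">'
            f'<form method="post" action="{html.escape(destination)}">{inputs}'
            '<noscript><input type="submit" value="Continue"/></noscript></form></body></html>')

def decode_post_binding(form_fields, field="SAMLRequest"):
    """Receiving side of the POST binding, given the posted form fields as a dict."""
    return base64.b64decode(form_fields[field]).decode("utf-8")
```

A Response travels the same way with the field named SAMLResponse. When a redirect-bound message is signed, the XML signature is not embedded in the message (to keep the URL short) but sent in separate Signature and SigAlg query parameters computed over the URL-encoded SAMLRequest, RelayState and SigAlg values, so the receiver must verify it over the query string before inflating the message; the POST binding keeps the XML signature inside the message itself.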
A SAML assertion is written in XML (Extensible Markup Language), including the identity information and attributes of the user. Identity information can include usernames, email addresses, roles and other attributes that SPs can use to provide personalization.
SAML assertions play a crucial role in SAML-based SSO by conveying trusted information about the user's identity from the Identity Provider (IdP) to the Service Provider (SP). The SP depends on the assertions to make access control decisions and grant users access to protected resources or services.
There are three types of SAML assertions based on their purpose and the information they share:
- Authentication Assertion asserts that the IdP has authenticated the user.
- Attribute Assertion contains additional attributes about the user's identity and characteristics.
- Authorization Decision Assertion states whether the subject is permitted to perform a specified action on a specified resource. This type is seldom used in practice; SPs normally make access decisions from the attributes they receive.
SAML vs. OAuth: What’s the difference?
Let’s pause here and consider a similar technology: OAuth.
SAML and OAuth are often mentioned in the same breath when it comes to authentication and authorization, and both can underpin a form of SSO, but they differ significantly in purpose. OAuth is the newer of the two: SAML 2.0 was standardized by OASIS in 2005, OAuth 1.0 was published in 2007 and OAuth 2.0 (RFC 6749) in 2012. The key differences:
- Both exchange identity-related data over HTTP, but SAML messages are XML documents, whereas OAuth tokens and responses are typically JSON (and, with OpenID Connect layered on top, JSON Web Tokens).
- OAuth handles delegated authorization: a user grants an application scoped access to an API on their behalf without sharing credentials. It is not itself an authentication protocol; OpenID Connect adds that layer on top of OAuth 2.0. SAML is used primarily for authentication and carries attributes that SPs use for their own authorization decisions.
- OAuth is more flexible in where it runs, having been designed with web, mobile and device clients (such as smart TVs) in mind. SAML’s browser-redirect flows work well for web applications but fit mobile and native applications poorly.
What are the advantages of SAML?
SAML offers businesses several advantages when implementing secure authentication and authorization mechanisms for web applications and services.
Improved security
SAML concentrates authentication at a hardened identity provider, where policies such as multi-factor authentication and password rules are enforced once for every connected application, and service providers never handle the user’s password. Assertions are digitally signed, so an SP can detect tampering, and they can additionally be encrypted so their contents stay confidential as they pass through the user’s browser on the way from the IdP to the SP.
Consistent user experience
SAML provides a convenient way for users to access multiple service providers using just one identity provider. It eliminates the need for different logins or credentials for each service provider, saving time for users and improving their login experience.
Flexibility
SAML supports different authentication methods, attribute formats and protocols for exchanging attributes. That means organizations can use SAML to tailor their authentication and authorization processes to their needs.
Reduced costs
SAML helps organizations reduce the costs associated with user authentication in several ways. For example, SSO eliminates the need to manage multiple usernames and passwords for different services, which is an overhead for the company and a source of help-desk tickets.
Additionally, user management and the synchronization of credentials across multiple services can be time-consuming and error-prone. SAML minimizes that manual effort and the labor costs that come with it.
Integration with existing systems
SAML can be integrated with a wide range of identity management systems and authentication mechanisms, allowing organizations to build on the directories and IdPs they already run rather than replacing them.
What are the disadvantages of SAML?
SAML provides several advantages, including a seamless authentication experience for users and many other benefits for businesses. However, there are some disadvantages to consider. Among them:
Complexity
SAML is complex to implement: its XML-based messages are harder to read than JSON, and producing or validating them correctly demands real familiarity with XML parsing, XML signatures and web services. Most organizations are better served by a mature, maintained SAML library than by writing their own.
Limited mobile support
SAML does not provide adequate support for mobile devices. Because it was designed around browser redirects for web applications, it is awkward to integrate with mobile and native applications. Its functionality is also narrow by design: its main focus is facilitating SSO for web applications.
SAML is an open standard that enables single sign-on across multiple applications. Three parties take part in SAML-based SSO: the principal, the identity provider and the service provider. The standard is built from assertions, protocols, bindings and profiles.
Although SAML and OAuth are often confused, the two differ in purpose and message format: SAML authenticates users and conveys their attributes in signed XML, while OAuth delegates scoped authorization using JSON-based tokens. SAML brings real advantages to authentication and authorization, including a consistent user experience, reduced costs and integration flexibility, alongside disadvantages such as implementation complexity, weak support for mobile and native applications, and a narrow focus on browser-based SSO.
This posting does not necessarily represent Splunk's position, strategies or opinion.