What is SAML?
The SAML (Security Assertion Markup Language) specification is an XML-based framework for exchanging user authentication, entitlement, and attribute information between security domains across the web. Its security rests on the receiving party validating the XML signatures and conditions on what it receives, not on the format itself. It has a number of primary usage scenarios, including but not limited to the following:
Single sign-on/single logout
SAML offers the ability to log in a single time and gain access to all participating systems without being prompted for credentials again. Similarly, single logout is the ability to sign out in one place and have all other current login sessions terminated as well. Single sign-on offers convenience at the very least, and for large organizations it also reduces password fatigue by eliminating the need for many username and password combinations, and improves productivity by reducing the time users spend entering passwords and calling the help desk for password troubles.
Identity federation
Identity federation is useful for integrating access to applications across distinct groups within an enterprise. SAML allows a single set of identification data to be used to obtain access to any participating application or network within the enterprise. This offers convenience to users, but also allows the enterprise to share a single application across many networks, rather than purchase additional licenses.
The SAML standard can be defined by the components that make it up. These components can be understood as nested within one another, as shown in the following image. The following are the major building blocks of the SAML specification:
Assertions – This component carries the authentication, attribute, and authorization decision statements that confirm who the user is, describe them, and say what they are entitled to access. An assertion is issued by the identity provider, and its value to the receiving party depends entirely on the XML signature that covers it. This is essentially a packet of security information containing
Protocols – Define the request and response messages (for example AuthnRequest and Response) in which assertions and related SAML elements are exchanged between parties.
Bindings – Define how SAML protocol messages are carried over existing transport and messaging formats. For example, the SAML SOAP binding specifies how a SAML message is packaged within a SOAP envelope, which is then carried in an HTTP request. The HTTP Redirect binding (message compressed and base64-encoded in a URL query string) and the HTTP POST binding (message base64-encoded in an HTML form field) are the ones used for browser-based single sign-on.
Profiles – Define how assertions, protocols, and bindings combine to support a defined use case, such as the Web Browser SSO profile.
How does SAML work?
The SAML specification defines three roles that take part in SAML transactions. The principal represents the user accessing a protected resource. The Identity Provider (IdP) is the entity that authenticates the principal and issues assertions about them. The Service Provider (SP) is the entity whose resources the principal wants to access; it relies on the IdP's assertion rather than authenticating the principal itself. There are two ways that SAML authentication may take place, called the IdP-initiated scenario and the SP-initiated scenario.
Walkthrough of an SP-initiated SAML authentication
1. The principal (user) requests a service from the SP, typically by accessing a protected resource hosted by the SP via a browser.
2. The SP receives the request, builds an AuthnRequest, and sends the principal's browser to the IdP carrying it (usually via the HTTP Redirect binding). The SP and IdP do not need to talk to each other directly; the browser carries the messages.
3. Before the IdP delivers the identity assertion to the SP, it may need to authenticate the principal, for example by asking for a username and password. If the principal already has a session with the IdP, this step is skipped. The IdP then returns a signed Response containing the assertion, again through the browser, typically by HTTP POST to the SP's assertion consumer service (ACS) URL.
4. The SP validates the Response before trusting anything in it: the XML signature must verify against the IdP's certificate from metadata, the Issuer must be the expected IdP, the Audience must be the SP itself, the current time must fall within the assertion's NotBefore/NotOnOrAfter window, the Destination must be the SP's own ACS URL, and InResponseTo must match an AuthnRequest the SP actually sent. Only on the basis of an assertion that passes these checks does the SP make its access control decision to allow or deny the principal.
5. If access is granted, the SP then performs the service requested by the connected principal, such as providing the protected resource.
The IdP-initiated scenario is very similar, with the exception that the principal accesses the IdP to begin with, rather than the SP. In this case, authentication with the IdP, as in step 3, happens first, without any request from the SP, and the steps carry on identically from there. Because there was no AuthnRequest, the Response carries no InResponseTo and the SP cannot tie it to an outstanding request; an SP should therefore accept such unsolicited responses only where it genuinely needs to, since doing so removes one of the checks that protects against replayed or injected responses.
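The exchange above, as an added example that is not part of the original article: an SP-side implementation in Python that builds the AuthnRequest (protocol layer), wraps it in the HTTP Redirect binding (binding layer), and then validates a constructed IdP Response and its assertion before returning the identity for the access control decision. The entity IDs, URLs, request ID and the user "alice@example.com" are hypothetical; the Response is constructed inline as a stand-in for what the IdP would POST to the ACS URL. XML signature verification is deliberately left out because it needs an XML-DSig library and the IdP's certificate; the code only checks that a signature element is present and says so in a comment.

```python
# Added example (not from the original article): an SP-side SAML 2.0 exchange, run offline
# against a constructed IdP Response. All entity IDs, URLs and the sample user are hypothetical.
import base64
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.com/metadata"     # hypothetical
SP_ACS_URL = "https://sp.example.com/saml/acs"       # hypothetical
IDP_ENTITY_ID = "https://idp.example.org/metadata"   # hypothetical
IDP_SSO_URL = "https://idp.example.org/sso"          # hypothetical


def ts(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(request_id: str, now: datetime) -> str:
    """Step 2, protocol layer: the samlp:AuthnRequest the SP sends to the IdP."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{ts(now)}" Destination="{IDP_SSO_URL}" '
            f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')


def redirect_binding_url(authn_request: str, relay_state: str) -> str:
    """Binding layer: HTTP Redirect binding = raw DEFLATE, base64, URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits -15: raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def decode_redirect_url(url: str) -> str:
    """What the IdP does on receipt: reverse the HTTP Redirect encoding."""
    saml_request = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()


def sample_idp_response(request_id: str, now: datetime) -> str:
    """Constructed stand-in for the IdP's step-3 output: a samlp:Response (protocol) wrapping one
    saml:Assertion, as it would arrive at the ACS via HTTP POST. ds:Signature is a placeholder."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" '
            f'ID="_resp1" Version="2.0" IssueInstant="{ts(now)}" Destination="{SP_ACS_URL}" '
            f'InResponseTo="{request_id}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{ts(now)}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><ds:Signature>placeholder</ds:Signature>'
            '<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{ts(now)}" NotOnOrAfter="{ts(now + timedelta(minutes=5))}">'
            f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions>'
            '<saml:AttributeStatement><saml:Attribute Name="role">'
            '<saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>'
            '</saml:AttributeStatement></saml:Assertion></samlp:Response>')


def validate_response(response_xml: str, now: datetime, expected_request_id=None) -> dict:
    """Step 4, SP side: checks that must pass before any access control decision.
    XML-DSig verification is NOT implemented here (needs a library plus the IdP certificate from
    metadata); a real SP verifies the signature on the signed element first, since without it
    every value checked below can be forged. expected_request_id=None means IdP-initiated."""
    root = ET.fromstring(response_xml)
    if root.tag != f'{{{NS["samlp"]}}}Response':
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    in_response_to = root.get("InResponseTo")
    if expected_request_id is None:          # unsolicited (IdP-initiated) Response
        if in_response_to is not None:
            raise ValueError("unsolicited Response must not carry InResponseTo")
    elif in_response_to != expected_request_id:
        raise ValueError("InResponseTo does not match the outstanding AuthnRequest")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:                 # refuse ambiguity about which assertion is the signed one
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        raise ValueError("neither Response nor Assertion is signed")
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("Assertion Issuer is not the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("Assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("Assertion not addressed to this SP")
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}


def check(response_xml: str, now: datetime, expected_request_id=None) -> str:
    """'ok', or the reason the SP rejected the Response."""
    try:
        validate_response(response_xml, now, expected_request_id)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    req_id = "_5f2c9b0e7a1d4c3b8e6f0a9d1c2b3a4e"   # xsd:ID: must start with a letter or underscore
    url = redirect_binding_url(build_authn_request(req_id, t0), "/dashboard")
    assert decode_redirect_url(url) == build_authn_request(req_id, t0)
    resp = sample_idp_response(req_id, t0)
    print(check(resp, t0 + timedelta(seconds=30), req_id))
    print(check(resp, t0 + timedelta(minutes=10), req_id))
    print(check(resp, t0 + timedelta(seconds=30), "_someOtherRequest"))
```

The request ID is generated per login and stored server-side so that InResponseTo can be checked; in the IdP-initiated variant that check is unavailable, which is why `validate_response` treats an unsolicited Response as a separate, explicitly opted-in case rather than silently skipping the comparison. The validity window and Audience checks are what stop an assertion issued for one SP, or captured earlier, from being replayed against another.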
An additional thing to note, and an aspect of SAML that makes it very powerful, is that the specification does not dictate how the IdP authenticates the principal. Username and password, two-factor or multi-factor authentication, certificates, or any other method can sit behind the IdP; the assertion reports which method was used in its AuthnContext, and an SP that needs heightened security can require a particular authentication context class in its AuthnRequest and reject assertions that do not meet it.