What is SAML Authentication?
SAML, short for Security Assertion Markup Language, is an XML-based open standard for transferring identity-related information between an Identity Provider and a Service Provider. It simplifies and centralizes the authentication process by authenticating a user once and communicating the resulting identity claims to other external applications whenever that user requests access to them.
Why do we Need SAML Authentication?
Service Providers around the world have started focusing on specialized web-based services that cut costs, focus on user-specific applications, and reduce the complexity of maintaining and supporting an organization's applications. Most organizations have started adopting a centralized authentication system for all their internal applications as well as their web-based portals. This centralized authentication process strengthens security by removing the need for users to keep passwords for different systems on a sticky note.
But since most of these services come from external Service Providers, the sticky-note problem reappears and creates problems for the external service providers as well. Users must remember passwords for different services such as CRM, payroll, or travel agency software, and each external service provider in use ends up with its own user- or programmer-defined, hard-coded SSO code that has to be managed and maintained.
Furthermore, because every user has to be set up in each application, a duplicate set of identity data gets created. If instead the organization controls the user data, the service provider saves the time spent regularly setting up and terminating sessions while having an accurate source of user identity.
Given this set of problems for both organizations and service providers, a standard was needed for exchanging user authentication information over the internet between an Identity Provider and a Service Provider. That is how SAML, an XML-based open standard, came into the picture, allowing custom data to be transmitted to external service providers.
How does SAML Authentication work?
SAML is an XML-based framework that provides authentication and authorisation from a Single Sign-On point of view. Three roles take part in a transaction: an asserting party, a relying party, and a subject. The Asserting Party is the identity provider that supplies the user information; the Relying Party is the Service Provider that trusts the Asserting Party and uses the user information to grant the user access to the application; and the Subject of the transaction is the user. SAML 2.0 is the latest revision of the framework. Consider a system that acts as an identity provider and a user who wants to log in to a remote application, such as an accounting or support application (the service provider). Here's what happens:
- The user, using a link on an intranet or a bookmark, accesses the remote application, and the application loads.
- The user’s origin is identified by the application (by user IP address, application subdomain, or similar). The application asks for authentication by redirecting the user back to the identity provider. This is the authentication request.
- The user may already have an active browser session with the identity provider or may establish one by logging in.
- An authentication response containing the user’s username or email address is built by the identity provider in the form of an XML document. It is signed with an X.509 certificate. The identity provider then sends this information to the service provider.
- The service provider, which already knows the identity provider and holds the fingerprint of its signing certificate, receives the response and validates its signature against that certificate fingerprint.
- The user's identity is established, and he/she is granted access to the application.
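The signed-response and validation steps above, carried through end to end as an added example that is not part of the original article. It is written in Go with only the standard library and makes several simplifying assumptions of its own: the `Assertion`/`Response` structs cover a tiny subset of the SAML 2.0 schema without namespaces, the signature is a plain RSA-SHA256 over the serialised `<Assertion>` rather than a real XML-DSig with canonicalisation, the "certificate fingerprint" is taken to be the hex SHA-256 of the DER certificate, and the function and field names (`NewIdPCredentials`, `BuildSignedResponse`, `ServiceProvider.Validate`, the `example.com` hosts and request IDs) are invented for the illustration. What it does show faithfully is the set of checks a relying party must make before trusting the subject: certificate pinning, signature verification, destination, `InResponseTo`, audience, and the validity window.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"math/big"
	"time"
)

// Minimal subset of the SAML 2.0 Response/Assertion schema (assumption: namespaces and optional elements omitted).
type Conditions struct {
	NotBefore    string `xml:"NotBefore,attr"`
	NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	Audience     string `xml:"AudienceRestriction>Audience"`
}
type Assertion struct {
	XMLName    xml.Name   `xml:"Assertion"`
	NameID     string     `xml:"Subject>NameID"` // the username or e-mail address
	Conditions Conditions `xml:"Conditions"`
}
type Response struct {
	XMLName         xml.Name  `xml:"Response"`
	InResponseTo    string    `xml:"InResponseTo,attr"`
	Destination     string    `xml:"Destination,attr"`
	Assertion       Assertion `xml:"Assertion"`
	Signature       string    `xml:"Signature"`       // simplification: RSA-SHA256 over the serialised <Assertion>; real SAML uses XML-DSig with canonicalisation
	X509Certificate string    `xml:"X509Certificate"` // base64 DER of the IdP signing certificate, as in <ds:KeyInfo>
}

// NewIdPCredentials generates the identity provider's signing key and a self-signed certificate (constructed for this example).
func NewIdPCredentials() (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "idp.example.com"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// Fingerprint is the hex SHA-256 of the DER certificate: what an SP administrator pins in the SP configuration.
func Fingerprint(certDER []byte) string {
	sum := sha256.Sum256(certDER)
	return hex.EncodeToString(sum[:])
}

// BuildSignedResponse is the identity provider side: serialise the assertion, sign it, attach the certificate.
func BuildSignedResponse(key *rsa.PrivateKey, certDER []byte, a Assertion, inResponseTo, destination string) ([]byte, error) {
	body, err := xml.Marshal(a)
	if err != nil { return nil, err }
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { return nil, err }
	return xml.Marshal(Response{InResponseTo: inResponseTo, Destination: destination, Assertion: a,
		Signature: base64.StdEncoding.EncodeToString(sig), X509Certificate: base64.StdEncoding.EncodeToString(certDER)})
}

// ServiceProvider holds what the relying party knows before any response arrives.
type ServiceProvider struct {
	EntityID           string          // expected <Audience>
	ACSURL             string          // expected Destination (assertion consumer service URL)
	TrustedFingerprint string          // pinned fingerprint of the IdP signing certificate
	PendingRequests    map[string]bool // IDs of authentication requests sent and not yet answered
}

// Validate is the service provider side: every check must pass before the NameID is trusted.
func (sp *ServiceProvider) Validate(raw []byte, now time.Time) (string, error) {
	var r Response
	if err := xml.Unmarshal(raw, &r); err != nil { return "", err }
	certDER, err1 := base64.StdEncoding.DecodeString(r.X509Certificate)
	sig, err2 := base64.StdEncoding.DecodeString(r.Signature)
	if err1 != nil || err2 != nil { return "", errors.New("malformed base64 in response") }
	// Pinning: a valid signature from any certificate other than the configured one is worthless.
	if Fingerprint(certDER) != sp.TrustedFingerprint { return "", errors.New("certificate fingerprint does not match the configured identity provider") }
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return "", err }
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok { return "", errors.New("unsupported signing key type") }
	body, err := xml.Marshal(r.Assertion) // re-serialise exactly what was received
	if err != nil { return "", err }
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil { return "", errors.New("assertion signature is invalid") }
	// The response must be addressed to this SP, answer a request it sent, and be meant for its entity ID.
	if r.Destination != sp.ACSURL { return "", errors.New("response destination is not this service provider") }
	if !sp.PendingRequests[r.InResponseTo] { return "", errors.New("InResponseTo does not match an outstanding authentication request") }
	if r.Assertion.Conditions.Audience != sp.EntityID { return "", errors.New("assertion audience is another service provider") }
	nb, err1 := time.Parse(time.RFC3339, r.Assertion.Conditions.NotBefore)
	noa, err2 := time.Parse(time.RFC3339, r.Assertion.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil || now.Before(nb) || !now.Before(noa) { return "", errors.New("assertion is outside its validity window") }
	delete(sp.PendingRequests, r.InResponseTo) // consume the request ID so the same response cannot be replayed
	return r.Assertion.NameID, nil
}
```

To run it, create a `ServiceProvider` whose `TrustedFingerprint` is `Fingerprint(certDER)` from `NewIdPCredentials`, record the request ID you "sent" in `PendingRequests`, build a response with `BuildSignedResponse`, and pass its bytes to `Validate`. A response that is replayed, altered after signing, signed by a different certificate, addressed to another audience, or presented outside its `NotBefore`/`NotOnOrAfter` window is rejected with a distinct error; the order of checks is chosen so that the cheap pinning check runs before any cryptography and the request ID is only consumed once the assertion has been fully accepted.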
What are the Benefits of SAML Authentication?
- SAML separates the security framework from platform architectures and specific vendor implementations.
- It does not require user information to be synchronized and maintained between directories.
- Identity federation with SAML promotes privacy while allowing for a customized user experience at each service.
- A single act of authentication across multiple services can reduce the cost of maintaining account information. The identity provider shoulders the burden.