What is SAML and what’s it used for?
The Security Assertion Markup Language (SAML) is an open normal that permits safety credentials to be shared by a number of computer systems throughout a community. It describes a framework that permits one laptop to carry out some safety capabilities on behalf of a number of different computer systems.
Strictly talking, SAML refers back to the XML variant language used to encode all this info, however the time period may cowl varied protocol messages and profiles that make up a part of the usual. Because SAML is an open normal, it could actually coordinate safety measure for various purposes and programs from totally different distributors. As a outcome, many safety distributors use SAML as the idea for his or her industrial choices to make sure interoperability.
SAML 2.0 was launched in 2005 and stays the present model of the usual. The earlier model, 1.1, is now largely deprecated. (SAMLDiffs has a nice abstract of the distinction between the variations.)
What is single sign-on?
While SAML was designed with a variety of use instances in thoughts, by far the most typical one in observe is single signal on (SSO). SSO, because the identify implies, permits a person to log in as soon as and entry a number of providers—web sites, cloud or SaaS apps, file shares, and so forth. In an SSO state of affairs, all these providers outsource their authentication and authorization performance to a single system that then sends identity details about the person to these providers.
Documents written in SAML are a method that single sign-on info could be transmitted. SAML’s open nature and interoperability make it a very enticing candidate for this position, since prospects usually need a single sign-on answer that may join purposes from a number of distributors.
Authentication vs. authorization
Before we transfer on, we have to focus on two totally different roles that SAML can play in an SSO system:
- Authentication: Determining that the customers are who they declare to be
- Authorization: Determining if customers have the precise to entry sure programs or content material
Obviously any SSO platform must play each of those roles in an effort to do its job. One focal point is that SAML does not even have for use for each. For occasion, Microsoft has an SSO implementation that makes use of SAML for authentication however OAuth (one other open normal that we’ll focus on in additional element later on this article) for authorization.
What is a SAML supplier?
In SAML lingo, a supplier is an entity—usually, a server or different laptop—inside a system that helps the person entry the providers she or he desires, and that produce or devour SAML providers. Generally talking, the precise packages you wish to get entry to, like SaaS purposes or protected file servers, are known as service suppliers, whereas identity suppliers ensure the person actually is who they declare to be or have the precise to entry the programs they’re making an attempt to entry—it gives authentication or authorization, in different phrases.
An essential factor to bear in mind right here is that the SAML normal itself doesn’t outline how these suppliers do their jobs; as a substitute, it establishes what info they should talk to at least one one other and the way that communication and its stream are structured.
What is a SAML assertion?
A SAML assertion is the XML doc by which all the knowledge we have been discussing is transmitted from one laptop to a different. Once an identity supplier has decided that you’re who you say you might be and have the precise to entry the content material or providers you are involved in, it sends a SAML assertion to the server that really can really present these providers to you. A SAML assertion could also be encrypted for elevated safety.
For extra on all these phrases, take a look at the official SAML glossary from OASIS.
How does SAML authentication work? A SAML stream instance
This all might sound sort of summary, so this is a high-level instance of how a SAML authentication transaction would play out. A graphical illustration is offered in Figure 1. The person agent would usually be an online browser.
Figure 1. A SAML authentication sequence
Imagine you are the person in an surroundings with single sign-on and also you’re making an attempt to get entry to some useful resource on a server. The sequence of occasions goes like this:
- You attempt to entry the useful resource on the server. The service supplier checks to see for those who’re already authenticated inside the system. If you might be, you skip to step 7; for those who’re not, the service supplier begins the authentication course of.
- The service supplier determines the suitable identity supplier for you and redirects you to that supplier—on this case, the one sign-on service.
- Your browser sends an authentication request to the SSO service; the service then identifies you.
- The SSO service returns an XHTML doc, which incorporates the authentication info wanted by the service supplier in a SAMLResponse parameter.
- The SAMLResponse parameter is handed on to the service supplier.
- The service supplier processes this response and creates a safety context for you—principally, it logs you in—after which tells you the place your requested useful resource is.
- With this info, now you can request the useful resource you are involved in.
- The useful resource is lastly returned to you!
If you need a nearer take a look at the center of the messages being handed backwards and forwards in a SAML transaction, take a look at the examples right here from OneLogin. You can dig into the complete XML code for the sorts of assertions being handed from the identity supplier to the service supplier within the state of affairs outlined above.
You’ll discover that a number of that is fairly excessive stage: for example, there isn’t any rationalization of how SAML is aware of what the suitable identity supplier is or how the identity supplier determines that you simply’re who you say you might be. That’s not simply us leaving issues out: as we touched on above, the SAML normal does not outline how these items occur, leaving distributors and implementors a lot of leeway on the way to set issues up. Multiple applied sciences can be utilized for the precise authentication piece, and the applied sciences you select will dictate the small print of the way you implement SAML in your surroundings. But it doesn’t matter what alternative you make, SAML assertions will carry authentication and authorization data from one supplier to a different.
Benefits of SAML authentication
The most essential good thing about SAML as a basis for an SSO answer is that it’s an open normal. As we have seen, that implies that it may be carried out by all kinds of IAM distributors and built-in into all-encompassing programs like Salesforce. It additionally implies that suppliers from totally different distributors can talk with each other so long as they adhere to the SAML normal.
Because SAML is an XML dialect, it is also very versatile. All sorts of data could be transmitted in a SAML doc, as long as it may be rendered in XML.
SAML vs. OAuth: What’s the distinction?
OAuth is a considerably newer normal than SAML, developed collectively by Google and Twitter starting in 2006. It was developed partially to compensate for SAML’s deficiencies on cell platforms and relies on JSON quite than XML.
Other than SAML’s less-than-stellar cell help, what is the distinction between the 2? As we have seen, the SAML normal defines how suppliers can supply each authentication and authorization providers. OAuth, then again, solely offers with authorization. OpenID Connect is a fair newer normal, developed in 2014, that gives authentication providers and is layered on high of OAuth.
Another main distinction between SAML and OAuth is their use instances. While SAML theoretically was designed to be used on the open web, in observe it is most frequently deployed inside enterprise networks for single sign-on. OAuth, against this, was designed by Google and Twitter for web scale.
SAML is an open normal, and so anybody can create a industrial or open-source implementation that gives authentication providers according to it. In normal, this performance is constructed into an identity and entry administration (IAM) product, though that IAM performance might in flip be bundled right into a extra all-encompassing system or infrastructure platform. Current suppliers embody:
SAML tutorials: Some good locations to study extra about SAML
Ready to study extra? Here are some nice, in-depth SAML tutorials:
More on SAML and SSO:
Copyright © 2022 IDG Communications, Inc.