How does SAML work? IDPs & SPs


If you’re doing research on protocols that enable single sign-on (SSO), a typical question is, “How does SAML work?”. SAML, or Security Assertion Markup Language, is a popular SSO protocol and is a valuable standard to understand in order to fully comprehend how SSO works.

SAML is an XML-based, open-standard data format for exchanging authentication and authorization data between an identity provider (like the Gluu Server) and a service provider (like Dropbox, O365, etc.). SAML is a stable and mature standard, and is well supported at many of the Internet’s largest domains. However, the last major release of SAML was in 2005! Therefore it is important to understand when to use SAML and when to use a newer protocol like OpenID Connect to achieve your identity goals.

Refer to these four considerations to determine which protocol to use for single sign-on (SSO):

  • If you have an application that already supports SAML, use SAML.
  • If you need to support user login at an external IDP (like a customer or partner IDP), use SAML.
  • If you have a mobile application, use OpenID Connect.
  • If you are writing a new application, use OpenID Connect.

If your use case aligns with one or both of the first two bullet points above, continue reading! If not, we recommend that you learn more about OpenID Connect.

SAML Overview

SAML enables an organization to share user information with trusted external organizations. A familiar example is signing into Active Directory to log on to your work computer in the morning and automatically gaining access to your company's Gmail or Salesforce.

The three main components of SAML are:

  • Assertions – The two most common SAML assertions are:
    • Authentication assertions, which state that the person has authenticated (proven their identity) to the IDP.
    • Attribute assertions, which convey specific information about the person, for example their phone number or email address.
  • Protocol – Defines how SAML requests and receives assertions, for example using SOAP over HTTP.
  • Binding – Details exactly how SAML message exchanges are mapped into SOAP exchanges.

Benefits of using SAML:

Here are 5 reasons to use SAML for SSO:

  1. User passwords never cross the firewall, since user authentication occurs inside of the firewall and multiple Web application passwords are no longer required.
  2. Web applications with no passwords are virtually impossible to hack, as the user must authenticate against an enterprise-class IDP first, which can include strong authentication mechanisms.
  3. “SP-initiated” SAML SSO provides access to Web apps for users outside of the firewall. If an outside user requests access to a Web application, the SP can automatically redirect the user to an authentication portal located at the Identity Provider. After authenticating, the user is granted access to the application, while their login and password remain locked safely inside the firewall.
  4. Centralized federation provides a single point of Web application access, control and auditing, which has security, risk and compliance benefits.
  5. A properly executed identity federation layer that satisfies all of the use cases described above and supports multiple protocols can provide an enterprise-wide, architecturally sound Internet SSO solution.
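To make the two assertion types and the SP-initiated flow concrete, here is an added example (not code from this post or from the Gluu project) in Python, using only the standard library. The IDP side issues a SAML 2.0 Response whose assertion carries an AuthnStatement (the authentication assertion) and an AttributeStatement (the attribute assertion); the SP side then parses it and applies the checks a relying party must make before accepting the login: the Response answers the AuthnRequest the SP actually sent, the issuer is the expected IDP, the assertion is inside its validity window, and it is addressed to this SP. The namespace URNs are the standard SAML 2.0 ones; the entity IDs, URLs, request ID, clock and user data are constructed for the example. XML signature verification is out of scope here and is the first thing a real SP does; without it none of the other checks can be relied on.

```python
"""SAML 2.0 assertion round trip: an IDP side issues a Response whose assertion
carries an AuthnStatement and an AttributeStatement; an SP side parses it and
applies the checks a relying party makes before trusting it.
Constructed example: entity IDs, URLs, user data and request ID are made up.
XML-DSig signature verification is out of scope; a real SP verifies it first."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
NS = {"saml": SAML_NS, "samlp": SAMLP_NS}
TS = "%Y-%m-%dT%H:%M:%SZ"
IDP_ID = "https://idp.example.com/idp/shibboleth"  # constructed IDP entity ID
SP_ID = "https://sp.example.com/saml/metadata"     # constructed SP entity ID


def _el(parent, ns, name, text=None, **attrib):
    """Append a namespaced child element with optional text and attributes."""
    el = ET.SubElement(parent, f"{{{ns}}}{name}", attrib)
    el.text = text
    return el


def build_response(issuer, audience, in_response_to, name_id, attributes, now):
    """IDP side: issue a Response answering the SP's AuthnRequest `in_response_to`."""
    ET.register_namespace("saml", SAML_NS)
    ET.register_namespace("samlp", SAMLP_NS)
    resp = ET.Element(f"{{{SAMLP_NS}}}Response", ID="_" + uuid.uuid4().hex, Version="2.0",
                      IssueInstant=now.strftime(TS), InResponseTo=in_response_to)
    _el(resp, SAML_NS, "Issuer", issuer)
    _el(_el(resp, SAMLP_NS, "Status"), SAMLP_NS, "StatusCode", Value=SUCCESS)
    a = _el(resp, SAML_NS, "Assertion", ID="_" + uuid.uuid4().hex, Version="2.0",
            IssueInstant=now.strftime(TS))
    _el(a, SAML_NS, "Issuer", issuer)
    _el(_el(a, SAML_NS, "Subject"), SAML_NS, "NameID", name_id)
    # Conditions: who may accept this assertion and for how long.
    cond = _el(a, SAML_NS, "Conditions", NotBefore=(now - timedelta(minutes=1)).strftime(TS),
               NotOnOrAfter=(now + timedelta(minutes=5)).strftime(TS))
    _el(_el(cond, SAML_NS, "AudienceRestriction"), SAML_NS, "Audience", audience)
    # Authentication assertion: the IDP authenticated this subject, when and how.
    authn = _el(a, SAML_NS, "AuthnStatement", AuthnInstant=now.strftime(TS))
    _el(_el(authn, SAML_NS, "AuthnContext"), SAML_NS, "AuthnContextClassRef", PASSWORD_CTX)
    # Attribute assertion: facts about the subject the SP needs (mail, phone, ...).
    attr_st = _el(a, SAML_NS, "AttributeStatement")
    for name, value in attributes.items():
        _el(_el(attr_st, SAML_NS, "Attribute", Name=name), SAML_NS, "AttributeValue", value)
    return ET.tostring(resp, encoding="unicode")


def validate_response(xml_text, expected_issuer, my_entity_id, expected_request_id, now):
    """SP side: parse the Response and check it before accepting the login.
    Returns (name_id, attributes); raises ValueError on the first failed check."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a SAML Response")
    # SP-initiated SSO: accept only a Response to the AuthnRequest we actually sent.
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match our AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IDP did not report success")
    a = root.find("saml:Assertion", NS)
    if a is None:
        raise ValueError("no Assertion in Response")
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("assertion issued by an unexpected IDP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion lacks a validity window")
    not_before = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        raise ValueError("assertion not addressed to this SP")
    if a.find("saml:AuthnStatement", NS) is None:
        raise ValueError("no AuthnStatement: nothing says the user authenticated")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {attr.get("Name"): attr.findtext("saml:AttributeValue", namespaces=NS)
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs


def demo():
    """Happy path, then two Responses the SP must reject: the same Response replayed
    after expiry, and one presented to a different SP. Returns (login, replay_rejected,
    wrong_audience_rejected)."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock
    request_id = "_req-4f1c"  # constructed ID of the AuthnRequest the SP sent earlier
    attributes = {"mail": "alice@example.com", "telephoneNumber": "+1 555 0100"}
    xml_text = build_response(IDP_ID, SP_ID, request_id, "alice@example.com", attributes, now)
    login = validate_response(xml_text, IDP_ID, SP_ID, request_id, now)

    def rejected(**override):
        args = dict(xml_text=xml_text, expected_issuer=IDP_ID, my_entity_id=SP_ID,
                    expected_request_id=request_id, now=now)
        args.update(override)
        try:
            validate_response(**args)
        except ValueError:
            return True
        return False

    return (login, rejected(now=now + timedelta(minutes=10)),
            rejected(my_entity_id="https://other-sp.example.net/metadata"))


if __name__ == "__main__":
    print(demo())
```

The validity window and audience checks are what stop a captured assertion from being replayed later or presented to a different service provider; the `InResponseTo` check ties the Response to the SP-initiated redirect described in point 3 above. Real deployments also verify the XML signature, check any `SubjectConfirmationData` recipient and, for one-time use, record assertion IDs until they expire.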

For more on the SAML protocol, visit the blog, SAML Protocol Overview.

If you need a SAML IDP, you should deploy the free open source Gluu Server!