Gluu Blog

Follow us:
Back to Blog

SAML Protocol Overview

Mike S. June 13, 2012

Because the SAML Protocol…

is so foundational to the software and service Gluu provides, we wanted to lay out the basics of SAML for those interested. The following can be thought of as a basic guide to getting you conversational with the SAML protocol.

What is SAML?

Security Assertion Markup Language, otherwise known as SAML, is an XML-based open standards for exchanging authentication and attributes (claims) between an identity provider and a service provider (website). SAML is a product of the OASIS Security Services Technical Committee and aims to standardize framework for browser based single sign-on (SSO). SAML 1.0 was released in 2002; SAML 2.0 was released in 2006.


How Does SAML Work?

At its core, SAML is a series of XML-based messages that detail whether a person has authenticted, and frequently information about that person. SAML is primarily used for SSO between organizations and websites that are “external” to the organization. However, it can be used just as well for internal SSO applications.

The three main components of the SAML specification are:

Assertions – The two most commonly used SAML assertions:

  1. Authentication assertions are those in which the user has proven his identity.
  2. Attribute assertions contain specific information about the user, such as an email and phone number.

Protocol – This defines the way that SAML asks for and gets assertions, for example, using SOAP over HTTP.

Binding – This details exactly how SAML message exchanges are mapped into SOAP exchanges.

The assertions are exchanged among sites and services using the protocol and binding, and those assertions are what authenticates users among sites.

Why is SAML used?

There are many ways to achieve single sign-on, and as organizations use an increasing number of cloud applications, support for various methods of single sign-on became too expensive and time consuming.  SAML 2.0, the newest version currently in use, borrows protocols and intellectual property from a number of the most secure frameworks to standardize SSO across all enterprise cloud applications.

What are the Benefits of SAML?

– User passwords never cross the firewall, since user authentication occurs inside of the firewall and multiple Web application passwords are no longer required

– Web applications with no passwords are virtually impossible to hack, as the user must authenticate against an enterprise-class IdM first, which can include strong authentication mechanisms

– “SP-initiated” SAML SSO provides access to Web apps for users outside of the firewall. If an outside user requests access to a Web application, the SP can automatically redirect the user to an authentication portal located at the Identity Provider. After authenticating, the user is granted access to the application, while their login and password remains locked safely inside the firewall

– Centralized federation provides a single point of Web application access, control and auditing, which has security, risk and compliance benefits

– A properly executed identity federation layer that satisfies all of the use cases described above and supports multiple protocols can provide an enterprise-wide, architecturally sound Internet SSO solution

Conclusion:

SAML is the oldest federation protocol, has the widest adoption. It has has proven the viability of organizational federated identity. The Mona Lisa of federated identity, SAML will be appreciated and looked to as a model for a long time. However, newer federation protocols, like OpenID Connect 1.0, which have “bubbled-up” from the consumer space, may replace SAML as the standard for organizations. But before that happens, SAML will continue to be an important tool in the enterprise security stack.

Gluu’s SAML Value Proposition

The primary reason SAML projects fail or experience costly delays is because the implementation can be complex and finding trained resources in SAML is a challenge. When implementing SAML software like Shibboleth, using the Gluu Server, which supports SAML 2.0, can be the difference between a streamlined setup and configuration or a multi-month distributed debugging nightmare.

Be sure to subscibe to
our RSS Feed

Mike Schwartz

Mike has been an entrepreneur and identity specialist for more than two decades. He is the technical and business visionary behind Gluu. Mike is an application security expert and has been a featured speaker at RSA Conference, Gartner Catalyst, Cloud Identity Summity (now "Identiverse") and many other security conferences around the world.

Reader Interactions

Comments

  1. I have one question. Lets say i have 3 webapplications with SAML support. Now i open webapplication1 with its url in a browser. If i am not already authenticated by the idp will the login promt appear? If yes and i will then authenticate can i open the other 2 webapplications without any authentication?

    What i need to know is must there be a portal application where i have to authenticate first to open all other applications or can i login to any application and have then access to all the other ones?

    • No portal necessary. A portal can be nice to have..just create a web page with icons and links to the protected landing pages.

      In general, anytime you try to navigate to the protected resource, it will check whether you have a session in the IDP. If you do have a session, you won’t have to sign in again. If you don’t have a session, you will be bounced to the IDP for authentication.

Trackbacks