How does SAML work? IDPs & SPs
SAML, or Security Assertion Markup Language, is an XML-based framework for communicating user authentication, entitlement, and attribute information. SAML allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject (most often a human user) to other entities, such as a partner company or another enterprise application. By defining standardized mechanisms for the communication of security and identity information between business partners, SAML makes federated identity, and the crossdomain transactions that it enables, a reality.
SAML defines three roles: the principal (typically a user), the identity provider (IDP), and the service provider (SP). In the use case addressed by SAML, the principal requests a service from the service provider. The service provider requests and obtains an authentication assertion from the identity provider. On the basis of this assertion, the service provider can make an access control decision — in other words it can decide whether to perform some service for the connected principal. SAML does not specify the method of authentication at the IDP; it may require username and password, or another form of authentication, including multi-factor authentication (MFA).
SAML requests and responses are made up of the following components:
- Assertions – An assertion is a package of information that supplies one or more statements made by a SAML authority. SAML defines three kinds of assertion statements that can be created by a SAML authority:
- Authentication assertions are used to make people prove their identities. This kind of statement is typically generated by the SAML identity provider (IDP).
- Attribute assertions are used to supply specific information about the person, for example their phone number or email address.
- Authorization decisions determine whether the specified subject has been granted or denied permission to access the specified resource.
For single sign-on (SSO), a typical SAML assertion will contain a single authentication statement and possibly a single attribute statement. A SAML response could contain multiple assertions, although its more typical to have a single assertion within a response.
- Protocol – This defines the way that SAML asks for and gets assertions, for example, using SOAP over HTTP.
- Binding – This details exactly how SAML message exchanges are mapped into SOAP exchanges.
- Profile – A SAML profile describes in detail how SAML assertions, protocols, and bindings combine to support a defined use case. The most important SAML profile is the Web Browser SSO Profile.
5 benefits of using SAML:
There are many reasons to use a SAML IDP like the Gluu Server, including:
- User passwords never cross the ﬁrewall, since user authentication occurs inside of the ﬁrewall and multiple Web application passwords are no longer required.
- Web applications with no passwords are virtually impossible to hack, as the user must authenticate against an enterprise-class IdM ﬁrst, which can include strong authentication mechanisms.
- “SP-initiated” SAML SSO provides access to Web apps for users outside of the ﬁrewall. If an outside user requests access to a Web application, the SP can automatically redirect the user to an authentication portal located at the Identity Provider. After authenticating, the user is granted access to the application, while their login and password remains locked safely inside the ﬁrewall.
- Centralized federation provides a single point of Web application access, control and auditing, which has security, risk and compliance beneﬁts.
- A properly executed identity federation layer that satisﬁes all of the use cases described above and supports multiple protocols can provide an enterprise-wide, architecturally sound Internet SSO solution.
If you need a free open source SAML IDP, take a look at the Gluu Server.