How does SAML work? IDPs & SPs
If you’re doing research on protocols that enable single sign-on, a typical question is, “how does SAML work?”
SAML, or the Security Assertion Markup Language, is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider (IDP), like the Gluu Server, and a service provider (SP). SAML is a comprehensive, mature standard that is well supported at many of the Internet’s largest domains, such as Google and Microsoft.
Check out our slides to learn more about how single sign-on works.
SAML allows an organization to securely exchange attributes about people with applications so that people can access protected content without creating new accounts at each application. This reduces the number of credentials people need to store and remember, and increases the security of logins at applications.
Three main components of the SAML protocol
- Assertions – The two most common SAML assertion types are:
  - Authentication assertions, which state that the person has proven their identity to the IDP, and how.
  - Attribute assertions, which carry specific information about the person, for example their phone number or email address.
- Protocol – This defines how SAML requests and receives assertions, for example using SOAP over HTTP.
- Binding – This details exactly how SAML message exchanges are mapped onto underlying transport exchanges, such as SOAP.
5 Benefits of using a SAML IDP:
There are many reasons to use a SAML IDP. Here are the top 5 reasons:
1. User passwords never cross the firewall, since user authentication occurs inside the firewall and separate passwords for each Web application are no longer required.
2. Web applications with no passwords are virtually impossible to hack, as the user must first authenticate against an enterprise-class identity and access management platform, which can include strong authentication mechanisms.
3. “SP-initiated” SAML SSO provides access to Web apps for users outside of the firewall. If an outside user requests access to a Web application, the SP can automatically redirect the user to an authentication portal located at the Identity Provider. After authenticating, the user is granted access to the application, while their login and password remain locked safely inside the firewall.
4. Centralized federation provides a single point of Web application access, control and auditing, which has security, risk and compliance benefits.
5. A properly executed identity federation layer that satisfies all of the use cases described above and supports multiple protocols can provide an enterprise-wide, architecturally sound Internet SSO solution.
SAML support in the Gluu Server
The Gluu Server bundles the Shibboleth IDP to support SAML. Learn more about Shibboleth and the advantages of using the Gluu Server’s implementation of Shibboleth in our next article.
For more information on the SAML protocol, visit the blog post SAML Protocol Overview.
Or if you’re ready to launch your own SAML and OpenID Connect identity service, deploy the Gluu server today for free.