How Does SAML Authentication Work?
SAML uses XML-based communication between the IdP and SP, enabling the secure exchange of identity and authentication information. It connects user authentication to service authorization, enabling seamless access to services without requiring users to re-authenticate. When a user logs into the IdP using single sign-on, the IdP generates and passes SAML attributes to the SPs the user accesses. This eliminates the need for multiple logins and password management across different systems. The IdP and SPs must adhere to the same SAML configuration, ensuring compatibility in authentication and authorization processes. Configuring both systems correctly is essential for SAML authentication to function effectively and provide a secure and convenient user experience.
NOTE: SAML 2.0, the current version of the standard approved by the OASIS Consortium in 2005, is incompatible with the previous version 1.1.
What is a SAML Provider?
A SAML provider is an entity that facilitates user access to cloud-based services by mediating the authentication and authorization process. There are two main types of SAML providers: identity providers and service providers. Identity providers are responsible for authenticating users, while service providers require authentication from the identity provider before granting authorization to users. Common identity providers include Microsoft Active Directory and Azure, while common service providers include Salesforce and CRM solutions. SAML providers play a crucial role in improving user convenience and security by allowing single sign-on and multi-factor authentication across different applications and services.
What is a SAML Assertion?
A SAML assertion is an XML document that contains information about a user’s authorization. SAML assertions come in three types: authentication assertions, attribution assertions, and authorization decision assertions. Authentication assertions prove a user’s identity, providing login time and authentication method. Attribution assertions pass SAML attributes to the service provider, with attributes providing specific user information. Finally, authorization decision assertions indicate whether a user is authorized to use a service, potentially denying a request due to password failure or lack of rights.
SAML Example
Let’s say you’re at school and want to use the library computer. The school has SAML set up so that students can log in without a school-specific password. Below is an example of how this works:
Step 1: Identity Provider (IDP)
You start by going to a website that supports SAML, like Google.
You sign in with your Google account (this is the IDP).
Step 2: Service Provider (SP)
Google then sends a message to the school’s website (the SP) saying, “This person is who they say they are.”
The message includes the key required to gain access to the persons details.
Step 3: Login
The school’s website checks the key and confirms that it’s valid.
You are now logged into the library computer without having to enter a separate school password.
SAML vs. OAuth
OAuth and SAML are both authentication protocols that facilitate secure login procedures. While OAuth was jointly developed by Google and Twitter, SAML offers more granular control to enterprises. Both protocols share similar methodologies for transmitting login information. However, OAuth excels in the mobile environment and uses JSON format. In contrast, SAML provides enhanced security for single sign-on (SSO) logins. OAuth is supported by major social media platforms such as Facebook and Google.
