One of the major projects I have at work right now is about SAML, and I'm learning about it and finding it interesting and fun to play with.
What is SAML?
SAML is an acronym for Security Assertion Markup Language. It’s often used in Single Sign On services and it lets us “access multiple web applications using one set of login credentials”. For instance, if you’re logged onto Google, then it allows you to log into YouTube automatically.
With SAML, two different parties can exchange authentication data about users. It relies on a centralized identity provider (IdP), and the authentication performed by that IdP is used to access multiple, independent web applications.
Benefits of using SAML
First, SAML improves the user experience when using multiple web applications, since users don't need to enter login information each time. Also, with SAML, users don't need to remember multiple sets of passwords for the multiple web applications they use.
SAML also enhances security. Since authentication information is stored in one Identity Provider (IdP), the web applications, known as Service Providers (SPs), do not need to store credentials on their own systems.
How does SAML work?
Let us imagine Charlie, who is an employee at Company A. Charlie's company uses an Identity Provider (such as OneLogin, Okta, etc.) to authenticate and manage their employees' user accounts. One of the web applications that Company A uses is Zoom. When Charlie clicks on Zoom to log in, Charlie does not need to type in a password; he is automatically authenticated to Zoom through the Single Sign On service via their IdP. In this case, when Charlie accesses Zoom, Zoom (the Service Provider) redirects him to the IdP (OneLogin, Okta, etc.). The IdP recognizes Charlie's account and responds to Zoom with an assertion stating that Charlie is an authenticated, trusted user, and Zoom logs Charlie's account in.
The above is a brief example of a use case. The references below have good examples of how SAML works.
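The step the story glosses over is what Zoom, as the Service Provider, has to check before it trusts the IdP's answer. The following is an added example (not code from the original post, and not any IdP's or Zoom's implementation) of the SP-side checks on a SAML 2.0 Response after its XML signature has been verified: that the response was sent to this SP's own ACS URL, answers the AuthnRequest this SP actually sent, comes from the configured IdP, is inside its validity window, and names this SP in its audience restriction. The entity IDs, URLs, request ID and the whole Response document are constructed sample values.

```python
"""Service-provider-side checks on a SAML 2.0 Response (illustrative, added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


@dataclass(frozen=True)
class SPExpectations:
    """What the SP knows from its own configuration and from the AuthnRequest it sent."""
    idp_entity_id: str  # trusted IdP issuer, taken from IdP metadata
    audience: str       # this SP's own entity ID
    acs_url: str        # this SP's Assertion Consumer Service URL
    request_id: str     # ID of the AuthnRequest we sent, kept in the user's session


def _instant(value: str) -> datetime:
    """Parse the UTC xsd:dateTime form SAML uses, e.g. 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_saml_response(xml_text: str, expect: SPExpectations, now: datetime) -> str:
    """Return the authenticated NameID, or raise ValueError naming the failed check.

    Assumes the XML signature over the Response/Assertion was already verified
    against the IdP certificate (normally done by a SAML library); these are the
    checks that must still happen even when the signature is good.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != expect.acs_url:
        raise ValueError("Destination is not our ACS URL")
    if root.get("InResponseTo") != expect.request_id:
        raise ValueError("InResponseTo does not match our AuthnRequest")
    if root.findtext("saml:Issuer", namespaces=NS) != expect.idp_entity_id:
        raise ValueError("untrusted Response issuer")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("IdP did not report Success")

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != expect.idp_entity_id:
        raise ValueError("untrusted Assertion issuer")

    cond = a.find("saml:Conditions", NS)  # validity window and audience restriction
    if cond is None:
        raise ValueError("missing Conditions")
    if now < _instant(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now >= _instant(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expect.audience not in audiences:
        raise ValueError("assertion not intended for this SP")

    subject = a.find("saml:Subject", NS)
    name_id = subject.findtext("saml:NameID", namespaces=NS) if subject is not None else None
    if not name_id:
        raise ValueError("missing NameID")
    # A bearer confirmation must also be bound to our request, our ACS URL and a deadline.
    for sc in subject.findall("saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if (sc.get("Method") == BEARER and data is not None
                and data.get("Recipient") == expect.acs_url
                and data.get("InResponseTo") == expect.request_id
                and now < _instant(data.get("NotOnOrAfter"))):
            return name_id
    raise ValueError("no valid bearer SubjectConfirmation")


def validation_result(xml_text: str, now: datetime, expect: "SPExpectations" = None) -> tuple:
    """Wrap the validator so callers get ('ok', name) or ('rejected', reason)."""
    try:
        return ("ok", validate_saml_response(xml_text, expect or EXPECT, now))
    except ValueError as err:
        return ("rejected", str(err))


# Constructed sample values (not a real IdP, SP or user).
EXPECT = SPExpectations(
    idp_entity_id="https://idp.example/metadata", audience="https://sp.example/metadata",
    acs_url="https://sp.example/saml/acs", request_id="_req-0001")
NOW_VALID = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
NOW_LATE = NOW_VALID + timedelta(minutes=10)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp-0001" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
  Destination="https://sp.example/saml/acs" InResponseTo="_req-0001">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a-0001" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID>charlie@company-a.example</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData InResponseTo="_req-0001"
          Recipient="https://sp.example/saml/acs" NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(validation_result(SAMPLE_RESPONSE, NOW_VALID))
    print(validation_result(SAMPLE_RESPONSE, NOW_LATE))
```

Each rejection reason corresponds to a field the IdP binds the assertion to; an SP that skips one of them (most often the audience or the `InResponseTo` tie-back to its own request) accepts assertions it was never meant to consume. In a production SP these checks sit behind the XML signature verification that a SAML library performs, never in front of it.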