What does SAML mean?
SAML is an acronym for ‘Security Assertion Markup Language’. It is an open standard that is often used for Single Sign-On (SSO) in web-based applications.
History of SAML
SAML was developed by the Security Services Technical Committee of OASIS (Organization for the Advancement of Structured Information Standards). SAML is an XML-based framework that enables different organizations (with different security domains) to securely exchange authentication and authorization information.
Example Usage of SAML
SAML is used for federation, identity management, and single sign-on (SSO); its most common use in modern practice is SSO.
SAML and SSO
SAML is not the same as SSO. SAML is an XML-based language that facilitates single sign-on. SSO is an umbrella term for any of several methods, including SAML, OpenID Connect, and OAuth, that let you use one set of login credentials, such as a username and password, to log into multiple applications.
SAML Provider
SAML single sign-on authentication works by facilitating the exchange of user identity data between three parties: the user, an Identity Provider, and a Service Provider.
Identity Provider (IdP)
An internal directory or third-party cloud platform that holds user information and authenticates users.
Service Provider (SP)
Usually a web application whose service the user wants to use.
SAML Assertion
After authenticating the user, the Identity Provider sends a SAML assertion to the Service Provider to confirm that the user is valid.
A SAML assertion can contain:
- Name ID
- Authentication method (Authn context)
- Attributes
- Conditions
- Issuer ID
- Signature
SAML 2.0
Widely adopted since its introduction in 2005, SAML 2.0 is a mature standard used primarily for enterprise and government applications.
How does SAML work?
When a user enters their login credentials, the service provider sends a SAML request to the identity provider. The identity provider performs SAML-based authentication to verify the user and generates a digitally signed and encrypted SAML assertion that represents the user’s identity and permissions. The identity provider then sends the SAML assertion to the service provider.
Because a trust relationship between the service provider and the identity provider already exists, the service provider allows the user to access the requested resource or service. To grant access to resources, the service provider uses the identity provider’s response to create and configure a session for the user.
Certificates (public/private keys, x509 certificates)
Using certificates, the Identity Provider signs its SAML assertions, and the Service Provider verifies the signature with the public key that matches the private key used to sign the assertion, which ensures the assertion is authentic and has not been altered.
Metadata
SAML Metadata files can be used to configure the trust relationship between an Identity Provider and a Service Provider.
SAML Metadata files include the public key (the X509Certificate element), which can be used to validate the signature on an incoming SAML request or response.
SAML Tracer
SAML Tracer is a debugging tool that captures SAML messages in the browser.