SAML 2.0 Web SSO: Fundamentals

Sahan Gunathilaka
6 min read · Aug 8, 2018

I am going to write a blog series on SAML 2.0 Web SSO, and welcome to the very first post. By reading to the end, you will gain a broad knowledge of SAML and SSO, especially as they relate to this topic.

Let’s give it a start!

(Source: http://www.lesson.ly/wp-content/uploads/2015/03/draft-saml-logo-03.png)

What is SAML?

In simple terms, SAML stands for Security Assertion Markup Language, which was created by an organization called OASIS. SAML 2.0 is the version widely used at present, and it was released in March 2005. It is an XML-based data format/protocol for exchanging authentication and authorization data between security domains. For our topic, this data is exchanged between a service provider and an identity provider. You can find more details about them from here.

OASIS provides five main SAML specifications, named as follows. You may refer to them for a complete understanding of SAML.

  1. SAML-core
  2. SAML-bindings
  3. SAML-profiles
  4. SAML-metadata
  5. SAML-conformance

Why may we use SAML?

The obvious answer is that it provides secure authentication for users. However, I can give you three key benefits of SAML. Let’s go through them in brief.

(In case you do not have a clear idea about an Identity Provider and a Service Provider, let’s clarify them in brief.

Identity Provider (IdP) — In simple terms, an IdP is a service that is responsible for managing user credentials (usernames and passwords) and validating users against those credentials.

Service Provider (SP) — This can be thought of as an application from which authenticated users can get certain services/resources based on their requirements. For example, Google can be thought of as a service provider, and authenticated users can use Google services such as Gmail, Google Docs, Google Calendar, Google Drive, etc.)

Continuing benefits…

  • Security

As mentioned above, SAML provides secure user authentication. Security is the most important factor, especially in enterprise applications, at present and even more so in the future. Basically, SAML can be used to provide a single point of authentication at a secure Identity Provider. Because of that, user credentials are more secure and never leave the firewall boundary, and there are far fewer places from which the credentials can leak. But if authentication happens at a single point and the user credentials never leave it, how can the Service Provider identify whether the requesting user is valid?

That part is carried out by SAML assertions. Assertions can be exchanged between an IdP and an SP using SAML. They contain the response/result from the IdP, and the SP grants access based on that (we’ll talk about assertions in the latter part). Further, these assertions can be signed by a trusted party and can also be encrypted if needed. Let’s keep them for future readings!

  • Standardization

This is as important as the security SAML provides. Since SAML is standardized, we can use it with any system, independent of its implementation. Standardization helps extend the usage of SAML to many different applications.

  • User experience

Another great benefit of SAML is the user experience. SAML allows users to access multiple applications securely using a single set of credentials, entered once. Users have to log in only at a single point, and all other applications can be accessed without logging in again and again. Since users need a single set of credentials, they are freed from keeping separate usernames and passwords for each application. That is a massive help for users.

As described above, SAML has some specific qualities that make it better than other protocols. Among many, the single most important requirement that SAML addresses is Web browser Single Sign-On (SSO). That is what I used to describe the third benefit above (User Experience). As mentioned in the beginning, this blog series will help you understand how SAML enables SSO and how the authentication flow works.

When it comes to SSO, SAML defines three parties that are directly involved in the communication flow. They are:

  1. The Principal — In simple terms, this is typically the user who is looking for a resource or a service from a service provider.
  2. The Identity Provider — This has the same meaning as in the section above. But when it comes to SAML, the IdP has two main duties. The first is the obvious one: it is responsible for authenticating users based on the credentials they provide. The second important task is that the IdP should issue assertions to the SP that carry the result of the user authentication. Hence the IdP is also called the ‘Asserting Party’ (or ‘SAML authority’ in some cases).
  3. The Service Provider — This also has the basic functionality described in the section above. In addition, it should consume assertions issued by the IdP in order to provide services or resources to the principal. The SP relies totally on those assertions. Hence it is also called the ‘Relying Party’ (or ‘SAML/Assertion consumer’ in some cases).

The word “Assertion” has been used several times within this post. Are you familiar with it? What does it mean, or what actually is an assertion?

The word “Assertion” has been used several times within this post. Are you familiar with this word, what does it mean by or actually what is an assertion?

What is an Assertion?

An assertion is a kind of package of information. More precisely, a SAML assertion is a package of security information that contains zero or more statements. SAML assertions are usually made about a subject, and each assertion is associated with it. Most of the time this subject is the same as the principal, and it is the main reference for the assertion between the IdP and the SP. There are three kinds of assertion statements defined in the SAML 2.0 specification. All of them are created by the SAML authority to be used by the SAML consumer. The three statements are as follows:

  1. Authentication Statement — This statement states that a subject/principal has authenticated with the identity provider at a particular time using a particular method. It is the most important statement in an assertion under SSO, and it is mainly about the subject.
  2. Attribute Statement — This statement provides attributes associated with the subject for use by the relying party. An attribute is simply a name-value pair, and there can be further supporting facts that describe the subject. These attributes let the relying party make access control decisions.
  3. Authorization Decision Statement — This statement specifies the actions the subject is authorized to perform on particular resources. It can be thought of simply as granting or denying access to certain services or resources. However, this statement in SAML is intentionally limited.
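To make the three statement types concrete, here is an added example (not part of the original post) that reads a constructed, unsigned SAML 2.0 assertion and pulls out the subject and each kind of statement. The issuer, subject, attribute, and resource values are made up for illustration, and the function name `summarize_assertion` is hypothetical; a real SP would verify the assertion's signature before trusting any of these fields.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned, illustrative values only).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0" IssueInstant="2018-08-08T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2018-08-08T09:59:58Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>editor</saml:AttributeValue>
      <saml:AttributeValue>reviewer</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://sp.example.com/reports" Decision="Permit">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>
"""

def summarize_assertion(xml_text):
    """Extract subject and statements; does NOT verify signatures or conditions."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 assertion")
    authn = [  # who authenticated, when, and by which method
        {"instant": s.get("AuthnInstant"),
         "method": s.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)}
        for s in root.findall("saml:AuthnStatement", NS)
    ]
    attrs = {}  # name -> list of values (an attribute may be multi-valued)
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs.setdefault(a.get("Name"), []).extend(
            v.text for v in a.findall("saml:AttributeValue", NS))
    authz = [  # permitted or denied actions on a resource
        {"resource": s.get("Resource"), "decision": s.get("Decision"),
         "actions": [x.text for x in s.findall("saml:Action", NS)]}
        for s in root.findall("saml:AuthzDecisionStatement", NS)
    ]
    return {"issuer": root.findtext("saml:Issuer", namespaces=NS),
            "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "authn": authn, "attributes": attrs, "authz": authz}
```

An assertion with no statements at all still parses and returns empty lists, which matches the "zero or more statements" wording above.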

The basics of SAML that are related to the topic are covered up to here. But there is a lot more to SAML, and you should refer to the documents I have provided above to learn it in depth. Let’s wrap this up by touching a bit on SSO.

What is SSO?

As we already know, SSO stands for Single Sign-On. It is about logging in to one application once with a single set of credentials and then using multiple applications without logging in again and again. That gives the user a better experience, since a single set of credentials covers multiple applications. The most familiar example of this scenario is logging in to a Google account, after which we can use all of its services/resources without logging in again, such as Gmail, Google Docs, Google Calendar, Google Drive, YouTube, etc. In SAML Web SSO, web browser cookies and session management play the major roles. Let’s keep them too for future readings!

In the next post, I will write about how the authentication process happens in SAML SSO, along with the communication flow. Details on how cookies and session management work will also be covered.

I hope I could help you learn something new or something you needed. Don’t forget to hit the applause!
