Saturday 8 August 2015

SAML

SAML stands for Security Assertion Markup Language, a standard developed by OASIS (Organization for the Advancement of Structured Information Standards); the OASIS Security Services Technical Committee (SSTC) develops and maintains it. SAML is an XML-based, open-standard data format for exchanging authentication and authorization data between parties.

It is primarily used for communication between an identity provider and a service provider.

Service Provider (SP): The service provider is the party that hosts the applications.

Identity Provider (IDP): An identity provider is a trusted provider that enables you to use single sign-on to access other websites.

The security information exchanged between parties is expressed in the form of SAML assertions.

How does SAML authentication work?
The SAML specification defines three roles:
1. User
2. Identity Provider
3. Service Provider

In a simple scenario:
1. The user requests a service from the service provider.
2. The service provider starts the authentication process and redirects the request to the registered identity provider.
3. The identity provider requests the user's credentials.
4. The identity provider checks the user's credentials against the company database.
5. The identity provider returns a SAML response to the user.
6. The service provider grants access to the user.

SAML V2.0 supports both IDP-initiated and SP-initiated flows. The scenario above describes the SP-initiated flow.

Why is SAML needed?
a.   Single Sign-on
Single sign-on allows users to access multiple services with a single login, so the user no longer needs to remember many usernames and passwords. Prior to SAML, products supported single sign-on by using browser cookies: the user's authentication state was maintained in browser cookies, so that re-authentication was not required each time the web user accessed the system. One problem with cookies is that they are not transmitted between different domains.

To support multi-domain single sign-on, some companies came up with their own proprietary protocols. Since every product had its own protocol, working with all of them was complex.


SAML solves the multi-domain single sign-on problem by providing a standard, vendor-independent grammar and protocol for transferring information about a user from one web server to another, independent of the servers' DNS domains.




1 comment:

  1. Nice Article which clearly explains SAML for beginners.