What is SAML? With the general shift of IT towards the cloud and SaaS-delivered applications, SAML is becoming a hot topic. Let’s explore SAML, how it works, its history and benefits, and how you can use it.
What is SAML?
The Security Assertion Markup Language (SAML) is the go-to protocol for many web application single sign-on (SSO) providers. SAML uses digitally signed Extensible Markup Language (XML) documents, called assertions, to convey a user's authentication from an identity provider (IdP) to a service provider (SP), i.e. the application. That is certainly a lot of acronyms, but they will make more sense as we dive into how SAML works.
How SAML Works
The process goes something like this. When a user wants to access a web application, they first visit the service via an ‘agent’, which is nearly always a standard web browser such as Chrome, Firefox, Safari, or Internet Explorer/Edge. The agent then requests access from the SP, i.e., tries to log in to the app.
The SP has been administratively configured to defer its authentication to a specific source, the IdP. Instead of showing its own login form, the SP hands the browser an authentication request and redirects it over the internet to the IdP so that the user's identity can be verified there. For the user this simply looks like being sent to another website with a basic login page: a username/email field and a password field.
The user enters their credentials and the IdP verifies them. Upon successful verification, the IdP generates a digitally signed XML document, referred to as an assertion. This is the IdP's figurative “hall pass”: it states that the IdP knows this user and that they may be admitted to the app. The assertion is relayed back to the user's browser and from there on to the service provider, which ingests the “hall pass” and, once satisfied, redirects the user into the app. Because the pass travels through the user's browser, the SP must not take it at face value: it checks the signature against the IdP's certificate, confirms the assertion was issued for this SP (the audience), that it is still within its validity window, and that it answers the request the SP actually sent. When broken down visually, the following diagram demonstrates the basic steps of this transaction:
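The three steps above, carried through end to end as an added example in Python (standard library only). This is not code from the original article or from any SAML product. It builds the SP's AuthnRequest and carries it with the HTTP-Redirect binding, builds a constructed IdP Response holding a bearer assertion, delivers it the way the HTTP-POST binding does, and then runs the checks an SP must make before trusting the “hall pass”: status, Destination, InResponseTo, Issuer, validity window with clock skew, Audience and SubjectConfirmationData. The entity IDs, URLs, the user `alice@example.com` and the fixed clock `DEMO_NOW` are assumptions made for the walk-through. One deliberate gap: the assertion is unsigned and XML-DSig verification against the IdP's certificate is not implemented (in practice use xmlsec or python3-saml, and parse untrusted XML with defusedxml). The checks shown are the ones that must follow a successful signature check; on their own they prove nothing.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Assumed identifiers and endpoints for the two parties (not from the article).
SP_ENTITY_ID = "https://sp.example.com/metadata"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
ACS_URL = "https://sp.example.com/saml/acs"   # SP's Assertion Consumer Service: the browser POSTs the Response here
SSO_URL = "https://idp.example.com/sso"       # IdP's SSO endpoint: the browser carries the AuthnRequest here
DEMO_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so the walk-through is reproducible

def iso(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_authn_request(request_id, now):
    """Step 1 (SP): the AuthnRequest the SP hands to the browser. The SP must remember request_id."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{iso(now)}" Destination="{SSO_URL}" '
            f'AssertionConsumerServiceURL="{ACS_URL}"><saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
            f'</samlp:AuthnRequest>')

def redirect_url(authn_request_xml, relay_state="/dashboard"):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode into the query string."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 gives raw DEFLATE (no zlib header)
    deflated = c.compress(authn_request_xml.encode()) + c.flush()
    return SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                                      "RelayState": relay_state})

def decode_redirect(url):
    """IdP side of the Redirect binding: recover the request ID and RelayState from the URL."""
    q = parse_qs(urlparse(url).query)
    xml_text = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()
    return ET.fromstring(xml_text).get("ID"), q["RelayState"][0]

def build_response(in_response_to, now, name_id="alice@example.com", audience=SP_ENTITY_ID):
    """Step 2 (IdP): after checking the password, wrap a bearer Assertion in a Response.
    A real IdP signs the Assertion and/or Response with XML-DSig; the signature is omitted here."""
    expiry = iso(now + timedelta(minutes=5))
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{iso(now)}" '
            f'Destination="{ACS_URL}" InResponseTo="{in_response_to}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{iso(now)}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject>'
            f'<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>'
            f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{in_response_to}" '
            f'NotOnOrAfter="{expiry}"/></saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{iso(now - timedelta(minutes=1))}" NotOnOrAfter="{expiry}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions></saml:Assertion></samlp:Response>')

def to_post_field(response_xml):
    """HTTP-POST binding: the IdP returns an auto-submitting form whose SAMLResponse field is base64 XML."""
    return base64.b64encode(response_xml.encode()).decode()

def validate_response(saml_response_b64, expected_request_id, now, skew=timedelta(seconds=120)):
    """Step 3 (SP): the checks that must run AFTER the XML-DSig signature has been verified against
    the IdP's certificate (use xmlsec/signxml for that; not implemented here). Returns the NameID."""
    def must(cond, why):
        if not cond:
            raise ValueError(why)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    must(root.tag == f'{{{NS["samlp"]}}}Response', "not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    must(status is not None and status.get("Value") == SUCCESS, "IdP reported failure")
    must(root.get("Destination") == ACS_URL, "Response addressed to another endpoint")
    must(root.get("InResponseTo") == expected_request_id, "unsolicited or replayed Response")
    a = root.find("saml:Assertion", NS)
    must(a is not None and a.findtext("saml:Issuer", namespaces=NS) == IDP_ENTITY_ID, "unexpected issuer")
    cond = a.find("saml:Conditions", NS)
    must(now + skew >= parse_iso(cond.get("NotBefore")), "assertion not yet valid")
    must(now - skew < parse_iso(cond.get("NotOnOrAfter")), "assertion expired")
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    must(SP_ENTITY_ID in audiences, "assertion issued for a different SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    must(scd is not None and scd.get("Recipient") == ACS_URL and scd.get("InResponseTo") == expected_request_id, "bad subject confirmation")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def rejection_reason(saml_response_b64, expected_request_id, now, minutes_later=0):
    """Why the SP refuses a Response (None if accepted); minutes_later moves the SP's clock forward."""
    try:
        validate_response(saml_response_b64, expected_request_id, now + timedelta(minutes=minutes_later))
        return None
    except ValueError as e:
        return str(e)

def sso_flow(now=DEMO_NOW):
    """The whole browser-mediated round trip: SP -> browser -> IdP -> browser -> SP."""
    request_id = "_" + secrets.token_hex(16)
    seen_id, relay = decode_redirect(redirect_url(build_authn_request(request_id, now)))
    post_field = to_post_field(build_response(seen_id, now))
    return validate_response(post_field, request_id, now), relay
```

`sso_flow()` returns `('alice@example.com', '/dashboard')`; `rejection_reason` shows what the same Response looks like to the SP when it is replayed against a different request ID, presented after its validity window, or issued to another SP, which are the conditions an attacker who has captured a hall pass from the browser would try to violate.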
The History of SAML
SAML was created by the Organization for the Advancement of Structured Information Standards (OASIS) in late 2002. By that time, the