Suppose you join a new company and they give you a username and password (plus MFA) to access their dashboard. When you enter your login credentials, you are presented with a dashboard showing an assortment of applications you can use, e.g., Salesforce, Gmail, Box, Expensify, Jira, AWS, etc.
You know from your own experience that each of those applications should require you to enter separate login credentials. But here, in your dashboard, when you click on any application you access it directly and the corresponding interface opens right in front of your eyes, without asking you for any username or password at all.
You might be wondering, "What's the trick?"
Nothing. It's SAML in action...
What is SAML?
SAML stands for Security Assertion Markup Language. Its primary role in online security is that it enables you to access multiple web applications using one set of login credentials. That is what is called Single Sign On (SSO)...
SAML is an XML-based open-standard for transferring IDENTITY data between two parties: an identity provider (IdP) and a service provider (SP).
This is the right moment in your reading to get a firm hold of these two terms.
Your organization often needs to confirm the identity of your users/employees before granting them access. A good analogy is the airline industry. Before you board an aircraft, the airline needs to confirm whether you are 'who you say you are,' to ensure the security of other passengers. So, what do they do? They VERIFY your identity with some form of government-issued 'picture' identification. Once they confirm that the name on your identification matches the name on your airline ticket, they allow you to board the aircraft. Doesn't it make perfect sense?
In the above situation, the government is playing the role of 'Identity Provider' and the airline is the 'Service Provider'. Your government-issued identification is the SAML Assertion.
When you apply for a government ID, you usually need to complete a form, have your picture taken, and in some circumstances, your fingerprints as well. The government (identity provider) then stores these identifying attributes in their database and issues you with a physical ID associated with your identity.
In the airline example, when you arrive at the gate, the airline (service provider) checks your ID (the SAML assertion). The airline accepts your ID because it contains your details, and the identity card or passport passes scrutiny as a valid document. After successful authentication, the airline then allows you to board the aircraft.
Now you are ready to understand SAML better.
SAML uses Extensible Markup Language (XML), a set of rules for encoding documents, to standardize communications between various systems. SAML version 2.0 has been in use since March 2005.
In technical terms, SAML is an open federation standard or protocol that allows an identity provider (IdP) to authenticate users and then pass an 'authentication token' to another application known as a service provider (SP).
The Identity Provider performs 'authentication' and passes the user's 'identity' and 'authorization level' to the service provider. Since the Service Provider fully trusts the identity provider, it 'authorizes' the given user to access the requested resource.
By now, it must be very obvious to you that SAML has two primary security functions:
Determining that users are 'who they claim to be'
Passing user authorization to apps for access to certain systems or content
Since both the IdP and the SP speak the same language, i.e., SAML, your users need to log in only once. From the perspective of User Experience (UX), it is a great thing to allow a user to authenticate once and gain access to separately secured systems without resubmitting credentials.
What is a SAML assertion?
A SAML Assertion is an XML document that the identity provider sends to the SP and which contains the user's authorization status.
It is a message sent to the SP that tells the service provider that a user has signed in. SAML assertions contain all the information necessary for a service provider to confirm the user's identity, including the source of the assertion, the time it was issued, and the conditions that make the assertion valid.
You can think of a SAML assertion as being like the contents of a reference-letter given for a job candidate. What does it mean? It means, the person providing the reference says -- when and for how long they worked with the candidate, what their role was, and their opinion on the candidate. Based on this reference, a company can make a decision about hiring the candidate.
Your SAML assertion is just like that, and a SaaS application or cloud-based service can allow or deny user access based on a SAML assertion.
The three distinct types of SAML Assertions are:
- Authentication assertions help verify the identity of a user and provide the time the user logged in and which method of authentication was used (for example, password, MFA, Kerberos, etc.)
- Attribute assertions carry specific attributes of the user (for example, name, email address, group membership) from the identity provider to the service provider.
- Authorization decision assertions state whether the user is permitted to access a given resource, or whether that request has been denied.
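As an added example (not code from the original article), here is how a service provider would check the "source, time issued, and conditions" of an assertion described above, and read the login time and method out of its authentication statement. The assertion XML is a constructed sample with placeholder issuer, audience and subject values, and it assumes the XML signature has already been verified, since that signature is what makes the SP's trust in the IdP safe.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; idp.example.com, app.example.com and
# alice@example.com are placeholders, not values from any real deployment.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-15T09:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_ts(value):
    """Parse the UTC timestamps SAML uses, e.g. 2024-01-15T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, trusted_issuer, my_audience, now):
    """Return (ok, reason, info). Assumes the XML signature was verified already."""
    root = ET.fromstring(xml_text)
    # Source of the assertion: only the IdP we configured is acceptable.
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        return False, "untrusted issuer", {}
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no conditions", {}
    # Validity window: NotBefore is optional, NotOnOrAfter is an exclusive bound.
    not_before = cond.get("NotBefore")
    if (not_before and now < parse_ts(not_before)) or now >= parse_ts(cond.get("NotOnOrAfter")):
        return False, "assertion expired or not yet valid", {}
    # Audience: an assertion issued for another SP must not be accepted here.
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if my_audience not in audiences:
        return False, "assertion not intended for this SP", {}
    # The authentication statement tells us when and how the user logged in.
    authn = root.find("saml:AuthnStatement", NS)
    info = {
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "authn_instant": authn.get("AuthnInstant"),
        "authn_method": authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
    }
    return True, "ok", info
```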
How is SAML different from OAuth?
We will discuss that. Let's first recall that modern social media networks all require their users to create an account for the platform. We all have separate accounts for Facebook, LinkedIn, Twitter, Pinterest, etc.
The way these platforms work, and their requirement that everyone create an account, resulted in a need for a lightweight yet secure way for users to maintain their account credentials. On top of that, a mechanism was needed to REUSE those account credentials to SIGN IN to additional social media networks.
Thus Google and Twitter collaborated and developed OAuth, an authorization standard or protocol. OAuth allows people to log in to different websites in a more streamlined manner. In that respect, OAuth is very similar to SAML.
However, SAML is still more suited for enterprises because it provides you more control and security for SSO logins than OAuth. OAuth is known for offering BARE MINIMUM access once a user is verified, also known as access scoping.
When you want to create an account with a new SaaS or online service, you might see the option to "Sign in with Google" or "Sign in with Facebook" rather than creating an account with the typical username and password. That SaaS vendor or website is actually relying on OAuth technologies to facilitate account creation and user adoption. You must have seen this in operation on many occasions while surfing the internet.
SAML and Your IAM
Your organisation also depends upon an Identity and Access Management (IAM) solution to keep track of employee activity. IAM tracks your employees not only as they enter your network via their devices but also as they engage and interact with your applications and systems.
You know that your employees need access to your network, but you want to reduce their access to job-specific applications to ensure productivity and also to reduce the possibility of a security breach. When you limit their access to certain applications and data using role-based protocols, it diminishes the chances of a cyber-attacker using brute force to compromise all employees' credentials. If the attacker knows that not everyone has access, then they might reconsider a large-scale attack...
A much better approach is to adopt an IAM solution that offers SAML capabilities for enterprises. Remember, managing authentication and authorization for all systems, including devices, servers, and cloud applications, is a crucial step in managing user-device connectivity, and ultimately in mitigating security breaches.
Both SAML and OAuth streamline identity tasks. They provide an identity bridge that synchronizes identity entitlements across your on-premises and cloud services.
Due to its many benefits, SAML is a widely adopted enterprise solution.
Here is the summary.
SAML improves the user experience as you only need to sign in once to access multiple web applications. Not only does this speed up the authentication process, but it also means you only need to remember one set of credentials. SAML also offers you increased security. Since the identity provider stores all login information, the service provider does not need to store any user credentials on their system.
Furthermore, as the identity provider specializes in providing secure SAML authentication, they have the economies of scale to invest time and resources in implementing multiple layers of security.
To combine analogies, if you think of single sign-on (SSO) as “one password to rule them all,” think of SAML as the glue that binds them all together.
Kindly write your comments on the posts or topics, because when you do that you help me greatly in designing new quality articles/posts on cybersecurity.
You can also share with all of us if the information shared here helps you in some manner.
Life is short, so make the most of it!
Also take care of yourself and your beloved ones…
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so passionate about the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on her website and on social media platforms.
34,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook.