What is SAML and How Does SAML Authentication Work?

Single sign-on and secure identity federation between applications is critical in modern IT environments. SAML (Security Assertion Markup Language) has emerged as the standard for enabling seamless SSO and exchanging user authentication details between identity providers and service providers.

This XML-based open standard streamlines authentication and provides benefits like enhanced security, simplified identity management and better user experience.

This article explores how SAML-based authentication works in IT ecosystems.

What is SAML Authentication?

SAML stands for Security Assertion Markup Language. It is an open XML-based standard specification for exchanging authentication and authorisation credentials between parties, specifically between identity providers and service providers.

The SAML standard describes exactly how identity and security information should be formatted, exchanged, and interpreted via XML documents known as SAML assertions.

SAML at a High Level

At a high level, SAML enables single sign-on (SSO). This essentially means it allows users to authenticate themselves once with an identity provider and gain access to multiple applications and systems without needing to log in repeatedly.

SAML transfers the user's authentication status and access permissions from the identity provider to connected systems that serve as service providers.

The two main parties in SAML transactions are:

• Identity Provider (IdP) - The identity provider authenticates users. It validates a user's identity and issues SAML assertions containing their authentication status, attributes, and authorisation permissions to access services. Some examples of identity providers include Active Directory Federation Services, Okta, Ping Identity, and more.
• Service Provider (SP) - The service provider consumes and relies on the SAML assertions provided by the identity provider for authentication and authorisation. Popular service provider applications include Office 365, Salesforce, Workday, AWS, and more.

When a user attempts to access a service provider application, if they have not already been authenticated, the service provider redirects them to the identity provider to log in. The identity provider authenticates the user via credentials like username/password.

SAML Assertions

Once authenticated, the identity provider generates a SAML assertion, an XML document asserting the user's authenticated identity and containing attributes about the user. Some attributes that may be included in SAML assertions are username, email, first/last name, job title, group membership info, and more.

The SAML assertion is then transmitted securely back to the service provider application, which allows the user access based on the confirmed identity and attributes in the SAML assertion, enabling single sign-on across multiple applications.

SAML Components

SAML Authority

• The SAML authority manages the SAML certificate issue and acts as the ecosystem's gatekeeper.
• SAML certificates provide genuine authorised identities and build confidence between identity providers and service providers in a SAML federation.
• The SAML authority verifies SAML providers' identities before granting certificates. This vital verification procedure keeps fraudulent or renegade parties out of the ecosystem.
• According to policy frameworks, the SAML authority administers SAML certificate renewal, revocation, expiry timeframes, and issuance.
• SAML authority features are built into most major identity providers like Microsoft Active Directory Federation Services and Okta to handle certificates.

SAML Service Provider

• SAML service providers are the consumers of SAML identities in a SAML transaction flow. Popular software-as-a-service apps that function as service providers include Office 365, Salesforce, Workday, Slack, Box, and more.
• Infrastructure-as-a-service platforms like AWS that offer SAML integration to manage resource access also serve as SAML service providers.
• When no user session exists, the service provider begins SAML authentication by creating and submitting an authentication request to the identity provider using XML-based SAML protocol communications.
• The service provider processes the SAML assertion response from the identity provider to make access decisions for the user based on the confirmed identity claims and attribute information contained in the assertion.

SAML Identity Provider

• SAML identity providers authenticate users and verify trustworthy digital identities.
• Microsoft Active Directory Federation Services, Okta, Ping Identity, Shibboleth, Salesforce Identity, Oracle Identity Cloud Service and others are popular identity suppliers.
• User authentication is commonly done via an interactive login procedure requiring a username/password. Measures like Multi-Factor Authentication may also boost security.
• After authenticating a user, the identity provider creates and cryptographically signs SAML assertions containing trusted digital identity information, including service provider access authorisation characteristics.

How Does SAML Authentication Work?

SAML (Security Assertion Markup Language) is an open standard for sharing authentication and authorisation data between parties, particularly an identity provider and a service provider. The SAML standard defines an XML-based framework for creating and managing identity federation, single sign-on and the secure exchange of user identity information.

When a user attempts to access a protected resource or application that uses SAML-based single sign-on, the following process occurs:

1. User Access Request - The process begins when the user tries to access a resource hosted by the service provider that requires authentication. This could be a web application, API or other protected endpoint.
2. Redirect to Identity Provider - Since there is no active user session, the service provider constructs an SAML-based authentication request and redirects the browser to the configured identity provider through the user's browser.
3. Identity Provider Login - At the identity provider, the user will be requested to log in using their credentials through a login form. This could require a username/password, social login or other authentication factors.
4. Identity Verification - The identity provider verifies the user's identity and credentials are valid. This is done by checking against the user store or directory.
5. SAML Assertion Issued - After successful authentication, the identity provider generates a SAML assertion, which is an XML document asserting the user's identity, attributes and authorisation details.
6. Assertion Signed and Encrypted - The assertion is digitally signed to ensure integrity and prevent tampering. It is also encrypted to provide confidentiality.
7. Assertion Sent to the Service Provider - The identity provider posts the signed/encrypted assertion back to the service provider's endpoint via the user's browser through an automatic redirection.
8. Assertion Processed - The service provider receives the SAML response, decrypts it, and validates the signature to ensure the assertion is authentic and comes from the trusted identity provider.

SAML Protocol Bindings

SAML protocol bindings define how SAML messages are transported between entities like identity providers (IdPs) and service providers (SPs). The main bindings are SOAP, HTTP Redirect, and HTTP POST.

1. SOAP - Simple Object Access Protocol

SOAP binding encapsulates SAML messages within SOAP envelopes and transmits them via SOAP over HTTP. SOAP provides built-in security, supports additional WS-* standards, and enables complex multi-step web service interactions. However, SOAP messages have significant overheads that impact performance. SOAP binding is rarely used today.

2. HTTP Redirect

HTTP Redirect binding transmits SAML messages by redirecting the user's browser to the target URL via an HTTP 302 response. The SAML message is encoded into the redirect URL. This is simple and works well for SSO, but it has size limitations and exposes the message in URLs.

3. HTTP POST

HTTP POST binding sends SAML messages within the HTTP POST body. This avoids size limits and visibility of Redirect binding. However, it relies on browsers supporting cross-origin POSTs. POST binding is the most common and preferred choice today as it balances security, performance, and compatibility.

SAML Security

SAML employs several important mechanisms to provide secure communication between identity providers and service providers. This prevents security threats and attacks that could compromise user identities and information.

Digital Signatures Prevent Tampering

Digital signatures using public-key cryptography prevent tampering and modification of SAML messages. The sender signs the message using their key, and the receiver verifies it with the sender's public key. This ensures integrity, as any changes made to the message after signing would invalidate the digital signature. Digital signatures confirm the message came from the expected sender.

Encryption Protects Sensitive User Information

Encryption helps protect sensitive user information contained within SAML assertions, like usernames, attributes, and authorisation decisions. The intended recipient's public key can be used to encrypt SAML communications so that only they can decode them using their private key. Encryption provides confidentiality against eavesdropping or interception of SAML communications.

Keys and Certificates Help Establish Trust Between Parties

Public key infrastructure (PKI) establishes trust between parties by using key pairs and certificates from certificate authorities. Verifying identity and service providers' certificates before exchanging SAML information helps prevent man-in-the-middle attacks through spoofed identities.

HTTPS transport between providers is also essential to secure SAML exchanges. HTTPS prevents active attacks like tampering or spoofing of messages in transit.

Benefits of SAML

• Enables single sign-on (SSO) for a simplified and improved end-user experience across multiple applications and services. Users can access everything they need with one set of credentials.
• Reduces the number of passwords and credentials users must remember by federating identities across apps. This prevents password fatigue and forgetfulness.
• Centralised authentication at the identity provider enhances security by minimising the potential attack surface. Service providers trust the identity provider to handle authentication.
• Decouples authentication from authorisation, streamlining identity management. User credentials stay with the identity provider while each application handles access decisions.
• Provides significant cost savings regarding reduced password reset requests and help desk tickets. SAML eliminates much of the duplicate identity management efforts.
• Minimises the custom integration work required to connect disparate cloud and on-premises applications, reducing IT expenses.
• Increases customer retention, satisfaction, and trust by providing seamless SSO access to services. Reduces friction for users.
• Allows integration between legacy on-premises applications and new cloud-based services and infrastructure.
• Standardised and secured the authentication process between identity providers and service providers across domains.
• Leverages portable encrypted XML-based SAML assertions to handle federated identity transactions.

Conclusion

SAML enables secure single sign-on and identity federation through standardised XML-based communication between identity providers and service providers. Its ability to solve authentication and authorisation issues provides significant benefits for security, IT efficiency, user experience, and customer satisfaction.

Businesses can also further enhance security by adopting additional security measures like MFA through reputed providers. For example, we at InstaSafe offer Multi-Factor Authentication and other Zero Trust Security solutions.

Frequently Asked Questions (FAQs)

• What are the roles in SAML authentication?

SAML authentication has three major roles: user, identity provider and service provider. The identity provider authenticates the user and forwards authentication assertions to the service provider.

• What is SAML, an authentication protocol based on?

SAML authentication is based on the exchange of XML documents containing assertions that one party makes about the authentication status of a user to other parties.

• What are the two models for users to authenticate using SAML?

Users can authenticate using SAML in two ways: service provider-initiated authentication, which sends the user to the identity provider, and identity provider-initiated authentication, which asks the user to log in.