What Is SAML: Definition And How It Works
Published 2023-11-20 at https://businessyield.com/tech/cyber-security/what-is-saml-definition-and-how-it-works/
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. It is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions).
It is also:
An important use case that SAML addresses is web-browser single sign-on (SSO). Single sign-on is relatively easy to accomplish within a single security domain (using cookies, for example), but extending SSO across security domains is more difficult and has resulted in the proliferation of non-interoperable proprietary technologies.
The SAML Web Browser SSO profile was specified and standardized to promote interoperability.
The Organization for the Advancement of Structured Information Standards (OASIS) manages the SAML protocol. SAML 2.0, the current version, was published as an OASIS standard in 2005.
In computing and networking, one of the major challenges is getting systems and devices built by different vendors for different purposes to work together. This is called "interoperability": the ability of different machines to interact with each other despite their differing technical specifications. SAML is an interoperable standard: it is a widely accepted way to communicate a user's identity to cloud service providers.
Security Assertion Markup Language (SAML) is an open standard for sharing security information about identity, authentication and authorization across different systems. SAML is implemented with the Extensible Markup Language (XML) standard for sharing data. It provides a framework for implementing single sign-on (SSO) and other federated identity systems.
A federated identity system links an individual identity to multiple identity domains.
This approach enables SSO that encompasses resources on an enterprise network, trusted third-party vendors, and customer networks.
SAML is an important component of SSO systems that enable users to access multiple applications, services or websites from a single login process. Identity and authentication information is shared across different systems and services using the SAML protocol to request, receive and format that data.
Single sign-on (SSO) is a way for users to be authenticated for multiple applications and services at once. With SSO, a user signs in at a single login screen and can then use the applications connected to that SSO system. Users do not need to confirm their identity with every single service they use.
For this to take place, the SSO system must communicate with every external app to tell it that the user is signed in. This is where SAML comes into play.
SAML is a standard for requesting authentication. Its most common use is to enable SSO. Some products that implement SSO services using SAML include the following:
SSO systems implement federated identity management to enable multiple domains to authenticate users using one set of credentials. SSO can use SAML protocols to exchange authentication information, or it can use some other protocol, like OpenID, to manage cross-domain authentication.
A typical SSO authentication process involves these three parties:
This is what a typical flow might look like:
The principal sends a request to the service provider, which then requests authentication from the identity provider. The identity provider sends a SAML assertion to the service provider, and the service provider can then send a response to the principal.
If the principal (the user) was not already logged in, the identity provider may prompt them to log in before sending an assertion.
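The last step of that flow is the one that carries the security decision: the service provider must not simply trust whatever assertion arrives, but check that it came from the identity provider it was configured to trust, that it was issued for this service provider, and that it is still within its validity window. The following is an added example, not code from the original article, written with the Python standard library against a constructed sample response; the entity IDs, URLs, timestamps and NameID are invented, and it assumes that XML signature verification has already been performed by a SAML library before these checks run.

```python
"""Service-provider-side checks on a SAML 2.0 Response.

Added example, not code from the original article. Standard library only.
The response below is constructed for illustration: entity IDs, URLs,
timestamps and the NameID are invented. XML-DSig signature verification is
assumed to have been done by a SAML library before these checks run; it is
not implemented here (it is the check that makes the others trustworthy).
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml in production to block entity-expansion attacks

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: what the identity provider posts to the service
# provider's assertion consumer service once the principal has logged in.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2023-11-20T16:00:00Z"
    Destination="https://sp.example.test/acs">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-11-20T16:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2023-11-20T15:59:00Z" NotOnOrAfter="2023-11-20T16:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2023-11-20T15:59:30Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(value):
    """SAML timestamps are xs:dateTime in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, idp_entity_id, sp_entity_id, acs_url, now,
                      clock_skew=timedelta(seconds=60)):
    """Return the subject NameID if every check passes, else raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    if root.get("Destination") not in (None, acs_url):
        raise ValueError("Destination is not this service provider's ACS URL")

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    assertion = assertions[0]

    # Only the identity provider this SP was configured to trust may issue assertions.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        raise ValueError("assertion issuer is not the trusted identity provider")

    # Validity window, with a small tolerance for clock drift between IdP and SP.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + clock_skew < parse_time(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after and now - clock_skew >= parse_time(not_on_or_after):
        raise ValueError("assertion expired")

    # The assertion must name this SP as its audience; an assertion minted for
    # another SP must not be accepted here.
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if e.text]
    if sp_entity_id not in audiences:
        raise ValueError("assertion was issued for a different audience")

    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise ValueError("assertion has no subject NameID")
    return name_id


def outcome(now_text, sp_entity_id="https://sp.example.test/metadata",
            idp_entity_id="https://idp.example.test/metadata"):
    """Run the sample through the checks; return the NameID or the rejection reason."""
    try:
        return validate_response(SAMPLE_RESPONSE, idp_entity_id, sp_entity_id,
                                 "https://sp.example.test/acs", parse_time(now_text))
    except ValueError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    print(outcome("2023-11-20T16:01:00Z"))   # alice@example.test
    print(outcome("2023-11-20T16:30:00Z"))   # rejected: assertion expired
    print(outcome("2023-11-20T16:01:00Z", sp_entity_id="https://other-sp.example.test/metadata"))
```

The audience check is deliberately mandatory rather than "only if present": an assertion that names no audience could otherwise be replayed from one service provider to another. The `now` parameter is passed in rather than read from the clock so the same response can be evaluated at different points in time, which is also what makes the checks testable.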
SAML incorporates four different types of components:
These are statements of identity, authentication and authorization information. They are formatted using XML tags specified in SAML.
According to the core protocol specification, an assertion is a unit of information that supplies zero or more statements made by a SAML authority. An authority is any system that generates SAML authentication assertions; identity providers are examples of such authorities.
SAML specifies three types of assertions:
These define how different entities request and respond to requests for security information. Like assertions, these protocols are encoded with XML tags specified in SAML.
SAML defines its own generalized protocols for request/response interactions between systems and the entities that can be authenticated, either principals or subjects. SAML 2.0 protocols include the following:
These request/response protocols are defined as part of SAML to enable systems to request authentication, respond to authentication requests and exchange assertions. They are independent of the networking protocols that SAML messages are bound to for network transport.
These are the formats specified for protocol messages to be embedded and transported over different transmission mechanisms. SAML depends on several other protocols that are used to format and exchange requests and responses. These include the following:
SAML bindings define how protocol messages are transmitted. They use the transport protocols that enable communication between entities. SAML 2.0 defines the following bindings:
The bindings enable authenticating systems to exchange assertions and requests using widely supported protocols.
These determine how assertions, protocols and bindings are used together for interoperability in certain applications. A SAML profile consists of assertions, protocols and bindings. The profiles are used to define specific applications.
Profiles defined for SAML 2.0 include the following:
These profiles can be configured to enable an SSO deployment.
Organizations use SAML both for business-to-business and business-to-consumer applications. It is used to share user credentials across one or more networked systems. The SAML framework is designed to accomplish two things:
SAML is most often used to implement SSO authentication systems that enable end users to log in to their networks once and be authorized to access multiple resources on that network. For example, SSO implemented with Microsoft Active Directory (AD) can be integrated with SAML 2.0 authentication requests.
Authentication is the process of determining whether an entity is what it claims to be. It is required before authorization, which is the process of determining whether the authenticated identity has permission to use a resource.
SAML authentication depends on verifying user credentials, which, at a minimum, include user identity and password. SAML can also enable support for multifactor authentication.
SAML is a technology for user authentication, not user authorization, and this is a key distinction. User authorization is a separate area of identity and access management.
Access management technologies handle user authorization. Access management platforms use several different authorization standards (one of which is OAuth), but not SAML.
Is SAML authentication the same thing as user authorization?