SAML authentication, or Security Assertion Markup Language authentication, is a method of single sign-on (SSO) used to authenticate and authorize users across different systems. It enables the exchange of user identity information between an identity provider (IdP) and a service provider (SP).
User authentication is a critically important cybersecurity process. Indeed, the ability to verify the identity of a user is a root control in most cybersecurity frameworks—for good reason. If you can’t establish that someone is who he says he is, you’re going to have a lot of trouble protecting your systems and data from malicious actors.
Inside an organization, authentication is relatively simple. If a user logs in with credentials that match those on record, authentication can be assumed, up to a point. Multi-factor authentication (MFA) can provide further proof of identity.
Where things can get complicated, however, is when a user wants to access an external application, or an external user wants to access your systems. If the "user" is actually a machine, as in an app-to-app interoperability use case, authentication becomes even harder to address. You might want to enable users to authenticate themselves once and then use multiple applications in a single sign-on (SSO) scenario.
This is where Security Assertion Markup Language (SAML) has a role to play. The key word in SAML is “assertion.” SAML offers a standardized way for a user (human or machine) to assert a verifiable identity. It’s like a digital driver’s license.
SAML is an open standard based on Extensible Markup Language (XML). A SAML assertion transfers the user's identity data between two entities: the identity provider (IdP) and the service provider (SP). The IdP authenticates the user and passes his or her identity information to the SP. The SP, in turn, trusts the IdP and grants the user the level of access he or she has requested. This process is typically transparent to the user. For example, once you have logged into your corporate network, you might open a SaaS application and be allowed right in without entering your credentials. That's SAML at work.
SAML assertions are messages that contain the information an SP needs to confirm the identity of the user. It tells the provider that the user has signed in, sharing the assertion’s source, its time of issuance and other data points that confirm the user’s identity. The service provider can accept or reject the user’s access request based on the contents of the SAML assertion.
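The acceptance decision described above can be made concrete. The following Python is an added example and not code from the original article or from Noname; it works on a constructed, unsigned SAML 2.0 assertion (the assertion text, the `idp.example.com` and `sp.example.com` entity IDs, and the timestamps are all made up for the illustration) and shows the checks an SP applies to the assertion's contents: that the issuer is the IdP it trusts, that the current time falls inside the assertion's validity window, that the assertion is addressed to this SP, and, optionally, that the assertion ID has not been presented before. A real SP must first verify the IdP's XML signature (for example with a library such as python3-saml backed by xmlsec) and should parse with defusedxml rather than the stdlib parser; both are left out here to keep the example dependency-free.

```python
"""SP-side content checks on a SAML 2.0 assertion (added example, not the article's code)."""
import datetime as dt
import xml.etree.ElementTree as ET  # production code should use defusedxml instead

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"

# Constructed sample assertion; entity IDs, NameID and timestamps are invented.
# It carries no <ds:Signature>; signature verification is assumed to happen before this step.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

TRUSTED_IDP = "https://idp.example.com/metadata"          # assumed IdP entity ID
OUR_ENTITY_ID = "https://sp.example.com/saml/metadata"    # assumed SP entity ID
SAMPLE_NOW = dt.datetime(2024, 1, 1, 12, 1, tzinfo=dt.timezone.utc)      # inside the window
SAMPLE_LATE = dt.datetime(2024, 1, 1, 12, 5, tzinfo=dt.timezone.utc)     # NotOnOrAfter is exclusive


def _parse_time(value):
    """SAML timestamps are xsd:dateTime in UTC with a 'Z' suffix."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def evaluate_assertion(xml_text, now, trusted_idp=TRUSTED_IDP,
                       audience=OUR_ENTITY_ID, seen_ids=None):
    """Return (accepted, reason, name_id) for one assertion.

    seen_ids, when given, is a set of assertion IDs already accepted; presenting the
    same ID twice is rejected as a replay.
    """
    root = ET.fromstring(xml_text)
    if root.tag != ASSERTION_TAG:
        return False, "not a SAML 2.0 Assertion", None

    # 1. Source: only the IdP this SP has a trust relationship with may issue assertions.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != trusted_idp:
        return False, f"untrusted issuer {issuer!r}", None

    # 2. Time: the assertion is only valid between NotBefore (inclusive)
    #    and NotOnOrAfter (exclusive). Missing bounds are treated as a defect.
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing Conditions or validity window", None
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return False, "assertion outside its validity window", None

    # 3. Audience: an assertion minted for another SP must not be accepted here.
    audiences = [a.text.strip()
                 for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)
                 if a.text]
    if audience not in audiences:
        return False, "assertion not addressed to this SP", None

    # 4. Replay: each assertion ID is accepted at most once within its lifetime.
    assertion_id = root.get("ID")
    if seen_ids is not None:
        if not assertion_id or assertion_id in seen_ids:
            return False, "replayed or unidentified assertion", None
        seen_ids.add(assertion_id)

    # 5. Subject: the identity the SP will act on.
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        return False, "missing Subject/NameID", None
    return True, "ok", name_id


def demo():
    """Run the sample through the checks; returns the list of (accepted, reason) outcomes."""
    seen = set()
    first = evaluate_assertion(SAMPLE_ASSERTION, SAMPLE_NOW, seen_ids=seen)
    replay = evaluate_assertion(SAMPLE_ASSERTION, SAMPLE_NOW, seen_ids=seen)
    late = evaluate_assertion(SAMPLE_ASSERTION, SAMPLE_LATE)
    wrong_sp = evaluate_assertion(SAMPLE_ASSERTION, SAMPLE_NOW,
                                  audience="https://other-sp.example.com/metadata")
    return [(r[0], r[1]) for r in (first, replay, late, wrong_sp)]


if __name__ == "__main__":
    for accepted, reason in demo():
        print("accept" if accepted else "reject", "-", reason)
```

The order of checks matters less than their completeness: an assertion that is genuinely signed by the IdP can still be stale, replayed, or intended for a different service provider, and each of those is a reason to reject it.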
The interactions between the user, the IdP, and the SP follow this general flow:
SAML offers a number of benefits to system owners, security managers, and end users. User experience tends to improve, for one thing. With SAML, users only have to sign in once in order to access multiple service providers. The whole authentication process speeds up, and users no longer have to remember different sets of login credentials.
Security also gets better, in general, with SAML. This is due to SAML’s ability to provide authentication from a single spot, the IdP. This concentrated architecture has the effect of reducing the attack surface.
With SAML, it is also possible to work with loosely coupled directories. There is no need to synchronize user information between identity directories. This eliminates a time-consuming chore that not only creates complexity, but also increases risk exposure. Any time identity data is being moved around, it is vulnerable to breach.
Service providers can also cut costs with SAML. They no longer have to maintain user account data across services. Instead, the IdP handles this process for them.
Some people get confused about whether SAML authentication is the same as user authorization. It’s easy to see why. A SAML assertion’s SSO functionality can be viewed as authorizing the user to access multiple service providers. However, SAML authentication and user authorization are not the same thing.
SAML is for authentication, meaning it establishes the identity of the user. SAML does not communicate the user’s privileges to do, or not do, certain things. Despite its SSO capabilities, it does not perform an authorization function.
Is SAML comparable to OAuth? This is a common question. The answer is that the two serve different purposes. While both protocols are used to manage access, SAML deals with user authentication and OAuth is for authorization. A SAML assertion authenticates the user to the SP. An OAuth token declares what the user is authorized to do with the SP.
SAML is an essential user authentication standard for an entity that wants to allow access to users outside of its organization. SAML assertions enable simple, efficient authentication, as well as SSO for multiple service providers. The technology also helps improve security and cut costs, while also delivering the architectural benefits of more loosely coupled directories.