This poses a challenge for developers: how do you provide employees with secure access to internal applications and data stored in the cloud? For many, the answer is SAML authentication!
What is SAML?
Security Assertion Markup Language or SAML is an open standard that simplifies authentication processes. It is based on XML (Extensible Markup Language), which standardizes the communication between the entities to be authenticated and the web service or application. In other words, SAML is what makes it possible to use a single login to sign in to multiple different applications. On the one hand, a service provider needs identity provider (IdP) authentication to grant authorization to the user. For example, Salesforce is a service provider relying on an identity provider for user authentication. On the other hand, an identity provider authenticates that the end user is who they say they are and sends that data to the service provider along with the user’s access rights to the service. One example is AuthO, one of the leaders in providing identity solutions.
What about SAML single sign-on?
One of the main roles of SAML is to enable SSO. Before SAML, SSO was possible but dependent on cookies and viable only on the same domain. SAML enables single sign-on (SSO) by allowing users to access multiple applications with a single login and set of credentials. Although SAML is not new, it has been around since 2002, and many new applications and SaaS companies are using SAML for SSO. Its most recent version, SAML 2.0, enables web-based cross-domain SSO and is the standard for resource authorization.
What are the benefits of SAML authentication?
SAML brings many benefits for security, users, and other service providers (SPs). Simplicity: Users only log in to the IdP once and then enjoy seamless and more secure access to all applications. Increased Security: Many SPs don’t have the time or resources to implement and enforce secure user authentication at login. Generally, IdPs are better equipped to authenticate user identities. By returning authentication to the IdP, SAML enables secure authentication that can apply multiple layers of security, such as MFA. Improved user experience: With SAML, your users can say goodbye to the headaches of trying to remember multiple usernames and passwords Reduced management overhead: Service providers can improve their platform security without storing passwords. There’s no need to deal with forgotten password issues. The help desk reduces costs and frees technical teams to deal with other urgent requests.
What is Auth0, and how is it connected to SAML authentication?
Auth0 is a platform that provides user authentication and authorization service. It can be both as IdP and SP. Auth0 offers a universal login that can be integrated with SAML. Developers often use Auth0 with SAML to diversify the risk by having multiple IdP. Auth0 can be used with almost all major languages and APIs. It can also be integrated with social providers, databases, and LDAP directories.
SAML SSO Flow
One of the main roles of SAML is to enable single sign-on (SSO.) Before SAML, SSO was possible but dependent on cookies and viable only on the same domain. SAML enables SSO by allowing users to access multiple applications with a single login and credentials. SAML is not new, it has been around since 2002, and many new applications and SaaS companies are using SAML for SSO. Its most recent version, SAML 2.0, enables web-based cross-domain SSO and is the standard for resource authorization. In concrete terms, this involves requesting authentication from the user only once when the latter is using different applications. For example, we can think of Google authentication, shared between the different services Gmail, Youtube, Google Apps, etc. In this mode of operation, Google is the identity provider (IdP) for its services. These services are called “service providers” (SP). Authentication When connecting to the external application, it sends the unknown user to the corporate IdP. This IdP is a web service accessible in HTTPS. It can be hosted internally or externally. Internal authentication The user then proves their identity to the IdP. This phase can be done by explicit authentication (login/password) or by the propagation of a pre-existing token. Generation of the assertion The IdP will then generate a “token”, a kind of user identity card, valid only for the requested service and for a given time. In this token, we will find in particular:
The identity of the user: login, email, or other fieldsOptional additional attributes: last name, first name, language, etc.A validity period of the tokenA signature of the token by the IdP
Transmission from IdP to SP In the most practical mode, the assertion is not passed directly from the IdP to the SP but through the user themself. Through an HTTP bounce mechanism, the IdP will provide the client browser with the token to transmit to the service provider. It can be compared to the identity card provided by the prefecture to be presented to any authority. Consumption of the token by the SP The service provider receives the token from the user. The SP has chosen to trust this IdP. It also validates the signature and the integrity of the token, as well as the period of validity. If the tests are conclusive, the SP opens a session to the user.
SAML authentication Vs. User Authorization
Often SAML authentication is confused with authorization. For clarity, it is important to differentiate the concepts of authentication and authorization. Authentication: it is the validation of the user’s identity; basically, it is verified if they are who they say they are. An example is using email and password to access a system – a single session or login for other platforms. Authorization: this is the permissions the user gives to a third-party tool to access resources in their account. With the user’s approval, the authorization protocol exchanges tokens without accessing their credentials. You usually do this when allowing a platform (like Facebook) to access certain information from your Google account.
Must-Know Terminologies of SAML
SAML Assertion
SAML assertions are typically passed by identity providers to service providers. Assertions contain statements that service providers use to make access control decisions. Three types of declarations are provided by SAML:
Authentication statements assert that the service provider was indeed authenticated with the identity provider at a given time with an authentication method.An attribute declaration asserts that a subject is associated with certain attributes. An attribute is simply a name-value pair. Relying parties use the attributes to make access control decisions.An authorized decision statement asserts that a subject is permitted to act on a resource by presenting evidence for it. The expressiveness of authorization decision states in SAML is deliberately limited.
Assertion Consumer Service
The Assertion Consumer Service or ACS is the point where the identity provider redirects after the user authentication response. The point to which the identity provider redirects is an HTTPS endpoint that transfers personal information.
Default Relay State
It is the default URL on which the user will be redirected after the SAML message is authenticated. Default Relay State is used to coordinate messages between IdPs and SPs.
Best Online SAML tools
SAML is a widely used protocol, and often one needs to decode SAML assertions. Following are some of the best SAML tools for encoding, decoding, and formatting SAML messages and assertions:
#1. SAMLtool
SAMltool by OneDesign is a collection of online SAML tools and toolkits. These include various tools for encoding and decoding SAML messages, encrypting and decrypting assertions, and signing and validating SAML messages and assertions. SAMLtool also provides several different plugins to integrate these tools with several CMS.
#2. Samtool.io
Offered by Auth0, samltool.io is an online tool that also you decode, inspect and verify SAML messages and assertions by simpling pasting raw XML or URLs containing requests.
#3. SAM decoder
SAM decoder is a simple online tool for decoding SAML offered by PingIdentity. SAM decoder can be used to decode, inflate, and format SAML messages, assertions, and metadata.
Final Words
The SAML standard is very useful for implementing a central authentication instance based on the markup language. One of its significant advantages is that it offers high efficiency and a high-security standard. In particular, the number of possible security leaks is minimized since individual applications do not have to store or synchronize user data. In this way, one of the primary objectives is achieved, which is to reconcile a high degree of security with the best possible level of ease of use. You may also look at some of the best user authentication platforms.