So what’s SAML exactly?
What is SAML?
“The Security Assertion Markup Language (SAML) is an XML-based open standard (published by OASIS) for exchanging authentication and authorization data between two parties: a Service Provider and an Identity Provider.”

Why do we need SAML?
Let's look at a use-case.
Consider a user who needs to access multiple internal web applications while working for LavelyIO. Each web app has its own authentication process and its own identity store for that authentication (not always true; more on that later). The user juggles multiple URLs, inside and outside the company boundary, "maintains" a separate credential for each application, or worse, relies on Chrome's autofill. Phishing just got a little bit easier...
Back to the point: without SSO, each web application has to store and protect its own copy of the user's credentials. SSO via SAML removes that burden. The user only ever types a password at the Identity Provider, and the application receives a signed statement from the IdP saying who the user is.
One Identity Provider to Rule Them All
With one IdP in place, users not only get a better experience (it also just looks more professional) and fewer passwords to maintain; the applications also get to (mostly) hand the 'security' problem off to the IdP. Many Service Providers can share one IdP. Have you ever clicked 'Login with Gmail' or 'Login with Microsoft'? Those buttons are a form of Single Sign-On (consumer ones usually run on OAuth 2.0 / OpenID Connect rather than SAML, but the idea of one identity provider serving many applications is the same).
SAML helps the Service Provider
SAML lets the Service Provider (SP) delegate authentication to an Identity Provider (IdP) instead of checking passwords itself. In return the SP receives the authenticated user's basic information (name, email) plus additional 'claims' (attributes) that let the SP apply its own authorization policy (Is this user in group X? If so, let them view all reports).
So, What's a SAML Provider?
It's a system or service that helps the user reach the applications, services and data they need. The two roles in SAML are the Service Provider (SP) and the Identity Provider (IdP).
- Service Provider: the system that provides a service to the user (what the user is trying to access, e.g. YouTube, Twitter, etc.).
- Identity Provider: the system that identifies and authenticates the user. It is in charge of issuing the authentication response, carrying the user's identity and attributes (claims) for the service, to the Service Provider.
What is a SAML Assertion?
A SAML Assertion is an XML document containing statements about the user: who they are (the subject), when they logged in, how they authenticated, which attributes they carry (group memberships and other claims the SP turns into permissions), and almost anything else the IdP is configured to release. It also states which SP it is meant for (the audience) and how long it is valid. The 'SAML Assertion' is issued and signed by the IdP and sent to the SP, which must verify that signature before trusting anything in it.
SSO & SLO SAML workflow
SAML enables Single Sign-On (SSO) and Single Logout (SLO), and each can be initiated from either the Service Provider or the Identity Provider side.
Service Provider Initiated Single-Sign-On (SSO) flow

- The user requests a service from the Service Provider.
- The Service Provider creates a login request (a SAML AuthnRequest).
- The request (which names the Service Provider as its issuer) is passed through the user agent (browser) from the Service Provider to the Identity Provider.
- The Identity Provider identifies the principal and authenticates the user.
- After authentication, the Identity Provider sends the response message (SAML Response) back to the Service Provider, again through the user agent. The response includes the authenticated user's identity, the requested attributes, etc.
- Based on the Identity Provider's response the Service Provider grants the service to the end user (if authentication failed it returns an error message; if it succeeded it creates an application session).
Identity Provider Initiated Single-Sign-On (SSO) flow

How this works
- The user calls the Identity Provider endpoint directly, naming the Service Provider they want to reach.
- The Identity Provider identifies the principal and authenticates the user.
- After authentication, the Identity Provider sends the response message (SAML Response) to the Service Provider through the user agent. The response includes the authenticated user's identity, the requested attributes, etc.
- Based on the Identity Provider's response the Service Provider grants the service to the end user (if authentication failed it returns an error message; if it succeeded it creates an application session).
- Note: because no request preceded it, this response carries no InResponseTo value for the Service Provider to match against a request it issued. A Service Provider that accepts such unsolicited responses is relying on the assertion's signature, validity window and audience alone, and needs its own guard against replay.
Service Provider Initiated Single-log-out (SLO) flow
- The session participant (e.g. Salesforce) sends a logout request (SAML LogoutRequest) carrying the session index (this session index came from the IdP's response in the Single Sign-On flow).
- Using the session index, the Identity Provider identifies all the session participants that are logged in under that same session index.
- The Identity Provider sends a logout request (SAML LogoutRequest) to one of those session participants.
- That session participant sends back a logout response (SAML LogoutResponse) to the Identity Provider.
- Note: steps 3 and 4 are repeated until every session participant identified by the Identity Provider has been logged out.
- Finally, the Identity Provider sends a logout response (SAML LogoutResponse) to the original session participant.
Identity Provider Initiated Single-log-out (SLO) flow
- The user calls the Identity Provider endpoint directly and the IdP looks up the session index for that user.
- Using the session index, the Identity Provider identifies all the session participants that are logged in under that same session index.
- The Identity Provider sends a logout request (SAML LogoutRequest) to one of those session participants.
- That session participant sends back a logout response (SAML LogoutResponse) to the Identity Provider.
- Note: steps 3 and 4 are repeated until every session participant identified by the Identity Provider has been logged out.
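The SP-initiated SSO and SLO flows above both start with the Service Provider sending a request to the IdP through the browser. The following is an added example (not code from the original post) that builds the AuthnRequest and the LogoutRequest, encodes them the way the SAML HTTP-Redirect binding requires (raw DEFLATE, base64, URL-encoding), shows the IdP-side decode, and models the bookkeeping each side keeps: the SP's set of outstanding request IDs that an incoming Response must match, and the IdP's table of session participants per session index that drives the logout fan-out. The entity IDs, endpoints, user and session index are invented for illustration; a real deployment takes them from SAML metadata.

```python
"""SP-initiated SSO and SLO messages over the SAML HTTP-Redirect binding.
Added example: builds an AuthnRequest and a LogoutRequest, encodes them for the
binding (raw DEFLATE, base64, URL-encode), decodes them on the IdP side, and
models the per-side bookkeeping (outstanding request IDs, session participants)."""
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Assumed entity IDs and endpoints; in practice these come from SAML metadata.
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
SP_ACS_URL = "https://app.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/saml/sso"
IDP_SLO_URL = "https://idp.example.com/saml/slo"


def new_request_id():
    # SAML message IDs must be XML NCNames, so they start with an underscore, not a digit.
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id, issue_instant):
    """SSO step 2: the SP creates the login request. Built with ElementTree so that
    attribute values are escaped rather than string-formatted into XML."""
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, "{%s}Issuer" % SAML).text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")


def build_logout_request(request_id, issue_instant, name_id, session_index):
    """SLO step 1: the session participant asks the IdP to end the session it was
    given, identified by the SessionIndex that arrived in the SSO response."""
    req = ET.Element("{%s}LogoutRequest" % SAMLP, {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": IDP_SLO_URL,
    })
    ET.SubElement(req, "{%s}Issuer" % SAML).text = SP_ENTITY_ID
    ET.SubElement(req, "{%s}NameID" % SAML).text = name_id
    ET.SubElement(req, "{%s}SessionIndex" % SAMLP).text = session_index
    return ET.tostring(req, encoding="unicode")


def redirect_encode(xml_text):
    # HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header), then base64.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")


def redirect_decode(value):
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def redirect_url(endpoint, xml_text, relay_state=None):
    """SSO step 3 (or SLO step 1) on the wire: the browser is sent to the IdP with the
    message in the query string. RelayState is opaque SP state, e.g. the page to
    return to; the SP must not trust it without checking it on the way back."""
    query = {"SAMLRequest": redirect_encode(xml_text)}
    if relay_state is not None:
        query["RelayState"] = relay_state
    return endpoint + "?" + urlencode(query)


def idp_parse_request(url):
    """IdP side of the same step: recover the XML and RelayState from the redirect URL."""
    query = parse_qs(urlparse(url).query)
    root = ET.fromstring(redirect_decode(query["SAMLRequest"][0]))
    return root, query.get("RelayState", [None])[0]


def sp_accept_response(in_response_to, outstanding):
    """SSO step 6, SP side: a Response is accepted only if its InResponseTo names a
    request this SP actually issued, and each request ID is consumed once (no replay)."""
    if in_response_to in outstanding:
        outstanding.remove(in_response_to)
        return True
    return False


def idp_logout_targets(logout_request_root, sessions):
    """SLO steps 2-3, IdP side: find every participant sharing the SessionIndex and
    return the ones that still need a LogoutRequest (everyone except the requester)."""
    requester = logout_request_root.findtext("{%s}Issuer" % SAML)
    session_index = logout_request_root.findtext("{%s}SessionIndex" % SAMLP)
    return [p for p in sessions.get(session_index, []) if p != requester]
```

Messages sent over the Redirect binding are normally signed as well (the signature travels in a separate `Signature` query parameter over the encoded payload), and the IdP should reject an AuthnRequest whose AssertionConsumerServiceURL is not one registered in the SP's metadata; otherwise the response could be steered to an attacker-chosen URL. Both of those checks sit on top of the encoding shown here.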
I hope this has helped you gain a better grasp of what SAML actually is. It's nothing to shy away from! It's quite basic once you understand the process. The trick is to get your hands dirty and implement an SSO solution of your own. For this, I recommend Keycloak (by Red Hat).