What is SAML, why is it needed and how does it work? (Easy to understand)
- Does not ask for credentials again
- Encrypts the SAML messages with private keys using the latest SHA-2 encryption methods
- Validates requests and responses using certificates to make sure any third-parties and hackers do not compromise them.
- Specifies conditions to be met to log users in.
- Optionally encrypts custom attributes to increase security.
- A user browses to the IdP site
- He/she is asked for credentials and logs into the site
- He/she clicks on a link to go to a Service Provider (SP) site. If the IdP already determines the SP after he/she is logged in, the IdP may redirect the user to the SP automatically.
- The SP site validates the SAML request and logs the user in on the SP site
- A user browses to the SP site
- If he/she is not logged in, he/she will be redirected to the IdP site
- The IdP site validate the SAML message, look up for the user on the IdP system and log him/her in
- Then it sends back a successful response to the SP
- The SP then log the user in and allow him/her to use the service
Overview
SAML stands for The Security Assertion Markup Language standard. It's an open standard that enables users to log into applications once and stay logged in another context. It allows user credentials to be securely shared by multiple web applications on the Internet. In an enterprise's Active Directory or intranet, SAML enables the enterprise's applications to use that information to log users into other web-based applications.
The SAML SSO login standard is superior to logging in users using a simple username/password combination since it:
SAML is powerful, but the OASIS implementation documentation is lengthy, and it may take months to implement it in an application from the scratch that successfully covers all cases. You can use the Ultimate SAML library for ASP.NET, MVC, and Core to simplify the implementation. Thousands of developers have used it to power their apps to support OWIN authentication, ADFS Single Sign On, Azure ADFS, Salesforce, Outlook, Google, OAuth, standard and customized SAML interoperability.
There are mainly two types of providers defined in SAML specification:
Identity Provider (IdP)
It's a system that stores and manages user information. In SAML, IdP also provides authentication services to the relying service providers. An example of an IdP is an ADFS configured to be an Identity Provider in the ACS.
Service Provider (SP)
A Service Provider is a relying party that consumes the authentication SAML assertions from an IdP. A user is required to log in at an IdP first before he/she can access the resources on the relying SP sites.
SAML Assertion
An assertion is a package of data that consists of authentication, attributes, and authorization decision information. It's sent back from an IdP to an SP when a user is successfully logged in at the IdP. It might be encrypted with a private key that only the parties with the corresponding public key can decrypt it.
How SAML works
There are several types of SAML applications, and their flows are different:
Identity Provider Initiated
Service Provider Initiated
Shibboleth
It's an open source SSO package developed using C++ and Java. It is now maintained by Internet2 (http://shibboleth.internet2.edu/). A website using Shibboleth is, in fact, an SP-initiated application with similar SAML flow as described in the above section.