What is SAML, why is it needed and how does it work? (Easy to understand)

Overview

SAML stands for The Security Assertion Markup Language standard. It's an open standard that allows users to log into applications once and stay logged in another context. It allows user credentials to be securely shared by multiple web applications on the Internet. In an enterprise's Active Directory or intranet, SAML enables the enterprise's applications to use that information to log users into other web-based applications.

Single Sign-on Identity and Service Provider flows

The SAML SSO login standard is superior to logging in users using simple username/password combination since it:

  • Does not ask for credentials again
  • Encrypts the SAML messages with private keys using latest SHA-2 encryption methods
  • Validates requests and responses using certificates to make sure they are not compromised by any third-parties and hackers.
  • Specifies conditions to be met in order to log users in.
  • Optionally encrypts custom attributes to increase security.

SAML is powerful, but the OASIS implementation documentation is lengthy and it may take months to implement it in an application from the scratch that successfully covers all cases. You can use the Ultimate SAML library for ASP.NET, MVC, and Core to simplify the implementation. It has been used by thousands of developers.

There are mainly two types of providers defined in SAML specification:

Identity Provider (IdP)

It's a system that stores and manages user information. In SAML, IdP also provides authentication services to the relying service providers. An example of an IdP is an ADFS configured to be an Identity Provider in the ACS.

Service Provider (SP)

A Service Provider is a relying party that consumes the authentication SAML assertions from an IdP. A user is required to log in at an IdP first before he/she can access the resources on the relying SP sites.

SAML Assertion

An assertion is a package of data that consists of authentication, attributes, and authorization decision information. It's sent back from an IdP to an SP when a user is successfully logged in at the IdP. It might be encrypted with a private key that only the parties with the corresponding public key can decrypt it.

How SAML works

There are several types of SAML applications and their flows are different:

Identity Provider Initiated

Idp-initiated flow

  • A user browses to the IdP site
  • He/she is asked for credentials and logs into the site
  • He/she clicks on a link to go to a Service Provider (SP) site. If the SP is already determined by the IdP after he/she is logged in, the IdP may redirect the user to the SP automatically.
  • The SP site validates the SAML request and logs the user in on the SP site

Service Provider Initiated

Sp-initiated flow

  • A user browses to the SP site
  • If he/she is not logged in, he/she will be redirected to the IdP site
  • The IdP site validate the SAML message, look up for the user on the IdP system and log him/her in
  • Then it sends back a successful response to the SP
  • The SP then log the user in and allow him/her to use the service

Shibboleth

It's an open source SSO package developed using C++ and Java. It is now maintained by Internet2 (http://shibboleth.internet2.edu/). A website using Shibboleth is, in fact, an SP-initiated application with similar SAML flow as described in the above section.

45-Day Money Back Guarantee

We will refund your full money in 45 days
if you are not satisfied with our products

Buy Now

Dont miss out Get update on new articles and other opportunities