2. SAML Enables Internet Single Sign-On (SSO) Connections
SAML's primary use case is to enable Internet Single Sign-On connections that grant users direct access to the applications or services they use over the Internet. Instead of maintaining a separate login and password for each Internet application, users authenticate once (using their organization's identity management system, the "single sign-on"), and then have one-click access to all of their Internet SSO-enabled applications without signing in again.
3. SAML Identity-Enables Web Services
Web Services applications allow application functionality to be distributed across the Internet, facilitating the outsourcing of individual application components. For example, an application can call on hundreds of Web Services that provide a variety of services such as live weather forecasts, stock quotes, eCommerce functions, and other B2B functions.
PingFederate provides a key component required to identity-enable Web Services: a WS-Trust Security Token Service (STS). On the client side, which can be a Web or rich desktop application, the STS exchanges the user's local identity (a local security token, such as a Windows or application session credential) for a standard SAML security token that carries the user's identity and can be shared with Web Services provider applications. On the provider side, the STS validates the incoming security token, extracts the identity and attribute information from the SAML assertion, and can issue a new local token for consumption by the applications behind it.
4. SAML Increases Security
SAML removes passwords from the applications that consume it. Because the user is authenticated by their organization's identity system, and a trust relationship exists between the user's organization (the Identity Provider) and the Service Provider, SSO-enabled applications need no password of their own, and the user's password never crosses the organizational firewall. The SAML assertion that is created contains the information the application needs to make access decisions, such as the user's name and application access level. Assertions are digitally signed by the issuing organization so that the receiving application can verify their origin and integrity, and they can additionally be encrypted so that only the receiving organization can read their contents. The receiving application still has to do its part: verify the signature against the Identity Provider's known certificate, confirm that it is the intended audience, and honor the assertion's validity window.
The removal of passwords from Internet applications can be a key advantage for regulatory compliance. Many regulations, including Sarbanes-Oxley and HIPAA, impose requirements that are typically met through password policies, and failure to meet them can surface as audit findings. SAML narrows the scope of this problem considerably: password management is concentrated at the organization's own identity system rather than spread across every Internet application it uses.
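The provider-side checks described in sections 3 and 4 (validate the token, then read identity and access-level attributes out of the assertion) look roughly like the following. This is an added example written for this page, not PingFederate code or any Ping Identity API; the assertion, entity IDs and attribute names are constructed placeholders. It assumes the XML-DSig signature has already been verified by an XML-DSig library against the Identity Provider's pinned certificate, and covers only the content checks that come after that.

```python
"""Relying-party (Service Provider) content checks on a SAML 2.0 assertion.

Added example using only the Python standard library. It assumes the XML
signature was already verified by an XML-DSig library against the IdP's
known certificate; only the checks that follow a good signature are here.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml in production for XML hardening

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample assertion: placeholder IDs, entity IDs and attributes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1b2c3"/></ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="accessLevel"><saml:AttributeValue>manager</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class AssertionRejected(Exception):
    """Raised when the assertion must not be used for an access decision."""


def _parse_instant(value):
    """SAML dateTime values are UTC and end in 'Z'; fractional seconds allowed."""
    if not value.endswith("Z"):
        raise AssertionRejected("timestamp is not UTC")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuer, my_entity_id, now, clock_skew_s=60):
    """Return {'name_id': ..., 'attributes': {...}} or raise AssertionRejected.

    Signature verification (XML-DSig) is assumed done already; here we only
    confirm the signature targets this assertion's own ID, then check issuer,
    validity window, audience, and extract the identity data the app uses.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        raise AssertionRejected("not a SAML 2.0 Assertion")

    # 1. The (already verified) signature must cover this assertion, not some
    #    other element that was wrapped around it.
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (root.get("ID") or ""):
        raise AssertionRejected("signature missing or does not reference this assertion")

    # 2. Only the Identity Provider we have a trust relationship with may issue it.
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        raise AssertionRejected("untrusted issuer")

    # 3. Validity window and audience, with a small allowance for clock skew.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("no Conditions element")
    skew = timedelta(seconds=clock_skew_s)
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _parse_instant(not_before):
        raise AssertionRejected("assertion not yet valid")
    if not_on_or_after and now - skew >= _parse_instant(not_on_or_after):
        raise AssertionRejected("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        raise AssertionRejected("audience mismatch")

    # 4. Identity and attributes the application bases its access decision on.
    #    (A real SP also caches the assertion ID until NotOnOrAfter to block replay.)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise AssertionRejected("no subject NameID")
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id, "attributes": attributes}


def rejection_reason(xml_text, trusted_issuer, my_entity_id, now):
    """Convenience wrapper: None if the assertion is acceptable, else the reason."""
    try:
        validate_assertion(xml_text, trusted_issuer, my_entity_id, now)
        return None
    except AssertionRejected as exc:
        return str(exc)


if __name__ == "__main__":
    at = datetime(2024, 1, 15, 10, 1, tzinfo=timezone.utc)
    print(validate_assertion(SAMPLE_ASSERTION, "https://idp.example.org/saml",
                             "https://sp.example.com/saml", at))
```

The order matters: an assertion whose signature does not cover the element you are about to read, or that names another Service Provider in its audience, must be rejected before any attribute in it is used for an access decision.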
5. SAML is Reusable
Unlike proprietary approaches, which are typically deployed as one-off connections, SAML connections are easily reusable. Identity Providers (IdPs) can use the same product to support multiple Service Provider connections, such as Software-as-a-Service (SaaS) or Business Process Outsourcing (BPO) Service Providers (SPs). SPs, such as SaaS vendors, can use the same SAML product to support multiple customers.
6. SAML-based Internet Single Sign-On Saves Money
Ping Identity solicited feedback from its 350 customers to quantify how SAML-based Internet SSO affects the bottom line of their organizations. From that research, a list of consistent business values emerged, including:
- Cost savings by reducing password reset costs and help desk calls
- Increased IT and end-user productivity allows organizations to do more with less
- Fast time-to-value, low total cost of ownership and rapid time-to-payback for Internet Identity projects
- Increased user adoption rate increases the ROI for outsourced applications
- Reduced risk of phishing attacks, identity theft, and compliance audit failures
- And many others
A more detailed presentation from Ping Identity on the Business Value of Internet SSO is available to download in archived webcast form.
7. There are Three Versions of SAML, and All are Used Today
There are three versions of SAML: 1.0, 1.1, and 2.0, and the 1.x versions are not interoperable with 2.0. SAML 1.0 was released in 2002, SAML 1.1 in 2003, and SAML 2.0 in 2005, and all three remain in use by organizations across the world. When choosing an Internet Identity solution, you should choose one that supports all versions of SAML plus an additional standard supported by some organizations, WS-Federation.
8. SAML Helps with Compliance & Zombie Account Problems
Complying with government regulations like HIPAA, Sarbanes-Oxley (SOX), Gramm-Leach-Bliley and EU Directive 95/46/EC is a daunting task even before you consider the implications of Cloud Computing. One of Ping Identity's manufacturing customers recently hired a respected audit firm to review its SOX compliance. What the auditor discovered was a vast graveyard of "Zombie" accounts: still-active user accounts belonging to employees who had left the organization. Not only did this violate SOX requirements, but it left the company exposed to significant data loss, since a departed employee's credentials still opened the door.
The company quickly addressed its Zombie account problem with SAML-based PingFederate, resolving the SOX audit finding. SAML SSO on its own closes part of the gap, because a user who has been disabled in the corporate directory can no longer obtain an assertion and so can no longer sign in to the SaaS application. PingFederate goes further by automating SaaS user account management: it replicates corporate directory changes to the remote SaaS directories, so accounts disabled or removed internally are disabled or removed at the provider as well, eliminating Zombie accounts while reducing SaaS administrative overhead.
9. SAML Increases User Adoption of SaaS Applications
Passwords are a security barrier that prevents unwanted access to valuable data and resources. Unfortunately, passwords are also a barrier to the users who would benefit from the application. Most SaaS applications require a "critical mass" of user adoption before a viable return on investment is attained.
One example is online travel booking. In order to save costs over “offline” travel bookings, consumer packaged goods manufacturer ConAgra offered an online travel booking alternative to its 11,000 employees, as the online option saved the company a considerable amount of money. Unfortunately, after the initial rollout, only 11% of company travel bookings were using this cost-saving alternative.
ConAgra identified user experience as a key reason for the low adoption rate. ConAgra decided to deploy SAML-enabled Rearden Commerce’s travel solution, which enabled ConAgra’s users to access the service without a separate sign on. Without the password barrier, ConAgra's adoption rate increased to 81% and the average price of travel bookings decreased 11%, potentially saving the company hundreds of thousands of dollars per year in travel expenses. In addition to increasing application adoption rate, Single Sign-On also increases employee productivity by eliminating repeated application logins and password resets.
10. PingFederate Makes SAML Easy
In the past, deploying SAML using either open source libraries or identity stack vendor products was difficult, time consuming, expensive and of questionable security. Ping Identity's Internet Identity products specialize in making the deployment of SAML solutions quick and easy.
PingFederate, our on-premise solution, often deploys in five days or less, and the vast majority of deployments are completed in under 30 days. PingConnect, our on-demand hosted offering, can be deployed in hours. Join Ping Identity’s 300+ customers, including 40 of the Fortune 100, and discover just how easy, quick and cost effective deploying SAML can be in your organization.
SAML 2.0 Tutorial
Download a step-by-step tutorial video of how SAML 2.0 works.