SAML 2.0: How It Works
What is SAML?
Security Assertion Markup Language (SAML) is an open standard that enables single sign-on (SSO). By making a range of resources accessible with just one set of login credentials, you can provide seamless access to resources and eliminate insecure password proliferation.
SAML specifically enables identity federation, making it possible for identity providers (IdPs) to seamlessly and securely pass authenticated identities and their attributes to service providers (SPs). SAML holds the dominant position in terms of industry acceptance for federated identity deployments. Not only has it been deployed in hundreds of thousands of cloud SSO connections, but thousands of large enterprises, government agencies and service providers have also selected SAML as their standard protocol for communicating identities across the internet.
Benefits of SAML Authentication
SAML is XML based, which makes it extremely flexible. Two federation partners can choose to share whatever identity attributes they want in a SAML assertion (aka message) payload as long as those attributes can be represented in XML. This flexibility led to pieces of the SAML standard, such as the SAML assertion format, being incorporated into other standards including WS-Federation.
Interoperability also gives SAML a huge advantage over proprietary SSO mechanisms. For an enterprise, proprietary SSO means each new connection potentially requires a new and different software implementation or proprietary integration connectors. With SAML, a single implementation can support SSO connections with many different federation partners. Some large organizations, particularly those who have already gone through the pain of supporting multiple proprietary SSO implementations, now require the use of SAML for internet SSO with identity as a service (IDaaS) applications and other external service providers.
The Kantara Initiative established a very successful interoperability testing program in which SAML vendors prove out-of-the-box interoperability with other SAML implementations. Ping’s own enterprise federation server, PingFederate, has been extensively tested for interoperability against a number of other SAML implementations, both in formal interop testing and through many years of real-world usage by some of the world’s largest companies. A certified product can mean the difference between a simple two-hour configuration and testing exercise and a multi-month distributed debugging nightmare.
How SAML Authentication Works
Enterprise SAML identity federation use cases generally revolve around sharing identity between an existing identity and access management (IAM) system and web applications. There are two actors in the SAML scenario, the Identity Provider (IdP) who “asserts” the identity of the user and the Service Provider (SP) who consumes the “assertion” and passes the identity information to the application. The interaction between the IAM system and the federation server is called “first mile” integration, while the interaction between the federation server and the application is called “last mile” integration.
SAML Tutorial
For a helpful overview of how SAML works, watch this short SAML tutorial:
SAML Examples
There are two common usage scenarios for SAML. The first is IdP-initiated SSO, and the second is SP-initiated SSO.
IdP-initiated SSO is commonly found in workforce SSO solutions, such as PingOne for Enterprise. In this scenario, users first log in to the system, which presents an application catalog. This catalog will contain visual icons of all the internal and external applications that the company has configured SSO for and that the user has privileges to access.
The most frequently used applications are typically sorted to the top for quick access. Here’s what this looks like in PingOne for Enterprise:
When the user clicks on one of the images, the SAML flow is as follows:
Once the SP has received the SAML assertion, it validates the signature using the public key in order to ensure the SAML assertion really came from its trusted IdP and that none of the values in the assertion have been modified. The SP can then extract the identity of the user from the SAML assertion along with any other attributes it needs. At this point, the user is on the service provider’s landing page, just as though they had logged into the site manually.
This diagram illustrates the steps in an IdP-initiated SSO flow with SAML:
SP-initiated SSO starts when a user tries to access a resource at the service provider, but hasn’t yet authenticated to the SP. A user may have gone directly to the website or may have saved a link to a specific resource at the SP. Once the SP sees that the user doesn’t have an active session, it will redirect them to the IdP to be authenticated. The IdP will authenticate the user, create the assertion and redirect the user back to the SP just as in the IdP-initiated use case, with the addition that it will also send back the URL of the resource that the user was initially trying to access, if it was provided by the SP.
You may be wondering how the SP knows which IdP to redirect the user to if it supports SSO from more than a single IdP. The answer is that it depends. A few common ways the SP can determine which IdP to redirect the user to are:
This diagram illustrates the steps in an SP-initiated SSO flow with SAML:
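The validation step that both flows above end with, as an added example that is not Ping’s or PingFederate’s code: the acceptance checks an SP applies to a SAML Response once an XML-DSig library has verified the signature cryptographically, namely signature-to-assertion binding, Issuer, validity window, Audience, and InResponseTo (matched against an outstanding AuthnRequest and consumed once for SP-initiated SSO; absent for IdP-initiated SSO, which carries no request). The entity IDs, request ID and sample response are constructed for the example.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
FMT = "%Y-%m-%dT%H:%M:%SZ"
ts = lambda s: datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)  # SAML timestamps are UTC

# Constructed sample response with hypothetical entity IDs; a real one carries a full XML-DSig.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" InResponseTo="_req42"><saml:Assertion ID="_a1">
 <saml:Issuer>https://idp.example.com</saml:Issuer>
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
 <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
 <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions><saml:AttributeStatement><saml:Attribute Name="department">
 <saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

def validate_response(xml_bytes, trusted_idp, sp_entity_id, now, outstanding):
    """SP-side checks after XML-DSig verification; returns (name_id, attributes, target_url)."""
    root = ET.fromstring(xml_bytes)  # stdlib parser; external entities are not resolved
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    # The verified signature must cover this assertion: its Reference URI must be "#<assertion ID>"
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        raise ValueError("assertion unsigned or signature bound to another element")
    if a.findtext("saml:Issuer", namespaces=NS) != trusted_idp:
        raise ValueError("untrusted issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None: raise ValueError("missing Conditions")
    if not (ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if sp_entity_id not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not addressed to this SP")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        target = None  # IdP-initiated SSO: there was no AuthnRequest to match
    elif in_response_to in outstanding:
        target = outstanding.pop(in_response_to)  # SP-initiated: consume the request ID once (no replay)
    else:
        raise ValueError("response does not match an outstanding AuthnRequest")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {at.get("Name"): at.findtext("saml:AttributeValue", namespaces=NS)
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs, target
```

`outstanding` maps AuthnRequest IDs this SP issued to the URL the user originally asked for, which is what the SP sends the user to after a successful SP-initiated login.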
Standards like SAML are necessary for implementing scalable, secure federated identity across organizations.