What is SAML?
SAML, the Security Assertion Markup Language, is one of the most widely used web authentication standards. A large share of internet users rely on it every day, usually without knowing it, to sign in to websites and online services through their organization's identity provider.
The standard was first published by the Organization for the Advancement of Structured Information Standards (OASIS) in 2002. Until then, most businesses depended on local, "on-premises" systems and applications. The online side of doing business was mostly limited to sending and receiving email, reading news and querying databases. Then web-based applications began to emerge, offering lightweight, inexpensive software to anyone, anywhere, and organizations readily adopted these productivity and collaboration tools, which until then had been within reach only of large, wealthy enterprises.
But to let employees use the new tools, administrators had to make sure online services could recognize their users in a secure, scalable and manageable way. With most companies then (and arguably still) using Active Directory for identity and access management, admins needed a standard way to connect their directory to services outside the domain.
The answer was SAML: an open, vendor-neutral protocol intended to close the gap between the local domain and any web service that needs to know a user's identity or organizational affiliation.
The Benefits of SAML
Today SAML allows quick and easy login to most web and cloud services and is supported by virtually every identity provider and access management product. In most deployments this takes the form of Single Sign-On (SSO): the user authenticates once, to the identity provider, and can then reach every connected service. This has clear advantages over a separate username and password for each service, since every additional password adds friction to the user's journey and raises the risk of it being phished, stolen or simply forgotten.
Thanks to SAML there is no need to type credentials at every login, to remember and rotate a password for each service, or to be tempted to reuse weak passwords.
Most organizations already manage their users' identities well, because users are logged in to the Active Directory domain or intranet even when working remotely. Providing SSO on top of that through SAML therefore saves time, money and risk for all parties.
How Does it Work?
SAML is an open standard, meaning anyone can study or implement it. It is an XML-based framework in which the identity provider (IdP) and the accessed service (the service provider, SP) exchange digitally signed XML messages; the signed unit that carries the user's identity is called an assertion.
Once a user has authenticated to the identity provider, SAML lets them enter any connected service without authenticating again. In the common SP-initiated flow, the service provider works out which IdP the user belongs to (typically from the user's email domain, a tenant-specific subdomain or a fixed configuration) and redirects the browser to the IdP with an authentication request. The IdP builds a SAML response, an XML document containing an assertion with the user's identifying data, and signs it with its private key; the matching X.509 certificate has been shared with the service provider in advance, usually through IdP metadata. The browser posts the response back to the service provider, which must verify the XML signature against that pinned certificate and then check that the assertion is actually meant for it: that the Issuer is the expected IdP, that the Audience is the SP's own entity ID, that the current time falls inside the NotBefore/NotOnOrAfter window, and that InResponseTo matches a request it really sent. Only after all of those checks pass is the user's identity established. A matching certificate fingerprint on its own proves only who signed the message, not that the assertion is fresh, unmodified and addressed to this particular service.
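The exchange described above, written out as an added example that is not part of the original article and not taken from any SAML library. It models both sides: the IdP issues a signed assertion, and the SP performs the full set of checks rather than only matching a certificate fingerprint. The entity IDs, the function and type names (IssueAssertion, ServiceProvider, Validate) and the user name are illustrative assumptions, and two things are deliberately simplified: the signature is a plain RSA-SHA256 signature over the serialized assertion bytes standing in for XML-DSig (which canonicalizes the XML first), and InResponseTo is placed directly on the Assertion element rather than on SubjectConfirmationData. The validation order and the individual checks are the ones a real SP must perform.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Assertion models the parts of a SAML assertion the SP must check (simplified layout, see lead-in).
type Assertion struct {
	XMLName      xml.Name   `xml:"Assertion"`
	InResponseTo string     `xml:"InResponseTo,attr"`
	Issuer       string     `xml:"Issuer"`
	NameID       string     `xml:"Subject>NameID"`
	Conditions   Conditions `xml:"Conditions"`
}
type Conditions struct {
	NotBefore    time.Time `xml:"NotBefore,attr"`
	NotOnOrAfter time.Time `xml:"NotOnOrAfter,attr"`
	Audience     string    `xml:"AudienceRestriction>Audience"`
}

// SignedResponse: the serialized assertion plus an RSA-SHA256 signature over those exact bytes (stand-in for XML-DSig).
type SignedResponse struct{ Assertion, Signature []byte }

var (
	ErrSignature = errors.New("signature does not verify against the pinned IdP key")
	ErrIssuer    = errors.New("assertion issued by an unexpected IdP")
	ErrAudience  = errors.New("assertion is not addressed to this service provider")
	ErrExpired   = errors.New("assertion is outside its NotBefore/NotOnOrAfter window")
	ErrReplay    = errors.New("InResponseTo does not match an outstanding request")
)

// IssueAssertion is the IdP side: after the user has logged in there, it signs a short-lived
// assertion bound to the requesting SP (audience) and to the request that triggered it.
func IssueAssertion(idpKey *rsa.PrivateKey, issuer, user, audience, inResponseTo string, now time.Time) (SignedResponse, error) {
	a := Assertion{InResponseTo: inResponseTo, Issuer: issuer, NameID: user, Conditions: Conditions{
		NotBefore: now.Add(-time.Minute), NotOnOrAfter: now.Add(5 * time.Minute), Audience: audience}}
	body, err := xml.Marshal(a)
	if err != nil {
		return SignedResponse{}, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, digest[:])
	return SignedResponse{Assertion: body, Signature: sig}, err
}

// ServiceProvider pins the IdP's public key (in real deployments the X.509 certificate from
// IdP metadata) and remembers the AuthnRequest IDs it has issued but not yet seen answered.
type ServiceProvider struct {
	EntityID, IdPIssuer string
	IdPKey              *rsa.PublicKey
	Pending             map[string]bool
}

// NewAuthnRequest returns the unguessable request ID the SP puts in its redirect to the IdP.
func (sp *ServiceProvider) NewAuthnRequest() string {
	b := make([]byte, 16)
	rand.Read(b)
	id := fmt.Sprintf("_%x", b)
	sp.Pending[id] = true
	return id
}

// Validate runs the checks the SP must pass before trusting the NameID in a response.
// The switch cases run in order, so the XML is parsed only after the signature verifies.
func (sp *ServiceProvider) Validate(r SignedResponse, now time.Time) (string, error) {
	var a Assertion
	digest := sha256.Sum256(r.Assertion)
	switch {
	case rsa.VerifyPKCS1v15(sp.IdPKey, crypto.SHA256, digest[:], r.Signature) != nil:
		return "", ErrSignature // 1. unverified bytes: nothing below may be trusted
	case xml.Unmarshal(r.Assertion, &a) != nil:
		return "", errors.New("assertion is not well-formed XML")
	case a.Issuer != sp.IdPIssuer:
		return "", ErrIssuer // 2. signed by the IdP we configured ...
	case a.Conditions.Audience != sp.EntityID:
		return "", ErrAudience // ... and addressed to us, not to some other tenant
	case now.Before(a.Conditions.NotBefore) || !now.Before(a.Conditions.NotOnOrAfter):
		return "", ErrExpired // 3. still inside its validity window
	case !sp.Pending[a.InResponseTo]:
		return "", ErrReplay // 4. answers a request this SP actually sent
	}
	delete(sp.Pending, a.InResponseTo) // consumed: presenting the same response again fails
	return a.NameID, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // the IdP's signing key (constructed for the demo)
	sp := &ServiceProvider{EntityID: "https://app.example.com/saml", IdPIssuer: "https://idp.example.com", IdPKey: &key.PublicKey, Pending: map[string]bool{}}
	resp, _ := IssueAssertion(key, sp.IdPIssuer, "alice@example.com", sp.EntityID, sp.NewAuthnRequest(), time.Now())
	user, err := sp.Validate(resp, time.Now())
	fmt.Println("first presentation:", user, err)
	_, err = sp.Validate(resp, time.Now())
	fmt.Println("same response replayed:", err)
}
```

Running it shows the first presentation yielding alice@example.com and the replay being refused, because the request ID was consumed on first use. The same Validate rejects an assertion whose NameID was edited after signing (signature check), one issued for a different audience, one whose validity window has passed, and one carrying the wrong Issuer even though it was signed with the right key; only the signature step involves the certificate, the rest is what a fingerprint check alone would miss.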
SAML makes single sign-on possible for consumers and employees alike, streamlining authentication for most web-based use cases.