Security Assertion Markup Language (SAML)
What is Security Assertion Markup Language (SAML)?
Security Assertion Markup Language (SAML) is an open standard that lets an identity provider (IdP) tell a service provider (SP) that a user has been authenticated, and pass along the attributes the SP needs to authorize that user's access to a service. The user's credentials themselves are presented only to the IdP; the SP receives a signed assertion about the user, never the password. SAML, pronounced "SAM-el," simplifies password management and the associated employee or customer identities within the enterprise.
SAML uses Extensible Markup Language (XML), a set of rules for encoding documents, to standardize communications between these systems. SAML is standardized by OASIS, and version 2.0 has been in use since its approval in March 2005.
SAML Enables Single Sign-On (SSO)
With SAML, organizations can give their employees Single Sign-On (SSO). Users authenticate once with the IdP, and that IdP session is then used to sign them in to other services and applications without entering credentials again.
SAML is an umbrella standard that covers federation, the linking of a person's electronic identity and attributes that might be stored across several different identity management systems, and SSO. This is helpful for enterprises because with SSO in place, employees rely on fewer passwords to gain access to the network and services they need to do their jobs, and the identity management systems that IT teams set up and manage hold fewer passwords, so there is less for an attacker to steal or reuse.
How Does SAML Authorization Work?
SAML providers help users access services, usually software and data, that they need to do their job. SAML can also be used for customers who have to be authenticated and authorized to access their information. For example, an online banking customer needs to not only be authenticated to enter the system but also be authorized to access his or her banking information.
SAML works by passing assertions about the user, authentication statements and user attributes, from the IdP to the SP; the user's password never travels to the SP. The user logs in once with the IdP. When the user then tries to access a service, the SP sends the IdP an authentication request, the IdP returns a signed SAML response containing the assertion, and the SP verifies the signature and the assertion's conditions before granting access. This happens seamlessly because both sides speak the same language, SAML, so the user logs in only once. For this to work, the IdP and SP must be configured to match each other: the entity IDs of both parties, the SP's assertion consumer service URL, the IdP's sign-on URL, and the IdP signing certificate the SP trusts, all usually exchanged as SAML metadata.
Let us have a closer look at these two types of SAML providers.
Identity Provider (IdP)
An IdP authenticates the user, verifying that they are who they claim to be, and sends the SP a signed assertion stating that the user was authenticated, along with any attributes the SP needs.
Service Provider (SP)
An SP, usually a Software-as-a-Service (SaaS) application, password-protected website, or specialized online service, relies on the IdP's assertion that the user is authenticated and then applies its own authorization rules to decide what that user may do.
A SAML assertion is a signed XML statement from the IdP that tells an SP who the user is and that they have been authenticated. It contains everything the SP needs to decide whether to accept it: the issuer, the subject (a user identifier such as an email address), the time of issue, user attributes such as group memberships, and conditions that bound its validity, such as the time window in which it may be used and the audience (the SP) for which it was issued. The SP must verify the IdP's signature and check every condition before trusting the assertion.
Here is a step-by-step example of how SAML would work in the enterprise:
- At the beginning of the work day, John logs in to the SSO portal of the identity and access management (IAM) system provided by his company. The IAM system is the IdP.
- John then visits the webpage for the hosted email provider his company uses. (In this example, the email provider is an SP.)
- The email provider never sees John's password. It redirects John's browser to the IdP with a SAML authentication request.
- Because John already has a session with the IdP, the IdP sends a signed SAML assertion back to the email provider (through John's browser) stating that John is authenticated and carrying the attributes the email provider uses to authorize him.
- The email provider verifies the signature and the assertion's conditions, and John can now use it for work.
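The three-message exchange above (SP request, IdP response, SP checks), as an added Python example; it is not code from the original page or from Fortinet, and it is deliberately limited to what the standard library can do. The entity IDs, URLs and clock are assumed values, the Response is a constructed sample, and XML signature verification, which a real SP must perform with an XML-DSig library before any of these checks, is left out.

```python
"""SP side of SAML 2.0 web-browser SSO, standard library only. Constructed example:
XML signature verification is NOT done here and must precede these checks in a real SP."""
import secrets
import xml.etree.ElementTree as ET  # production code should parse SAML with defusedxml
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical SP/IdP settings, normally exchanged as SAML metadata (assumed values).
SP_ENTITY_ID = "https://mail.example.com/saml/metadata"
ACS_URL = "https://mail.example.com/saml/acs"  # where the IdP posts the Response
IDP_ENTITY_ID = "https://idp.example.com/saml"
IDP_SSO_URL = "https://idp.example.com/saml/sso"
DEMO_NOW = datetime(2024, 5, 1, 9, 0, 30, tzinfo=timezone.utc)  # fixed clock for the sample

def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse_ts(s):  # SAML timestamps are UTC; fractional seconds are ignored here
    return datetime.strptime(s.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def build_authn_request(now):
    """Step 1, SP -> IdP: the SP keeps request_id to match the Response it gets back."""
    request_id = "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{_ts(now)}" '
           f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
           'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return request_id, xml

def sample_response(request_id):
    """Step 2, IdP -> SP: a constructed (unsigned) Response answering that request."""
    return f'''<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T09:00:05Z" Destination="{ACS_URL}" InResponseTo="{request_id}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T09:00:05Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">john@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
          Recipient="{ACS_URL}" InResponseTo="{request_id}" NotOnOrAfter="2024-05-01T09:05:05Z"/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:00:00Z" NotOnOrAfter="2024-05-01T09:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-05-01T09:00:04Z" SessionIndex="_s1"><saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>john@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups"><saml:AttributeValue>mail-users</saml:AttributeValue>
                                    <saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>'''

def validate_response(response_xml, expected_request_id, now, skew=timedelta(minutes=2)):
    """Step 3, at the SP: the checks an SP must make before trusting a Response whose
    signature it has already verified. Raises ValueError naming the first failed check."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:  # rejects unsolicited or replayed responses
        raise ValueError("InResponseTo does not match an outstanding request")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("Assertion Issuer is not the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    if cond.get("NotBefore") and now + skew < _parse_ts(cond.get("NotBefore")):
        raise ValueError("Assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - skew >= _parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("Assertion expired")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("Assertion was issued for a different audience")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and (scd.get("Recipient", ACS_URL) != ACS_URL
                            or scd.get("InResponseTo", expected_request_id) != expected_request_id
                            or (scd.get("NotOnOrAfter") and now - skew >= _parse_ts(scd.get("NotOnOrAfter")))):
        raise ValueError("SubjectConfirmationData does not confirm this SP, request and time")
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}

def rejection_reason(response_xml, expected_request_id, now):
    """None when the Response is accepted, otherwise the check that rejected it."""
    try:
        validate_response(response_xml, expected_request_id, now)
    except ValueError as e:
        return str(e)
    return None
```

`validate_response` rejects a Response whose InResponseTo does not match a request the SP issued, whose Destination or Audience names another SP, or whose validity window has passed; `rejection_reason` wraps it for callers that want the reason rather than an exception. Two things the example leaves to the surrounding SP: the request ID must be deleted from the SP's outstanding-request store as soon as it is matched, so a captured Response cannot be posted twice, and the XML should be parsed with defusedxml or an equivalent hardened parser, because whoever controls the posted Response controls the XML.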
How SAML Differs from OAuth
Social networks that required their own accounts created demand for a lightweight yet secure way for users to let one site act on their behalf at another, and to reuse an existing account to sign in to additional sites, without handing over their password.
OAuth, an authorization protocol that grew out of an open community effort with contributors from companies including Twitter and Google, gave consumers that more streamlined way to log in to different internet sites. OAuth and SAML are often compared, but they solve different problems. SAML is an authentication and federation standard: the IdP asserts who the user is and which attributes they have, and that richer, signed statement is why SAML is the usual choice for enterprise SSO. OAuth is an authorization framework: a user grants an application limited access to resources held by another service, and that access is restricted to the permissions explicitly granted, known as scopes. On its own, OAuth does not tell the application who the user is; OpenID Connect adds that identity layer on top of OAuth 2.0.
When you create an account with a new SaaS or online service, you might see the option to "Sign in with Google" or "Sign in with Facebook" rather than create an account with the usual username and password. That vendor or website relies on OAuth 2.0, usually with the OpenID Connect identity layer on top, to verify your identity with the social provider and create the account, which lowers the barrier to adoption.
Why Identity Management is Important
An IAM system provides security by controlling and recording who can access what. It tracks employees not only as they enter the network from their devices but also as they engage and interact with applications and systems.
Letting employees onto the network while limiting each account to the applications its role requires (role-based access control) keeps people productive and also limits the damage a breach can do. If an attacker guesses, brute-forces, or phishes one user's password, they gain only that role's access rather than everything, so a single compromised credential cannot become a large-scale compromise, and the effort needed to reach anything valuable goes up.
For advanced visibility of all devices on a network, including Internet-of-Things (IoT) devices, network access control (NAC) maintains an inventory of devices as they connect to the network. NAC goes a step further and can shut off access if the system suspects unauthorized usage.
IT professionals can also use the IAM system to detect unusual user activity: for example, an extraordinary number of sign-ons in a short time, all from a single remote location, or the reverse, no sign-ons at all from an account that should be active. Rather than wait for employees to bring issues to IT, the IAM system tracks suspicious activity so that the IT team can take action if needed.
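Those two patterns, a burst of sign-ons from one address and an account that never signs on, as an added Python example run over constructed IdP log lines; it is not code from the original page or from Fortinet's products, and the log format, user names and addresses are invented for the example.

```python
"""Sign-on anomaly checks over IdP audit logs, standard library only.
Constructed example: the log lines below are made up, not real IAM output."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log, one sign-on attempt per line: "<UTC time> <user> <source IP> <result>".
SAMPLE_LOG = """\
2024-05-01T08:58:12Z john 203.0.113.10 success
2024-05-01T09:01:40Z mary 203.0.113.11 success
2024-05-01T09:02:03Z john 198.51.100.7 failure
2024-05-01T09:02:05Z mary 198.51.100.7 failure
2024-05-01T09:02:08Z alice 198.51.100.7 failure
2024-05-01T09:02:10Z bob 198.51.100.7 failure
2024-05-01T09:02:13Z carol 198.51.100.7 success
2024-05-01T09:02:15Z dave 198.51.100.7 failure
2024-05-01T10:30:00Z alice 203.0.113.12 success
"""

def parse_log(text):
    """Return (time, user, ip, result) tuples, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, parts[1], parts[2], parts[3]))
    return events

def burst_sources(events, window=timedelta(minutes=5), threshold=5):
    """Source IPs with at least `threshold` sign-on attempts inside any `window`, with how many
    distinct accounts they touched. Many accounts from one address in a short time is the
    credential-stuffing or password-spraying pattern, not one user's normal day."""
    by_ip = defaultdict(list)
    for ts, user, ip, _ in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start, peak = 0, 0
        for end in range(len(attempts)):  # sliding window over the sorted attempt times
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {"attempts": peak, "accounts": len({u for _, u in attempts})}
    return flagged

def silent_users(events, expected_users):
    """Accounts that were expected to sign on but never did so successfully (the reverse anomaly)."""
    seen = {user for _, user, _, result in events if result == "success"}
    return sorted(set(expected_users) - seen)
```

Both checks run from a plain event list, so the same functions can be pointed at a real IdP's sign-on log once its lines are mapped to (time, user, source, result); the window and threshold are the knobs to tune against a site's normal traffic.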
Enterprises can benefit from standardization or the use of industry-accepted protocols to enable a more open approach to architecture and identity federation. This reduces the need for the enterprise to invest in engineering and development to create custom IAM solutions. With open architecture and managed identities, employees can access vital SaaS or cloud-based applications seamlessly and securely.
Further, the zero-trust security model depends on strong identity management. Zero trust relies on the idea that no user or device, inside or outside the network, is trusted until its identity has been verified, and every access request is evaluated on that basis rather than on network location. That continuous verification is only practical with a robust IAM system in place.
SAML authentication also improves security because the user's credentials are presented only to the IdP, which the enterprise controls and can keep behind its firewall; an SP, even one hosted outside that boundary, receives only a signed assertion and never the password. Firewalls defend a network from traffic stemming from environments presumed to be less secure or of unknown security. To gain access to the secure environment, employees or customers must be authenticated before being authorized to utilize resources, including both hardware and software. Firewalls essentially prevent unauthorized users, devices, and applications from entering a protected network.
How Fortinet Can Help
The Fortinet IAM solutions offer SAML capabilities for enterprises. Managing authentication and authorization for all systems, including devices, servers, and cloud applications, is a crucial step in managing user-device connectivity—and ultimately, in mitigating security breaches.
The Fortinet IAM tool delivers a suite of products and services that securely confirm the identities of users and devices as they enter and interact with the network.