
Security Assertion Markup Language (SAML)

What is Security Assertion Markup Language (SAML)?

Security Assertion Markup Language (SAML) is a protocol that enables an identity provider (IdP) to send a user's credentials to a service provider (SP) to authenticate and authorize that user to access a service. SAML, pronounced "SAM-el," simplifies password management and the associated employee or customer identities within the enterprise. 

SAML uses Extensible Markup Language (XML), a set of rules for encoding documents, to standardize communications between various systems. SAML is approved by the OASIS Consortium, and version 2.0 has been in use since March 2005. 

SAML Enables Single Sign-On (SSO)

With SAML, organizations can allow their employees to use Single Sign-On (SSO). This means users can log in to a service once, and then use those same credentials to log in to other services or applications. 

SAML is an umbrella standard that covers federation—the linking of a person's electronic identity and attributes that might be stored across several different identity management systems—and SSO. This is helpful for enterprises because with SSO in place, employees rely on fewer passwords to gain access to the network and services they need to do their jobs. Further, with fewer passwords in circulation, the identity management systems that IT teams set up and maintain hold fewer passwords.

How Does SAML Authorization Work?

SAML providers help users access services, usually software and data, that they need to do their job. SAML can also be used for customers who have to be authenticated and authorized to access their information. For example, an online banking customer needs to not only be authenticated to enter the system but also be authorized to access his or her banking information. 

SAML functions by passing user attributes or credentials between the IdP and the SP. Each user logs in once with the IdP; the IdP then passes the SAML attributes to the SP at the moment the user attempts to access that service. The SP requests the authentication and authorization from the IdP. This process occurs seamlessly because both the IdP and the SP speak the same language—SAML—so the user only has to log in once. SAML must be configured consistently on both the IdP and the SP for SAML authentication to work properly.

Let us have a closer look at these two types of SAML providers.

Understand how SAML Authorization Works

Identity Provider (IdP)

An IdP performs the authentication to verify that the user is indeed who they say they are and sends that data to the SP. 

Service Provider (SP)

An SP—usually a Software-as-a-Service (SaaS) application, password-protected website, or specialized online service—needs authentication from the IdP to grant authorization to the user.

SAML Assertion

A SAML assertion is a message that tells an SP whether a user is signed in or not. SAML assertions contain all the relevant information for the SP to confirm user identity, including the time of issue and any special conditions that make the assertion valid. 

Here is a step-by-step example of how SAML would work in the enterprise:

  1. At the beginning of the work day, John logs in to SSO via the identity and access management (IAM) system provided by his company.
  2. John then visits the webpage for the hosted email provider his company uses. (In this example, the email provider is an SP.)
  3. The email provider checks John’s credentials with the IAM provider.
  4. The IdP lets the email provider know that John is authenticated and has the authorization to use the email provider's platform.
  5. John can now use the email provider for work.

4 Basic Components of SAML Framework

The four basic components of the SAML framework include protocol, bindings, profiles, and flows.

Protocol

Security Assertion Markup Language (SAML) uses Hypertext Transfer Protocol Secure (HTTPS) as well as Simple Object Access Protocol (SOAP), which are both technologies used for transferring information over the internet. Because both of these protocols allow for secure connections, they enhance the security of the SAML framework.

Bindings

Bindings dictate how a transport protocol, such as the HTTPS or SOAP mentioned above, carries SAML protocol messages. For HTTP, SAML uses the HTTP Redirect Binding, and for SOAP, SAML uses the SOAP Binding.
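As an added example (not part of the original article or Fortinet's code), here is what the HTTP Redirect Binding does to the first message of an SP-initiated flow: the SP compresses the AuthnRequest with raw DEFLATE, base64-encodes it and URL-encodes it into the SAMLRequest query parameter, and the IdP reverses the steps. The IdP URL, SP URLs and the request itself are constructed sample values.

```python
"""Encode and decode a SAML AuthnRequest for the HTTP-Redirect binding.

Added example (not Fortinet's code). The binding applies raw DEFLATE, then
base64, then URL-encoding to the message carried in the SAMLRequest parameter.
"""
import base64
import zlib
from urllib.parse import parse_qs, quote, urlparse

IDP_SSO_URL = "https://idp.example.com/sso/redirect"  # hypothetical IdP endpoint

# Constructed AuthnRequest an SP would send to start an SP-initiated flow.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-req-1" '
    'Version="2.0" IssueInstant="2024-05-01T09:00:00Z" '
    'AssertionConsumerServiceURL="https://mail.example.com/saml/acs">'
    '<saml:Issuer>https://mail.example.com/sp</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

def encode_redirect(message):
    """Raw DEFLATE (no zlib header, wbits=-15) then base64, as the binding requires."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(message.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")

def decode_redirect(param, max_size=64 * 1024):
    """Inverse of encode_redirect; the inflate cap stops a tiny request growing into huge XML."""
    deflated = base64.b64decode(param, validate=True)
    decompressor = zlib.decompressobj(-15)
    data = decompressor.decompress(deflated, max_size)
    if not decompressor.eof:
        raise ValueError("SAMLRequest truncated or larger than %d bytes" % max_size)
    return data.decode("utf-8")

def build_redirect_url(message, relay_state):
    """SP side: the URL the user's browser is redirected to."""
    return "%s?SAMLRequest=%s&RelayState=%s" % (
        IDP_SSO_URL, quote(encode_redirect(message), safe=""), quote(relay_state, safe=""))

def parse_redirect_url(url):
    """IdP side: pull the parameters back out of the URL and inflate the request."""
    query = parse_qs(urlparse(url).query)
    return decode_redirect(query["SAMLRequest"][0]), query["RelayState"][0]
```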

Profiles

Profiles are used within SAML to combine bindings, SAML messages, and protocols into a bundle that can be used by an application that uses SAML. You can think of profiles as organized packages that enable your SAML system to work with specific applications.

Flows

A SAML flow describes how information moves within the SAML framework. As described above, SAML functions by transferring user attributes or credentials between the IdP and the SP. Therefore, there are two different kinds of flows: those initiated by the IdP and those started by the SP. If a flow starts with one party, the SAML framework then redirects it to the other party.

Business Benefits of SAML

Businesses can experience the following benefits of SAML:

  1. Users don’t have to use as many passwords
  2. You can eliminate the need to manage user credentials from external users
  3. SAML gives you the ability to add multi-factor authentication for specific groups of users
  4. You can custom-design and enforce your own password policies

By leveraging these advantages, a business can greatly enhance its security posture, particularly when it comes to controlling access to its most sensitive cloud or hybrid cloud resources. For example, if there’s a part of your network that you only want a certain group of users to be able to access, you can use SAML to set up access controls for that team only.

For instance, suppose you want the HR team to be able to access a database containing employee Social Security numbers. With SAML, you can make sure that only those people can get into that database, thereby protecting that sensitive data. Then, if HR hires someone else, you can grant that person access as well.

How SAML Differs from OAuth

Social networks requiring account creation led to the need for a lightweight yet secure way for users to maintain their account credentials but also reuse those credentials to sign in to additional networks. 

OAuth, an authorization standard or protocol, was co-developed by Google and Twitter to allow consumers a more streamlined way to log in to different internet sites. OAuth is similar to SAML; however, SAML is more suited for enterprises because it provides more control and security for SSO logins than OAuth. OAuth is known for offering bare minimum access once a user is verified, also known as access scoping.

When you want to create an account with a new SaaS or online service, you might see the ability to "Sign in with Google" or "Sign in with Facebook" rather than create an account with the typical username and password. That SaaS vendor or website relies on OAuth technologies to facilitate account creation and user adoption.

SAML vs. LDAP

The basic idea behind SAML and Lightweight Directory Access Protocol (LDAP) is the same: They both give you the ability to enable secure user authentication. However, there are some differences.

For example, LDAP was designed to authenticate users on-site, such as in a physical office. But SAML was made to enable authentication over the cloud using cloud-based applications and servers.

Because LDAP is designed for on-premises use, it also requires a physical installation at your office. This can make it a more cumbersome and less convenient solution for some IT teams. SAML may be a better solution if you want to ensure secure authentication practices for your cloud-based assets.

Why Identity Management is Important

An IAM system provides security because it keeps track of employee activity. IAM tracks employees not only as they enter the network via devices but also as they engage and interact with applications and systems. 

Allowing employees onto the network while limiting their access to the applications their jobs require not only supports productivity but also reduces the possibility of a security breach. Limiting access to certain applications and data using role-based protocols diminishes the chances of a cyberattacker using brute force to compromise all employees' credentials. If the attacker knows that not everyone has access, then they might reconsider a large-scale attack. 

For advanced visibility of all devices in a network, including Internet-of-Things (IoT) devices, network access control (NAC) provides awareness of all devices as they enter and connect to the network. NAC goes a step further and can shut off access if the system suspects unauthorized usage.

IT professionals can also use the IAM system to detect any unusual user activity—for example, an extraordinary number of sign-ons in a short time, all in a single remote location. Or the reverse, no sign-ons at all. Rather than wait for employees to bring any issues to IT, the IAM system can track suspicious activity so that the IT team can take action if needed.

Enterprises can benefit from standardization or the use of industry-accepted protocols to enable a more open approach to architecture and identity federation. This reduces the need for the enterprise to invest in engineering and development to create custom IAM solutions. With open architecture and managed identities, employees can access vital SaaS or cloud-based applications seamlessly and securely.

Further, adopting the zero-trust network security model reduces the complexity of an organization's technology stack. The zero-trust model relies on the idea that no one inside or outside the network should be trusted unless their identification has been verified. Zero trust can be carried out with a robust IAM system in place.

In addition, SAML authentication improves security by ensuring user credentials never leave the boundary of the firewall. Firewalls defend a network from traffic stemming from environments presumed to be less secure or of unknown security. To gain access to the secure environment, employees or customers must be authenticated before being authorized to utilize resources, including both hardware and software. Firewalls essentially prevent unauthorized users, devices, and applications from entering a protected network.

How Fortinet Can Help

The Fortinet IAM solutions offer SAML capabilities for enterprises. Managing authentication and authorization for all systems, including devices, servers, and cloud applications, is a crucial step in managing user-device connectivity—and ultimately, in mitigating security breaches. 

The Fortinet IAM tool delivers a suite of products and services that securely confirm the identities of users and devices as they enter and interact with the network.