Security Assertion Markup Language (SAML)
What is Security Assertion Markup Language (SAML)?
Security Assertion Markup Language (SAML) is a protocol that enables an identity provider (IdP) to pass a user's authentication and authorization data to a service provider (SP), so the SP can authenticate and authorize that user to access a service. SAML, pronounced "SAM-el," simplifies password management and the management of the associated employee or customer identities within the enterprise.
SAML uses Extensible Markup Language (XML), a set of rules for encoding documents, to standardize communications between various systems. SAML is approved by the OASIS Consortium, and version 2.0 has been in use since March 2005.
SAML Enables Single Sign-On (SSO)
With SAML, organizations can allow their employees to use Single Sign-On (SSO). This means users can log in to a service once, and then use those same credentials to log in to other services or applications.
SAML is an umbrella standard that covers federation—the linking of a person's electronic identity and attributes that might be stored across several different identity management systems—and SSO. This is helpful for enterprises because with SSO in place, employees rely on fewer passwords to gain access to the network and services they need to do their jobs. Further, with fewer passwords, identity management systems set up and managed by IT teams hold fewer passwords.
How Does SAML Authentication Work?
SAML providers help users access services, usually software and data, that they need to do their job. SAML can also be used for customers who have to be authenticated and authorized to access their information. For example, an online banking customer needs to not only be authenticated to enter the system but also be authorized to access his or her banking information.
SAML functions by passing user attributes between the IdP and the SP. Each user logs in once with the IdP. When the user then attempts to access a service, the SP requests authentication and authorization from the IdP, and the IdP passes the user's SAML attributes to the SP. The process is seamless because both the IdP and the SP speak the same language, SAML, so the user only has to log in once. The SAML configuration must match exactly on both the IdP and the SP for SAML authentication to work properly.
Let us have a closer look at these two types of SAML providers.
Identity Provider (IdP)
An IdP performs the authentication to verify that the user is indeed who they say they are and sends that data to the SP.
Service Provider (SP)
An SP—usually a Software-as-a-Service (SaaS) application, password-protected website, or specialized online service—needs authentication from the IdP to grant authorization to the user.
A SAML assertion is a message that tells an SP whether a user is signed in or not. SAML assertions contain all the relevant information for the SP to confirm user identity, including the time of issue and any special conditions that make the assertion valid.
Here is a step-by-step example of how SAML would work in the enterprise:
- At the beginning of the work day, John logs in to SSO via the identity and access management (IAM) system provided by his company.
- John then visits the webpage for the hosted email provider his company uses. (In this example, the email provider is an SP.)
- The email provider checks John’s credentials with the IAM provider.
- The IdP lets the email provider know that John is authenticated and has the authorization to use the email provider's platform.
- John can now use the email provider for work.
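The step in which the email provider (the SP) accepts the IdP's answer is where the security of the whole flow is decided, so the following added example (not code from the original page or from Fortinet) shows the checks an SP performs on a SAML 2.0 assertion before it trusts the "John is authenticated" statement: an integrity check first, then issuer, audience restriction, validity window, the InResponseTo link back to the SP's own request, and one-time use to stop replay. The IdP/SP URLs, the assertion ID and the shared key are constructed placeholders, and the HMAC stands in for the XML Signature a real IdP would apply with its signing certificate.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed placeholders for this example: not real endpoints, and the shared
# key is a stand-in for the IdP's signing certificate used with XML Signature.
IDP_ISSUER = "https://idp.example.com/metadata"
SP_AUDIENCE = "https://mail.example.com/saml/metadata"
SHARED_KEY = b"example-only-shared-key"

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_assertion(subject, request_id, now, assertion_id="_a1b2c3",
                    lifetime=timedelta(minutes=5)):
    """Produce a minimal SAML 2.0 Assertion the way an IdP would (constructed)."""
    not_before = now.strftime(TIME_FMT)
    not_after = (now + lifetime).strftime(TIME_FMT)
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="{assertion_id}" '
        f'Version="2.0" IssueInstant="{not_before}">'
        f'<saml:Issuer>{IDP_ISSUER}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{subject}</saml:NameID>'
        f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData InResponseTo="{request_id}" '
        f'NotOnOrAfter="{not_after}" Recipient="{SP_AUDIENCE}/acs"/>'
        f'</saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">'
        f'<saml:AudienceRestriction><saml:Audience>{SP_AUDIENCE}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions>'
        f'</saml:Assertion>'
    ).encode()


def integrity_tag(assertion_xml):
    """Stand-in for XML Signature: an HMAC over the exact bytes received."""
    return hmac.new(SHARED_KEY, assertion_xml, hashlib.sha256).hexdigest()


def validate_assertion(assertion_xml, tag, expected_request_id, now, seen_ids):
    """SP-side checks. Returns a list of problems; an empty list means accept."""
    problems = []
    # 1. Integrity first: no field of the assertion is trusted before this passes.
    if not hmac.compare_digest(integrity_tag(assertion_xml), tag):
        return ["integrity check failed"]
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        return ["not a SAML Assertion element"]
    # 2. Issuer must be the IdP this SP was configured to trust.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != IDP_ISSUER:
        problems.append(f"unexpected issuer {issuer!r}")
    # 3. The audience restriction must name this SP, not some other service.
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_AUDIENCE not in audiences:
        problems.append("audience restriction does not include this SP")
    # 4. The assertion is only valid inside its NotBefore/NotOnOrAfter window.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions element")
    else:
        nb = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
        noa = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
        if not (nb <= now < noa):
            problems.append("assertion outside its validity window")
    # 5. InResponseTo must match an AuthnRequest this SP actually issued.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match an outstanding request")
    # 6. Bearer assertions are single-use: remember IDs and reject replays.
    assertion_id = root.get("ID")
    if assertion_id in seen_ids:
        problems.append(f"assertion {assertion_id} already consumed")
    elif not problems:
        seen_ids.add(assertion_id)
    return problems


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    xml = build_assertion("john@example.com", "_req1", now)
    seen = set()
    print("first use:", validate_assertion(xml, integrity_tag(xml), "_req1", now, seen))
    print("replayed:", validate_assertion(xml, integrity_tag(xml), "_req1", now, seen))
    print("expired:", validate_assertion(xml, integrity_tag(xml), "_req1",
                                         now + timedelta(minutes=10), set()))
```

The order matters: the integrity check runs before any XML field is read, and an assertion is only recorded as consumed once every other check has passed, so a rejected assertion cannot be used to poison the replay cache.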
The four basic components of the SAML framework include protocol, bindings, profiles, and flows.
Protocols enable an authentication assertion—and other data—to be transported through a secure connection. Protocols are the languages of the internet in that they allow different systems to talk to each other, including those sending SAML assertions to help users gain access to services.
Bindings specify how SAML messages are packaged and carried over the network protocols your service provider (SP) uses. A binding is used to transfer the SAML request or SAML response that carries information about the user during the authentication and authorization phase.
Profiles combine SAML protocols, assertions, and bindings to make it easier for the system to connect users. By keeping all of this data in a profile, it’s more readily available for those working with SAML to enable authenticated users to access services.
What is SAML 2.0?
Security Assertion Markup Language (SAML) 2.0 replaces SAML 1.1. It is an open standard that defines an XML framework for transmitting authorization and authentication data between a service provider (SP) and an identity provider (IdP). The SAML protocol is used to enable identity federation and single sign-on (SSO) services.
In other words, SAML 2.0 performs the same basic function as SAML 1.1: Enable users to sign on to different services with identity credentials they use to access other services, such as Facebook and Google.
Using SAML as an online login tool naturally raises the comparison of SAML vs. LDAP, covered below. With SAML, a user in a web browser can access an online service without completing a separate authentication request for that service: the SSO service redirects the user to a portal where another system's credentials, such as Google's, verify the user's identity.
How SAML Differs from OAuth
Social networks requiring account creation led to the need for a lightweight yet secure way for users to maintain their account credentials but also reuse those credentials to sign in to additional networks.
OAuth, an authorization standard or protocol, was co-developed by Google and Twitter to give consumers a more streamlined way to log in to different internet sites. OAuth is similar to SAML; however, SAML is better suited to enterprises because it provides more control and security for SSO logins than OAuth. OAuth is known for granting only the minimum access needed once a user is verified, a practice known as access scoping.
When you want to create an account with a new SaaS or online service, you might see the ability to "Sign in with Google" or "Sign in with Facebook" rather than create an account with the typical username and password. That SaaS vendor or website relies on OAuth technologies to facilitate account creation and user adoption.
SAML vs. LDAP
The basic idea behind SAML and Lightweight Directory Access Protocol (LDAP) is the same: They both give you the ability to enable secure user authentication. However, there are some differences.
For example, LDAP was designed to authenticate users on-site, such as in a physical office. But SAML was made to enable authentication over the cloud using cloud-based applications and servers.
Because LDAP is designed for on-premises use, it also requires a physical installation at your office. This can make it a more cumbersome and less convenient solution for some IT teams. SAML may be a better solution if you want to ensure secure authentication practices for your cloud-based assets.
Why Identity Management is Important
An IAM system provides security because it keeps track of employee activity. IAM tracks employees not only as they enter the network via devices but also as they engage and interact with applications and systems.
Letting employees onto the network while limiting each of them to the applications their job requires supports productivity and also reduces the possibility of a security breach. Limiting access to certain applications and data using role-based protocols diminishes the chances of a cyberattacker using brute force to compromise all employees' credentials. If the attacker knows that not everyone has access, they might reconsider a large-scale attack.
For advanced visibility of all devices in a network, including Internet-of-Things (IoT) devices, network access control (NAC) provides awareness of every device as it enters and connects to the network. NAC goes a step further and can shut off access if the system suspects unauthorized usage.
IT professionals can also use the IAM system to detect any unusual user activity—for example, an extraordinary number of sign-ons in a short time, all in a single remote location. Or the reverse, no sign-ons at all. Rather than wait for employees to bring any issues to IT, the IAM system can track suspicious activity so that the IT team can take action if needed.
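The two anomalies described in the paragraph above, a burst of sign-ons from one location in a short time and the opposite case of an account that never signs on, can both be detected from IdP sign-on logs. The following added example (not code from the original page or from Fortinet) runs a sliding-window count over constructed sample log lines whose format (timestamp, user, result, location) is an assumption of this example, and reports both kinds of anomaly so the IT team can follow up.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-on log: "<UTC timestamp> <user> <result> <location>".
# The format is an assumption of this example, not a real IdP's log format.
SAMPLE_LOG = """\
2024-03-04T08:01:10Z john success office-nyc
2024-03-04T12:30:02Z john success office-nyc
2024-03-04T02:14:00Z alice success remote-203.0.113.9
2024-03-04T02:14:31Z alice success remote-203.0.113.9
2024-03-04T02:15:05Z alice success remote-203.0.113.9
2024-03-04T02:15:40Z alice success remote-203.0.113.9
2024-03-04T02:16:12Z alice success remote-203.0.113.9
2024-03-04T02:17:55Z alice success remote-203.0.113.9
2024-03-04T09:00:00Z carol success office-sfo
2024-03-04T09:20:00Z carol success office-sfo
2024-03-04T09:40:00Z carol success office-sfo
2024-03-04T10:00:00Z carol success office-sfo
2024-03-04T10:20:00Z carol success office-sfo
2024-03-04T10:21:00Z dave failure remote-198.51.100.7
"""

# Constructed roster of accounts expected to sign on during the period.
ROSTER = ["john", "alice", "bob", "carol", "dave"]


def parse_log(text):
    """Turn log lines into (timestamp, user, result, location) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, result, location = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, user, result, location))
    return events


def burst_signons(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (user, location) pairs with >= threshold successful sign-ons inside one window.

    Returns a dict mapping the flagged pair to the peak count observed."""
    by_key = defaultdict(list)
    for when, user, result, location in events:
        if result == "success":
            by_key[(user, location)].append(when)
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside the time limit.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged


def silent_users(events, roster):
    """Accounts on the roster with no successful sign-on at all in the period."""
    active = {user for _, user, result, _ in events if result == "success"}
    return sorted(set(roster) - active)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (user, location), peak in burst_signons(evs).items():
        print(f"burst: {user} signed on {peak} times within 10 minutes from {location}")
    for user in silent_users(evs, ROSTER):
        print(f"silent: {user} has no successful sign-on in the period")
```

In the sample, carol's five sign-ons are spread over eighty minutes and are not flagged, while alice's six sign-ons in under four minutes from one remote address are; dave appears only with a failed attempt, so he is reported alongside bob as having no successful sign-on.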
Enterprises can benefit from standardization or the use of industry-accepted protocols to enable a more open approach to architecture and identity federation. This reduces the need for the enterprise to invest in engineering and development to create custom IAM solutions. With open architecture and managed identities, employees can access vital SaaS or cloud-based applications seamlessly and securely.
Further, adopting the zero-trust network security model reduces the complexity of an organization's technology stack. The zero-trust model relies on the idea that no one inside or outside the network should be trusted unless their identification has been verified. Zero trust can be carried out with a robust IAM system in place.
In addition, SAML authentication improves security by ensuring user credentials never leave the boundary of the firewall. Firewalls defend a network from traffic stemming from environments presumed to be less secure or of unknown security. To gain access to the secure environment, employees or customers must be authenticated before being authorized to utilize resources, including both hardware and software. Firewalls essentially prevent unauthorized users, devices, and applications from entering a protected network.
Business Benefits of SAML
SAML benefits businesses because it makes it easier for people to connect with services they need, particularly those of your organization. Here are some of the most significant advantages organizations get by using SAML:
- A better user experience: You may remember what it was like logging in before SAML simplified the process. You probably had dozens of passwords and worried about someone finding where you had written them down. Plus, typing out each password on your phone and making mistakes is frustrating. Thankfully, SAML makes it easier for customers to sign in and shaves several crucial seconds off the authentication process.
- Tighter security: Identity providers make it their business to enable secure connections. Your business then benefits from the identity providers' efforts if it uses a SAML-based SSO process.
- A platform-agnostic solution: Because SAML decouples your security from a vendor’s system or specific platform structures, users can log in regardless of the system they’re using or your application structure. This lets you welcome more users without having to adjust your security system.
- Lower costs: With SAML, your identity provider handles account administration. You don’t have to invest time, money, or resources to make sure it remains secure.
- Less risk for your business: The identity provider handles storing sensitive user login information, which reduces the risk that a breach of your own application reveals user access credentials.
- Interoperability: SAML is an open standard, so it can work well with a diverse range of systems, making it a flexible solution for your business.
How Fortinet Can Help
FortiTrust Identity (FTI) integrates with the Fortinet Security Fabric and gives you a range of security controls, enabling you to manage user authentications from a centralized location. With FTI, you can use multi-factor authentication, go passwordless, and enable SSO functions.