Security Assertion Markup Language (SAML)

Security Assertion Markup Language (SAML) is a protocol that enables an identity provider (IdP) to send a user's credentials to a service provider (SP) to authenticate and authorize that user to access a service. SAML, pronounced "SAM-el," simplifies password management and the associated employee or customer identities within the enterprise. 

SAML uses Extensible Markup Language (XML), a set of rules for encoding documents, to standardize communications between various systems. SAML is approved by the OASIS Consortium, and version 2.0 has been in use since March 2005. 

With SAML, organizations can allow their employees to use Single Sign-On (SSO). This means users can log in to a service once, and then use those same credentials to log in to other services or applications. 

SAML is an umbrella standard that covers federation—the linking of a person's electronic identity and attributes that might be stored across several different identity management systems—and SSO. This is helpful for enterprises because with SSO in place, employees rely on fewer passwords to gain access to the network and services they need to do their jobs. Further, with fewer passwords, identity management systems set up and managed by IT teams hold fewer passwords.

Social networks requiring account creation led to the need for a lightweight yet secure way for users to maintain their account credentials but also reuse those credentials to sign in to additional networks. 

OAuth, an authorization standard or protocol, was co-developed by Google and Twitter to allow consumers a more streamlined way to log in to different internet sites. OAuth is similar to SAML, however, SAML is more suited for enterprises because it provides more control and security for SSO logins than OAuth. OAuth is known for offering bare minimum access once a user is verified, also known as access scoping.

When you want to create an account with a new SaaS or online service, you might see the ability to "Sign in with Google" or "Sign in with Facebook" rather than create an account with the typical username and password. That SaaS vendor or website relies on OAuth technologies to facilitate account creation and user adoption.

The basic idea behind SAML and Lightweight Directory Access Protocol (LDAP) is the same: They both give you the ability to enable secure user authentication. However, there are some differences.

For example, LDAP was designed to authenticate users on-site, such as in a physical office. But SAML was made to enable authentication over the cloud using cloud-based applications and servers.

Because LDAP is designed for on-premise use, it also requires a physical installation at your office. This can make it a more cumbersome and less convenient solution for some IT teams. SAML may be a better solution if you want to ensure secure authentication practices for your cloud-based assets.

An IAM system provides security because it keeps track of employee activity. IAM tracks employees not only as they enter the network via devices but also as they engage and interact with applications and systems. 

Knowing that employees can access the network but reducing their access to job-specific applications to ensure productivity also reduces the possibility of a security breach. Limiting access to certain applications and data using role-based protocols diminishes the chances of a cyberattacker using brute force to compromise all employees' credentials. If the attacker knows that not everyone has access, then they might reconsider a large-scale attack. 

For advanced visibility of all devices in a network, including Internet-of-Things (IoT) devices, network access control (NAC) provides awareness of all inventory as they enter and connect to the network. NAC goes a step further and can shut off access if the system suspects unauthorized usage.

IT professionals can also use the IAM system to detect any unusual user activity—for example, an extraordinary number of sign-ons in a short time, all in a single remote location. Or the reverse, no sign-ons at all. Rather than wait for employees to bring any issues to IT, the IAM system can track suspicious activity so that the IT team can take action if needed.

Enterprises can benefit from standardization or the use of industry-accepted protocols to enable a more open approach to architecture and identity federation. This reduces the need for the enterprise to invest in engineering and development to create custom IAM solutions. With open architecture and managed identities, employees can access vital SaaS or cloud-based applications seamlessly and securely.

Further, adopting the zero-trust network security model reduces the complexity of an organization's technology stack. The zero-trust model relies on the idea that no one inside or outside the network should be trusted unless their identification has been verified. Zero trust can be carried out with a robust IAM system in place.

Further, SAML authentication improves security by ensuring user credentials never leave the boundary of the firewall. Firewalls defend a network from traffic stemming from environments presumed to be less secure or of unknown security. To gain access to the secure environment, employees or customers must be authenticated before being authorized to utilize resources, including both hardware and software. Firewalls essentially prevent unauthorized users, devices, and applications from entering a protected network.

SAML benefits businesses because it makes it easier for people to connect with services they need, particularly those of your organization. Here are some of the most significant advantages organizations get by using SAML:

1. A better user experience: You may remember what it was like logging in before SAML simplified the process. You probably had dozens of passwords and worried about someone finding where you had written them down. Plus, typing out each password on your phone and making mistakes is frustrating. Thankfully, SAML makes it easier for customers to sign in and shaves several crucial seconds off the authentication process.
2. Tighter security: Identity providers make it their business to enable secure connections. Your business then benefits from the identity providers' efforts if it uses a SAML-based SSO process.
3. A platform-agnostic solution: Because SAML decouples your security from a vendor’s system or specific platform structures, users can log in regardless of the system they’re using or your application structure. This lets you welcome more users without having to adjust your security system.
4. Lower costs: With SAML, your service provider handles account administration. You don’t have to invest time, money, or resources to make sure it remains secure.
5. Less risk for your business: The service provider handles storing sensitive user login information, which reduces the risk of a breach revealing user access credentials.
6. Interoperability: SAML is an open standard, so it can work well with a diverse range of systems, making it a flexible solution for your business.

FortiTrust Identity (FTI) integrates with the Fortinet Security Fabric and gives you a range of security controls, enabling you to manage user authentications from a centralized location. With FTI, you can use multi-factor authentication, go passwordless, and enable SSO functions.