How SAML 2.0 authentication works?Devendra Nationalwala | 05 Sept 2023 |
SAML, short for Security Assertion Markup Language, plays a vital role in enhancing online security. It empowers users to access various web applications using a single set of login credentials. This functionality operates by transmitting authentication data in a specific format between two entities, typically involving an identity provider (idP) and a web application.
SAML, an acronym for Security Assertion Markup Language, stands as a widely adopted standard in the realm of authentication. This protocol, rooted in the Extensible Markup Language (XML) format, serves as the bridge for the secure exchange of authentication data between two integral entities: the identity provider (IdP) and the service provider (SP).
Born out of the technology industry's need to simplify the intricate process of user authentication, particularly when accessing numerous, independent web applications across diverse domains, SAML has played a pivotal role. In the days preceding SAML, the concept of single sign-on (SSO) existed but relied heavily on cookies that functioned only within the confines of a single domain. SAML addresses this challenge by centralizing user authentication under the purview of an identity provider. Subsequently, web applications can tap into the power of SAML through the identity provider, granting seamless access to their users. This approach to SAML authentication essentially liberates users from the burdensome task of juggling multiple usernames and passwords. Moreover, it offers significant advantages to service providers by enhancing the security of their platforms. This is primarily achieved by sidestepping the need to store passwords, which are often susceptible to weakness and insecurity, and by mitigating the challenges associated with forgotten passwords.
SAML has gained widespread popularity in enterprise settings due to its numerous advantages. One noteworthy benefit is its enhancement of user convenience by allowing a single sign-in to access multiple web applications. This streamlines the authentication process, sparing users the need to recall multiple sets of credentials and reducing the volume of Help Desk inquiries related to password resets.
Moreover, SAML contributes significantly to bolstering security. This stems from the fact that the identity provider holds all login information, negating the necessity for service providers to store user credentials on their own systems. Additionally, identity providers specialize in delivering secure SAML authentication and can allocate ample time and resources to implementing robust security measures. Notably, identity providers often incorporate advanced features like multi-factor authentication (MFA) into their offerings, fortifying defenses against common password-based attacks.
SAML operates by facilitating the exchange of user data, encompassing login details, authentication status, unique identifiers, and other pertinent attributes, between the identity provider and the service provider. This process streamlines and bolsters authentication by necessitating only a single login using a sole set of authentication credentials. To illustrate this concept more vividly, let's draw a comparison with a real-life scenario.
SAML single sign-on authentication typically involves a service provider and an identity provider. The process flow usually involves the trust establishment and authentication flow stages.
Consider this example:
Note: The identity provider could be any identity management platform.
Now, a user is trying to gain access to AWS using AWS authentication.
This is the process flow:
Here's a glossary of these parameters in the SAML request and response: