SAML (Security Assertion Markup Language)
Single Sign-On, one of the coolest aspect of authentication and authorization making lives easier even without knowing us. Just imagine having to painfully log in to different applications by typing your login information every time. Ever wondered how the Single Sign on efficiently enables you login to Youtube with your Google credentials? Well I wondered and found out a short answer : SAML (Security Assertion Markup Language)
What is SAML?
The Security Assertion Markup Language (SAML) standard defines a framework for exchanging security information between online business partners. It was developed by the Security Services Technical Committee (SSTC) of the standards organization OASIS (the Organization for the Advancement of Structured Information Standards). In non-technical terms it is like your Identity card which you display to enter your company, your security guard checks it once while entering afterwards you can enter any area of your firm without being checked on that particular day. In computing terms you can use one set of credentials to log into many different websites. It’s much simpler to manage one login per user than it is to manage separate logins to different applications.
How does SAML work?
SAML uses Extensible Markup Language (XML) for standardized communications between the identity provider and service providers. SAML is the link between the authentication of a user’s identity and the authorization to use a service. Now what are Identity providers and service providers?
Service provider is any application to which user wants to login which is requestor of authentication.
An identity provider performs the authentication that the end user is who they say they are and sends that data to the service provider along with the user’s access rights for the service.
SAML works by passing information about users, logins, and attributes between the identity provider and service providers. When user logs in a SAML request is generated and sent to Identity provider. The Identity provider then builds an authentication response in form of XML document containing username, email address and other attributes and sends it to Service provider which then facilitates the login of user.
Did you ever notice a string of random characters at the end of a URL? Like below :
The strings are request to be directed to Identity provider which contains information of the service provider. Once you provide your credentials through Identity provider you can access the website requested. Since both of those systems speak the same language — SAML — the user only needs to log in once.
How are these SAML calls secured?
When Identity provider builds authentication response, the users information is digitally signed. In technical terms this is called as encryption in transit. It protects your data if communications are intercepted while data moves between your site and the identity provider or between two services. One of the most popular way of achieving this is by using X.509 certificates. Identity provider signs the SAML authentication response using X.509 certificates and passes this information to service provider. The service provider then validates the authenticated response using certificate fingerprint and intimates the user regarding the same.
X.509 certificates
To secure communications between an IdP and an SP (or vice versa), each entity needs a key pair:
– for authenticating/signing SAML messages
– for encrypting SAML messages
X.509 is a standardized, ubiquitous format for publickey data structures, so it’s convenient for use as a container for public keys in the SAML world. These certificates are the trust anchors. They allow you to verify signatures and therefore establish trust in the messages that have been exchanged. When the SP gets a SAML response from the IdP via the browser, it must verify that the signature it gets comes from an IdP it knows and what signed using the IdP’s private key; this signature can be verified against the IdP’s public key in the certificate configured in the metadata.
Some intresting articles which made me understand SAML :
https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf