Home
Single sign-on (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials.
- Eliminates multiple sets of credentials, repeated reauthentication and the related help desk requests.
- Improves compliance and security capabilities.
- Provides detailed user access reporting.
Security Assertion Markup Language (SAML) is an XML-based framework for authentication and authorization between two entities: a Service Provider and an Identity Provider. The Service Provider agrees to trust the Identity Provider to authenticate users. In return, the Identity Provider generates an authentication assertion, which indicates that a user has been authenticated.
SAML is a standard single sign-on (SSO) format. Authentication information is exchanged through digitally signed XML documents. It's a complex single sign-on (SSO) implementation that enables seamless authentication, mostly between businesses and enterprises.
With SAML, you don't have to worry about typing in authentication credentials or remembering and resetting passwords.
- SAML is a standard format that allows seamless interoperability between applications, independent of implementation. It takes away the common problems associated with vendor and platform-specific architecture and implementation.
- Users can access multiple applications by signing in just once, without additional authentication, allowing for a faster and better experience at each application. This eliminates password issues such as reset and recovery.
- Security is a key aspect of software development, and when it comes to enterprise applications, it is extremely important. SAML provides a single point of authentication, which happens at a secure identity provider. Then, SAML transfers the identity to service providers. This form of authentication ensures that credentials don't leave the firewall boundary.
- SAML doesn't require user information to be maintained and synchronized between directories.
- With SAML, you don't have to maintain user account information across multiple applications. The identity provider bears this burden.
| SSO considerations | Preferences |
|---|---|
| Scope of user credentials (IdP) | Should be all users. |
| Type of connection | Both IdP-initiated and SP-initiated. |
| Expected NameID value format | Supports EMAIL, TRANSIENT, PERSISTENT and UNSPECIFIED; default: EMAIL. |
| Expected attributes | Configurable. |
Here’s a visualization of a typical SAML transaction between a service provider and an identity provider.
1. The user tries to access a resource on the server, which in SAML terminology is the service provider. The service provider checks whether you are already authenticated within the system. If you are, skip to step 7; if not, the service provider starts the authentication process.
2. The service provider determines the appropriate identity provider for you and redirects you to that provider.
3. Your browser sends an authentication request to the SSO service; the service then identifies you.
4. The SSO service returns an XHTML document, which includes the authentication information needed by the service provider in a SAMLResponse parameter.
5. The SAMLResponse parameter is passed on to the service provider.
6. The service provider processes this response and creates a security context for you: basically, it logs you in and then tells you where your requested resource is.
7. With this information, you can now request the resource you're interested in again.
8. The resource is finally returned to you.
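Step 6 is where the service provider must decide whether to trust the SAMLResponse it received. The following is an added example, not code from this wiki, of the checks an SP performs after the XML signature has been verified by an XML-DSig library (signature verification itself is not shown, and the sample response, entity ID and request ID are constructed for illustration): the InResponseTo binding to the SP-initiated AuthnRequest, the Status code, the Conditions time window, the AudienceRestriction, and the NameID format against the formats listed in the table above.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# NameID formats from the preferences table above, mapped to their SAML URIs.
NAMEID_FORMATS = {
    "EMAIL": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "TRANSIENT": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "PERSISTENT": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "UNSPECIFIED": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

def _ts(value):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(saml_response_b64, sp_entity_id, expected_request_id, now):
    """SP-side checks on a SAMLResponse whose signature was already verified (XML-DSig not shown);
    returns (NameID, format name) or raises ValueError."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.get("InResponseTo") != expected_request_id:  # must match the AuthnRequest ID we issued
        raise ValueError("InResponseTo mismatch")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise ValueError("missing Assertion or Conditions")
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    if sp_entity_id not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion is not addressed to this service provider")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format", NAMEID_FORMATS["UNSPECIFIED"]) if nameid is not None else None
    names = [k for k, v in NAMEID_FORMATS.items() if v == fmt]
    if not names:
        raise ValueError("missing NameID or unsupported format: %s" % fmt)
    return nameid.text, names[0]

# Constructed sample response (no real IdP); the ds:Signature element is omitted since it is assumed verified.
SAMPLE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42" Version="2.0">
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2019-01-01T00:00:00Z" NotOnOrAfter="2019-01-01T00:05:00Z"><saml:AudienceRestriction><saml:Audience>https://sp.example.com/sp</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion></samlp:Response>""")

def check_sample(minute):  # validate SAMPLE as seen by the SP at 2019-01-01T00:<minute>:00Z
    now = datetime(2019, 1, 1, 0, minute, tzinfo=timezone.utc)
    return validate_response(SAMPLE, "https://sp.example.com/sp", "_req42", now)
```

Calling `check_sample(1)` inside the assertion's five-minute window returns the e-mail NameID, while `check_sample(5)` is rejected as expired; a production SP also needs a hardened XML parser and replay tracking of assertion IDs.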
Ranjith Manickam | www.ranmanic.in @ 2019