SAML which refers to Security Assertion Markup Language is a standard that defines how providers can offer both authentication and authorisation services.
The Security Assertion Markup Language (SAML), is an open standard which simply allows user credentials to be shared by multiple computers across a network. In other words it allows a device to perform some security (logon) functions on behalf of one or more other computers:
What does Authentication and Autorization mean?
- Authentication: Means the user accessing the system is who they claim to be.
- Authorization: Here the user rights are evaluated to find out if they are permitted to access certain resources
Therefore, SAML refers to the XML variant language used to encode all this information.
Key terms to note while using SAML
– SAML provider?
A Provider is an entity most times specifically a server within a system that helps the user access the services he or she wants. Systems that provide or consume SAML services are generically called service providers. Most widely known service provider is an identity provider.
An identity provider is the entity within the system that makes sure the user really is who they claim to be. This is where User Authentication kicks in and also used to determine the user privilege on the kind of content or resource he or she is allowed to access. Kindly refer online for services that can provide the SAML standard implementation. This is not discussed in this article.
What is a SAML assertion?
A SAML assertion is the XML file by which all the user information discussed above needed for user authentication and authorisation is transmitted from one computer to another. Once an identity provider has determined that you are who you say you are and have the right to access the assigned resources and this SAML assertion is sent to the server that actually can actually provide those services (or resources you wish) to access to you.
Note: A SAML assertion may be encrypted for increased security.
Lets review how SAML works graphically
Here is the sequence of events that happens with single sign-on.
- You try to access the resource on the server, which in SAML terminology is a service provider. The service provider in turn checks to see if you’re already
authenticated within the system. If you are, it skips you to step 7 and if this is not the case, the service provider starts the authentication process.
- The service provider determines the appropriate identity provider for you and redirects you to that provider — in this case, the single sign-on service.
- Your browser sends an authentication request to the SSO service; the service then identifies you.
- The SSO service returns an XHTML document, which includes the authentication information needed by the service provider in a SAMLResponse parameter.
- The SAMLResponse parameter is passed on to the service provider.
- The service provider processes this response and creates a security context for you — basically, it logs you in — and then tells you where your requested resource is.
- With this information, you can now request the resource you’re interested in again.
- The resource is finally returned to you!