
How SAML works

The CIA Triad is the heart of information security. Let's look at how SAML provides a secure way of maintaining it.

The triad, Confidentiality, Integrity and Availability, names the properties an organization must protect and maintain. Authentication and authorization are the controls used to maintain it.

For example, verifying who a user is (authentication) and then checking that this user is permitted to read a particular resource (authorization) maintains the confidentiality of that resource; applying the same two checks before allowing a modification protects its integrity. A user typically needs many resources (or services) in a day, and going through a separate authentication and authorization process with each one is tiresome and insecure at the same time: every extra password is another credential to manage, reuse and phish. This is where SAML, the Security Assertion Markup Language, comes in, providing a secure way of authenticating once and reusing the result.

SAML is an open, XML-based standard used between parties (particularly service providers and identity providers) to exchange authentication and authorization details about a principal, or subject, who wants to access a particular service provider.

The three parties involved in this SSO (single sign-on) authentication process are:

  • Principal/Subject/Users (Who want to access the SP)
  • Service Provider (Provides services)
  • Identity Provider (Authenticates the user)

A service provider (SP) is a federation partner that provides services to the user. An identity provider (IdP) provides the service of identifying, that is authenticating, the user. The user is the human or non-human identity requesting access to the resource.

How does the protocol work?

The "token", the proof of the principal's identity, is a SAML assertion: an XML document issued and digitally signed by the IdP that carries authentication statements (how and when the subject authenticated), attribute statements (for example name, e-mail address or group memberships) and, optionally, authorization decision statements. The SP verifies the IdP's signature on the assertion and uses its statements to decide whether to grant access.

The steps:

  1. The user agent (browser) requests the target resource at the SP.
  2. The SP determines which IdP to use and redirects the browser to the IdP's SSO service with a SAML AuthnRequest in the URL (deflate-compressed, base64- and URL-encoded).
  3. The browser follows the redirect, issuing a GET to the SSO service; the IdP identifies the user, prompting for credentials (and a second factor, if configured) unless an IdP session already exists.
  4. The IdP returns an XHTML form whose hidden field carries the base64-encoded SAML Response, with the signed assertion inside it; the form submits itself.
  5. The browser POSTs the SAML Response to the assertion consumer service (ACS) at the SP.
  6. The ACS validates the response (IdP signature, issuer, audience, validity window and the ID of the request it answers), creates a local session and redirects the browser to the resource (login done).
  7. The browser requests the specific target resource again (a particular page or document), now with its session cookie.
  8. The SP serves the resource in response to the user agent's request.

Figure 1: the SP-initiated SSO flow listed above (image not reproduced here)

Figure 2: the same flow with a deep link to the requested resource (image not reproduced here)

Figure 1 shows the typical scenario discussed above. Figure 2 adds deep linking: the SP carries an identifier for the originally requested resource through the exchange, in the redirect URL sent to the IdP and back in the POST to the assertion consumer, so that once the assertion has been processed the user is sent straight to that resource. This removes the second request for the target (step 7) and also lets the SP and the IdP correlate each response with the request that triggered it.
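As an added example, not part of the original page or of any vendor's product, the Python below walks both legs of the exchange listed in the steps above: it builds the AuthnRequest and encodes it for the HTTP-Redirect binding (step 2), decodes it the way the IdP's SSO service would (step 3), and then validates a constructed IdP Response at the SP's assertion consumer (steps 5 and 6). The RelayState parameter it carries alongside the request is the deep link discussed under Figure 2. The entity IDs, URLs, request ID, clock, user and attributes are all hypothetical. It uses only the standard library, so the XML signature is a placeholder that is checked for presence only; a real SP must verify it with an XML-DSig library (xmlsec, or a SAML toolkit built on it) against the certificate in the IdP's metadata, and should parse untrusted XML with a hardened parser.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, urlparse, parse_qs

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical federation partners, plus a constructed request ID and clock.
SP_ENTITY_ID = "https://sp.example.com/metadata"
ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
IDP_SSO_URL = "https://idp.example.com/sso"
REQUEST_ID = "_8e3c1f0a2b4d"           # a real SP draws a fresh random ID per request
DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

def ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_authn_request(request_id, now):
    """Step 2: the SP's AuthnRequest, naming itself as Issuer and its ACS as the reply address."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{ts(now)}" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def redirect_url(authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode. RelayState carries the deep link."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)          # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return f"{IDP_SSO_URL}?{urlencode(query)}"

def decode_redirect_url(url):
    """Step 3: what the IdP's SSO service does with the GET it receives."""
    q = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()
    return xml, q["RelayState"][0]

def sample_response(now, audience=SP_ENTITY_ID, in_response_to=REQUEST_ID):
    """Constructed IdP Response for the HTTP-POST binding (step 4). The ds:Signature is a
    placeholder; a real IdP signs the assertion and the SP verifies it with an XML-DSig library."""
    not_after = ts(now + timedelta(minutes=5))
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'xmlns:ds="{NS["ds"]}" ID="_r1" Version="2.0" IssueInstant="{ts(now)}" '
           f'Destination="{ACS_URL}" InResponseTo="{in_response_to}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{ts(now)}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
           f'<saml:Subject><saml:NameID>alice@example.com</saml:NameID>'
           f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           f'<saml:SubjectConfirmationData InResponseTo="{in_response_to}" '
           f'Recipient="{ACS_URL}" NotOnOrAfter="{not_after}"/>'
           f'</saml:SubjectConfirmation></saml:Subject>'
           f'<saml:Conditions NotBefore="{ts(now - timedelta(minutes=1))}" NotOnOrAfter="{not_after}">'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AuthnStatement AuthnInstant="{ts(now)}"/>'
           f'<saml:AttributeStatement><saml:Attribute Name="role">'
           f'<saml:AttributeValue>editor</saml:AttributeValue></saml:Attribute>'
           f'</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def validate_response(saml_response_b64, expected_request_id, now):
    """Steps 5-6: what the ACS must check before it creates a session. Signature
    verification belongs right after the presence check and is out of scope here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f'{{{NS["samlp"]}}}Response':
        raise ValueError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Response was addressed to a different ACS")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")      # refuse ambiguous input
    a = assertions[0]
    if a.find("ds:Signature", NS) is None:
        raise ValueError("assertion is unsigned")               # verify it here in real code
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion issued by an unexpected IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")    # blocks replay of old assertions
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was issued for a different SP")  # blocks cross-SP reuse
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected_request_id or scd.get("Recipient") != ACS_URL:
        raise ValueError("subject confirmation does not match the request we issued")
    attrs = {att.get("Name"): [v.text for v in att.findall("saml:AttributeValue", NS)]
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}

if __name__ == "__main__":
    url = redirect_url(build_authn_request(REQUEST_ID, DEMO_NOW), "/docs/report.pdf")
    print(decode_redirect_url(url))
    print(validate_response(sample_response(DEMO_NOW), REQUEST_ID, DEMO_NOW))
```

The audience, validity-window and InResponseTo checks are the ones that matter in practice: a correctly signed assertion that the IdP minted for a different SP, or one captured and replayed later, or one the SP never asked for, all fail validation before any session is created.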

How can we help?

SSO must balance ease of use against the security and privacy of the user. It simplifies credential management while reducing security risks for your customers, vendors and partner entities. SAML is one of the key ways to implement SSO in your organization.

The advantages come with concerns of their own. Many vendors offer SAML-based SSO, and their products differ in architecture and in the version of the protocol they support. We can help you analyze the solutions on the market and choose the one that best fits your needs. With our seasoned professionals, we can also help you implement and operate a robust and resilient solution.

Having a team of professionals like ours by your side will help keep your organization's security intact and current, so that you can protect your customers' privacy as well as the confidentiality of your organization's assets.

– Authored by Gayatri Priyadarshini
