What is SAML?
- Thushanthan Amalanathan
- Software Engineer - WSO2
Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) based on the open security standard framework for authentication and authorization across two different systems, Service providers and identity providers.
Why do we Need SAML?
As shown in Figure 1, suppose a user has a requirement to access some web services. Each web service has its own process to manage identity providers and user access or authentication. This means users need to maintain and memorize many login credentials to access their preferred web services. As the user works with different URLs, it allows hackers to conduct phishing attacks. On the other hand, each web service needs to maintain user information on its own server and take more security initiatives to secure user information and to conduct user authentication. This causes the user’s personally identifiable information to be duplicated in many places.
If we introduce a common identity provider on behalf of all web applications, these problems can be rectified. In Figure 2, there is only one service provider and one place for authentication (WSO2 Identity Server), meaning there is no need for users to maintain and memorize many credentials as their identity information is stored in one place. This allows for fewer phishing attacks as users need to verify only one URL and eases security efforts of web service vendors. Here, SAML helps service providers to communicate with identity providers for user authentication and user authorization processes, helping to pass the authentication information, user-related attributes, and entitlement issues.
What is a SAML Provider?
A SAML provider is a system that helps users to gain access to services they need. The most common SAML providers are service providers and identity providers. Let us explore their roles.
- Service Provider: A system that provides SAML services
- Identity Provider: This identifies and authenticates users. At the same time, it sends the authentication response with the access rights of a user to the service provider.
What are SAML Assertions?
A SAML Assertion is an XML document that contains information on whether the user has rights to access the service, user identification, the time the user locked in, the authentication method used, and other user information. In general, SAML Assertions are sent by identity providers to service providers.
What is SAML based Single-Sign-On and Single-Log-Out?
A SAML helps you enable Single-Sign-On (SSO) and Single-Log-Out (SLO) between service providers and identity providers. This feature is provided by WSO2 Identity Server, and the following sections explore these in greater detail.
1. SAML Based Service Provider Initiated Single-Sign-On (SSO) Flow
- Step1: The user requests for a service from the service provider
- Step2: The service provider creates a login request (SAML request)
- Step3: The created message (payload which contains the service provider name) passes through the User Agent (browser) from the service provider to the identity provider
- Step4: The identity provider identifies the principals and authenticates the user
- Step5: After authentication, the identity provider sends the response message (SAML response) to the service provider through the User Agent which includes the authenticated user, requested attribute, etc.
- Step6: Based on the identity provider response, the service provider gives the service to the end user (if authentication fails then it returns an error message, whereas if the authentication succeeds it creates an application session)
The above figure provides an explanation of how the flow takes place.
2. SAML based Identity Provider Initiated Single Sign on (SSO) Flow
- Step1: The user directly calls the identity provider endpoint with the service provider name
- Step2: The identity provider identifies the principals and authenticate the user
- Step3: After identification, the identity provider sends the response message (SAML response) to the service provider through the User Agent which includes the authenticated user, requested attribute, etc
- Step4: Based on the Identity provider's response the service provider gives the service to the end user (if authentication fails then it returns an error message, whereas if it succeeds it creates an application session)
The above figure provides an explanation of how the flow takes place.
3. SAML Based Service Provider Initiated SLO Flow
- Step1: The session participant (e.g.: Salesforce) sends the logout request (SAML request) with the session index (this session index comes from the IDP response in the SSO flow)
- Step2: Using the session index, the identity provider identifies the available session participants that are logged-in with the same session index
- Step3: The identity provider sends the logout request (SAML request) to one of the available session participants
- Step4: The session participant returns the logout response (SAML response) to the identity provider
- Step5: Finally, the identity provider sends the logged out response (SAML response) to the original session participant
The above figure provides an explanation of how the flow takes place.
Note: Steps 3 and 4 are repeated until all available session participants identified by the identity provider are logged out..
4. SAML based Identity Provider Initiated SLO Flow
- Step1: The user directly calls the identity provider endpoint with the session index
- Step2: Using the session index, the identity provider identifies the available session participants that are logged-in with the same session index
- Step3: The identity provider sends the logout request (SAML request) to one of the available session participants
- Step4: The session participant returns the logout response (SAML response) to the identity provider
The above figure provides an explanation of how the flow takes place.
Steps 3 and 4 repeats until all available session participants identified by the identity provider are logged out.
Conclusion
As shown in the earlier sections, WSO2 Identity Server supports Security Assertion Markup Language (SAML) and is optimized for identity federation and SSO with comprehensive support for adaptive and strong authentication. Please visit the product page for further information.
You can try out tutorials with WSO2 Identity Serverhere.