SAML is an abbreviation for Security Assertion Markup Language. SAML’s key benefit is that it provides single sign-on (SSO) for web services and applications. SAML is an open standard that enables web browser single sign-on through the exchange of an assertion between an Identity Provider and a Service Provider. It describes a framework that allows one computer to perform security functions, such as authentication and authorization, on behalf of one or more other computers.
The terms used in SAML are –
Assertion – An XML document passed between the Service Provider and the Identity Provider.
Assertion Consumer Service (ACS) – The endpoint within the SP to which the IdP sends the SAML Response carrying the assertion.
Attribute – A piece of information about a user that is carried within an assertion.
Identity Provider (IdP) – A trusted entity that provides authentication services to the SP on behalf of the user principal.
Issuer – A unique identifier string; the value configured in the IdP and in the SP must match.
SAML Request – A request message that the SP sends to the IdP asking it to authenticate the user.
SAML Response – An assertion that the IdP sends to the SP for an authenticated user.
Service Provider (SP) – The web application that the user wants to access.
Below is the step-by-step process SAML follows to authenticate a user –
- The user tries to access the application or web service (the Service Provider). The SP checks whether the user is already authenticated within the system. If so, the content is made available to the user directly. If not, the SP starts the authentication process.
- The SP determines the appropriate Identity Provider and redirects the user's request to that provider, i.e. to its single sign-on (SSO) service.
- The user's browser sends an authentication request to the SSO service.
- The SSO service returns a response that includes the authentication information needed by the SP, carried in a SAMLResponse parameter.
- The SAMLResponse parameter is passed on to the SP.
- The SP processes this response, logs the user in, and tells the browser where the requested resource is.
- The user can now request the resource they want.
- The resource is finally returned.
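The SP-side step of processing the SAMLResponse is where most of the security work happens. The following is an added example, not code from the original article: it decodes a constructed, unsigned sample Response and applies the checks an SP must make before trusting it (InResponseTo and Destination match our own request and ACS, Status is Success, exactly one Assertion from the trusted Issuer, validity window, Audience, and the bearer SubjectConfirmationData). The IdP and SP URLs are hypothetical, and the code assumes the XML signature was verified beforehand by a separate step.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET  # for untrusted XML in production, parse with defusedxml instead
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical SP configuration: the IdP we trust and the URLs that identify this SP.
IDP_ISSUER = "https://idp.example.com"
SP_ENTITY_ID = "https://sp.example.com"
SP_ACS = "https://sp.example.com/acs"
# Constructed sample Response (unsigned here; a real IdP signs it). Values match the SP config above.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42"
 Destination="https://sp.example.com/acs"><saml:Issuer>https://idp.example.com</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="https://sp.example.com/acs"
     NotOnOrAfter="2024-01-01T00:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2023-12-31T23:55:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()  # as carried in the SAMLResponse parameter

def utc_time(ts):
    return dt.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def validate_saml_response(saml_response_b64, request_id, now):
    """Return the asserted NameID if the Response passes the SP-side checks, else raise ValueError.
    Assumes the XML signature over the Response/Assertion was already verified against the IdP key."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    if root.get("InResponseTo") != request_id or root.get("Destination") != SP_ACS:
        raise ValueError("Response does not answer our SAML Request at our ACS")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1 or assertions[0].findtext("saml:Issuer", namespaces=NS) != IDP_ISSUER:
        raise ValueError("expected exactly one Assertion issued by the trusted IdP")
    cond = assertions[0].find("saml:Conditions", NS)
    if cond is None or not (utc_time(cond.get("NotBefore")) <= now < utc_time(cond.get("NotOnOrAfter"))):
        raise ValueError("Assertion is outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("Assertion was not issued for this SP (Audience)")
    scd = assertions[0].find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS or scd.get("InResponseTo") != request_id:
        raise ValueError("bearer SubjectConfirmationData does not bind to this request")
    return assertions[0].findtext("saml:Subject/saml:NameID", namespaces=NS)
```

The same Response is rejected if it is replayed against a different request id or presented after its NotOnOrAfter time, which is why an SP must remember the ids of the requests it issued.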
Below are the SAML versions released over time –
- SAML 1.0 was adopted in November 2002
- SAML 1.1 was ratified in September 2003
- SAML 2.0 became an OASIS Standard in March 2005