
[IAM] Explaining Security Assertion Markup Language ( SAML 2.0 )

What is SAML?

Security Assertion Markup Language (SAML) is an open standard federation protocol.

  • SAML was introduced in 2001
  • SAML 2.0 superseded SAML in 2005

The SAML protocol is used for authentication (AuthN) and authorization (AuthZ), and is often used for single sign-on (SSO) to web-based applications.

The SAML specification defines three entities or roles:

  1. The principal: typically a human user or a user agent, such as the user’s web browser
  2. Identity Provider (IdP)
  3. Service Provider (SP): the application or service you are trying to access

A SAML federation (a trust relationship) must be established between the SP and the IdP for SAML to work.

How SAML works

  1. The user requests access to the SP.
  2. The SP requires the user to first authenticate with the IdP.
    1. Once the user is successfully authenticated, the IdP generates a SAML assertion.
    2. The SAML assertion is then sent to the SP (the trusted party).
  3. Based on the SAML assertion, the SP makes an access control decision about whether to perform the service for the user.
    1. Since the SP trusts the IdP, it validates the assertion.
    2. Once authenticated to the IdP, the user can SSO to other applications.

SAML flow:

  • The IdP knows about your users and their attributes. The SP has its own knowledge about the users.
  • When the IdP generates an assertion, it populates it with a user identifier (UID) and sends it over to the SP.
    • The IdP signs the assertion, so the SP can verify the issuer of the assertion (the trusted party).
  • If successful, the SP reads the UID and attempts to map the session to the user in its inventory.
    • The exchange of IdP and SP metadata (an XML file) establishes the trust, or federation.
    • The metadata is contained in the XML file (settings, configuration, and the certificate of the system).
    • The IdP dictates the UID and the SP must agree, so that the SAML assertion can be mapped to a user object at the SP.
      • For example, if the email address is used as the user ID, the SP and IdP must be configured to match on it to allow access.
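The SP-side checks described above (trusted issuer, assertion addressed to this SP and still valid, UID mapped to the SP’s own user inventory), as an added example that is not part of the original post. Cryptographic verification of the IdP’s XML signature is assumed to have already passed before these checks (it needs an XML-DSig library such as xmlsec and is not shown); the entity IDs, the user inventory and the assertion are constructed for illustration.

```python
# Added example, not from the original post. Cryptographic verification of the
# IdP's XML signature is assumed to have already passed (it needs an XML-DSig
# library such as xmlsec); entity IDs, inventory and assertion are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values the SP took from the metadata exchange that set up the federation.
TRUSTED_IDP = "https://idp.example.org/metadata"
SP_ENTITY_ID = "https://sp.example.com/metadata"
# The SP's own user inventory, keyed by email (the UID the IdP and SP agreed on).
USER_INVENTORY = {"alice@example.com": {"id": 42, "role": "analyst"}}

# A constructed assertion as the IdP would send it to the SP via the user agent.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def map_assertion_to_user(xml_text, now_utc):
    """Validate an assertion and map its UID to an SP user. Returns (user, reason)."""
    root = ET.fromstring(xml_text)
    now = parse_time(now_utc)
    # 1. The issuer must be the IdP this SP federated with.
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        return None, "untrusted issuer"
    cond = root.find("saml:Conditions", NS)
    # 2. The assertion must be used inside its validity window.
    if now < parse_time(cond.get("NotBefore")) or now >= parse_time(cond.get("NotOnOrAfter")):
        return None, "assertion expired or not yet valid"
    # 3. The assertion must be addressed to this SP, not to another SP in the federation.
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return None, "audience mismatch"
    # 4. Read the UID (NameID) and map it to a user object in the SP inventory.
    user = USER_INVENTORY.get(root.findtext("saml:Subject/saml:NameID", namespaces=NS))
    return (user, "ok") if user else (None, "unknown user")
```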

SAML initiation flow:

There are two primary SAML initiation flows:

  1. IdP-initiated flow
    1. The user starts by accessing the IdP.
    2. The IdP prompts the user for authentication via the user agent in order to request the service.
    3. If authorized, the IdP creates a SAML assertion.
    4. Via the user agent, the assertion is sent to the SP in an HTTP POST message (the transport mechanism).
    5. The SP verifies the SAML assertion and maps it to a user in its inventory.
    6. The SP then starts the session.
  2. SP-initiated flow
    1. The user starts by reaching out to the SP.
    2. The SP redirects the user agent to the IdP for authentication (an authentication request).
    3. Once the user is validated, the IdP generates the assertion.
    4. The IdP sends the assertion to the SP (IdP > user agent > SP).
    5. The SP then starts the session.