What is SAML?

80% of data breaches are caused by stolen credentials. Learn how to prevent identity theft within your organization by integrating the SAML open standard for more secure authentication.

What is SAML?

SAML stands for Security Assertion Markup Language, an open standard for exchanging authentication and authorization data between Identity Providers (IdPs) and Service Providers (SPs).

The aim of SAML is to enable enterprises using application service providers (ASPs) or c by those ASPs.

Over 80% of data breaches are caused by stolen credentials. Brute force attacks rely on a trial and error method to crack passwords. Even more concerning is the fact that a hacker can attempt 2.18 trillion password/username combinations in less than 22 seconds. 

SAML can help prevent those attacks.  

SAML is an XML-based authentication protocol for web services, including single sign-on (SSO) capabilities. By using SAML, service providers and enterprises can exchange user identity and sign-on information without sharing passwords or installing additional client software, both of which can lead to massive data breaches.

The SAML protocol provides an open, scalable framework for developing web SSO applications and helps keep your identity secured.

SAML focuses on authenticating users across security domains by exchanging eXtensible Markup Language (XML) messages over the internet. It is a standard from the OASIS organization, which has recently released version 2.0 of SAML for public review. SAML authentication includes features that support strong client-based authentication and enables easy integration with legacy applications that do not provide any authentication mechanism.

How Does SAML Work?

The web browser sends an HTTP request to the SP (Service Provider). If the user is already authenticated with the Service Provider, authentication works exactly like any other web SSO. Otherwise, the SAML request will be redirected by the Service Provider to the Identity Provider (IdP) for authentication.

After a user has been authenticated by the IdP, the IdP sends a SAML token containing a subject confirmation to the service provider, which uses that token to authenticate the user to the SP's services.

The end user is then redirected back to the service provider. Once authenticated, the user may now log in and access their account. If a user enters any incorrect information, the authentication process will not work and they will receive an error message. 

Some of the most common error messages are:

  • Incorrect Identity Provider Issuer
  • Could not validate SAML assertion
  • Attribute not properly mapped
  • The SAML response format is invalid 
  • Internal errors 

If you receive a message with any of the error messages listed above, either retry after a few seconds or contact your local administrator to help resolve the issues.

What is SAML Authentication?

SAML authentication is a process of authorizing users to access applications. So, how does SAML authentication work?

A user first obtains a SAML token from an identity provider describing the user’s current authentication state. The SAML token is then sent to a service provider which uses this token as proof of the user’s identity in order to authorize access to an application.

What are the steps in the SAML authentication process? Here is a step-by-step guide. 

1. A user requests access to an application hosted by a service provider. The service provider’s web server sends a request to the Identity Provider for authentication and authorization of that particular user.

2. The user provides his credentials to the identity provider, and the identity provider authenticates the user.

3. The identity provider then sends a SAML authentication request to the service provider, which includes all relevant user information in the form of a SAML token.

4. A SAML assertion is sent from the service provider to the Identity Provider with a SAML assertion containing all relevant authentication and authorization data for this user.

5. The Identity Provider validates the SAML token from the service provider, and then sends a response back to the SP with its validation response.

6. If the Identity Provider’s validation response is successful, then the service provider grants access to the user for this application.

An important use of SAML authentication involves single sign-on (SSO). When a user logs into the Identity Provider once, that user can then access any service provider without needing to provide his credentials again. This is because the Identity Provider knows which service providers the user has access to and will send SAML tokens with relevant permissions for each of them.

What is a SAML Provider?

A SAML provider is a web application or service that runs on one or more servers and handles the processing of SAML assertions.

There are two types of SAML providers:

1) Service Provider (SP): This entity sends authentication requests to identity providers for user authentication.

2) Identity Provider (IdP): A SAML Identity Provider offers web-based authentication services to users and systems on the network.

What is a SAML Assertion?

A SAML assertion is the document exchanged between an Identity Provider (IdP) and a Service Provider (SP) which contains the user’s authentication data. The IdP holds the authentication data, while the SP needs to know who is attempting to access its service. This is achieved by using XML messages containing claims about a user’s identity.

A SAML assertion contains three separate statements, the "3 A’s":

  • Authentication: The first step in the SAML assertion process involves validating the user’s identification and determining the method of authentication
  • Attribution: The second step, where attributes or specific pieces of data such as a username or country are passed to the SP
  • Authorization: The final part of the SAML assertion states whether the user is permitted or denied to use the service.

The SAML assertion consists of information about the user, such as their email address or username, that can be validated by either party to establish trust. One of the most common uses of SAML assertions is SSO across different enterprise applications using a trusted IdP. 
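The following is an added example (not code from the original article or from Perimeter 81) showing, in Python's standard library, what an SP actually inspects in an assertion: the three statement types described above, plus the issuer, audience and validity-window checks whose failures produce the "Incorrect Identity Provider Issuer" and "Could not validate SAML assertion" errors listed earlier. The assertion, the IdP and SP URLs and the timestamps are constructed sample values; it is assumed the XML signature has already been verified by a proper SAML library, since none of these checks mean anything against a forged assertion without that step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not a real IdP's output): one statement of each kind.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T11:59:30Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="country"><saml:AttributeValue>US</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://sp.example.com/app" Decision="Permit"/>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC ISO 8601 with a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_assertion(xml_text, expected_issuer, expected_audience, now_iso):
    """Checks an SP makes before trusting an (already signature-verified)
    assertion. Returns (ok, reason) using the error wording from the article."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "Incorrect Identity Provider Issuer"
    cond = root.find("saml:Conditions", NS)
    if cond is None or root.find("saml:AuthnStatement", NS) is None:
        return False, "Could not validate SAML assertion: missing Conditions/AuthnStatement"
    now = _ts(now_iso)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "Could not validate SAML assertion: outside validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:  # assertion was issued for a different SP
        return False, "Could not validate SAML assertion: audience mismatch"
    return True, "ok"

def extract_attributes(xml_text):
    """Attribute statement: name -> value, the data the SP maps onto its own user fields."""
    return {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
            for a in ET.fromstring(xml_text).findall("saml:AttributeStatement/saml:Attribute", NS)}

def authz_decision(xml_text):
    """Authorization statement: 'Permit', 'Deny', 'Indeterminate', or None if absent."""
    stmt = ET.fromstring(xml_text).find("saml:AuthzDecisionStatement", NS)
    return None if stmt is None else stmt.get("Decision")
```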

This type of authentication has nothing to do with authorization; users could still be granted different access roles in each application even though they’re authenticated through one shared IdP, similar to how Zero Trust Network Access authentication works. 

For SSO to work, SPs must share a common trust root with the IdP; this usually requires quite some administrative effort but it’s worth it if you want your customers (and employees) to feel like they’re a part of a single enterprise instead of just several different applications that happen to be using the same cloud computing service provider.

SAML vs. OAuth: What Are The Differences?

OAuth is an open standard whereas SAML is controlled by a consortium. OAuth tokens are limited in range since they have to be exchanged for every request between the client and server, but SAML assertions can be cached or stored on behalf of the user.

Other key differences are that OAuth doesn’t place any limitations on the type of attributes passed around or how they are to be used, whereas SAML restricts what types of information can be exchanged. OAuth is primarily focused on user authentication, but SAML focuses more on protecting web services and can use bindings such as HTTP-Redirect and HTTP-POST.

OAuth doesn’t define the format of the token, SAML does. OAuth is not tied to any specific identity provider whereas SAML is focused on security domains (IdPs).

So, which standard is better? If you run a large-scale enterprise, you might be better off with SAML, as it improves the user experience (UX) and requires only a single sign-in. The authentication process is more secure overall.

Both OAuth and SAML can be used together with SSO authentication to access sensitive company resources.

SAML Authentication: Pros and Cons

Pros:

  • Tighter Security Control – SAML offers a higher level of security, as it acts as a single point of authentication, reducing the chance of an identity breach.
  • Improved User Experience with SSO – SAML allows users to sign in once and automatically remain signed in when they access any other apps or services.
  • No Loose Coupling of Directories – Loose coupling is when several components of a system or network are linked together. SAML does not require user information to be kept and synchronized between multiple directories.

Cons:

  • Password Storage – If you store the user passwords in your database instead of using SAML, you will need to find a way to keep those passwords secure. Otherwise, if attackers managed to gain access, they could sign in as any of the users whose passwords they know. With SAML, keeping the user passwords secure is your identity provider’s responsibility.
  • IdP-Initiated SSO – What seems like a convenience for employees can turn into a nightmare if an attacker intercepts the SAML assertion. This can occur as a result of IdP-Initiated SSO since the SSO process involves an authenticated user clicking a button in the IdP. This can create a potential Man-in-the-Middle attack scenario. 

SAML provides a wide range of benefits when it comes to secure web application authentication.

Identity Management Made Simple with Perimeter 81

Identity management should be at the cornerstone of any business. Perimeter 81 simplifies the authentication process by leveraging SSO and SAML 2.0 for secure identity management of company resources from anywhere in the world.  

Don’t take any chances with weak or unprotected passwords. Set and define user permissions either on an individual or group basis with Perimeter 81’s IdP integrations. See how simple it is for yourself. 

ZTNA vs VPN FAQ

What is the difference between SSO and SAML?
Single Sign-On (SSO) is an authentication process that occurs once. SAML authentication occurs by transferring the user’s identity from the Identity Provider to another Service Provider.
What is SAML authentication?
Security Assertion Markup Language (SAML) authentication is an open standard that exchanges user information and other attributes with an Identity and Service Provider.
What is a SAML assertion?
SAML assertions are the statements containing all information about a user which the IdP sends to the Service Provider, enabling access to multiple web applications from a single set of login credentials.
What is a SAML example?
IdP-initiated SSO in which a user clicks a button in the Identity Provider and is transferred to the Service Provider along with a SAML response and assertion.
