SAML (Security Assertion Markup Language) is an open, XML-based standard for exchanging authentication and authorization data between parties. The technology industry created SAML to simplify authentication where users need to access multiple, independent web applications across domains. It achieves this by centralizing user authentication at an identity provider. Web applications can then rely on signed assertions from that identity provider to grant access to their users.
This SAML authentication approach means users do not need to remember multiple usernames and passwords. It also benefits service providers, as it increases the security of their own platform: they no longer need to store passwords, which are often weak and reused, or deal with forgotten-password issues. Due to its many benefits, SAML is a widely adopted enterprise solution.
First, it improves the user experience, as you only need to sign in once to access multiple web applications. Not only does this speed up the authentication process, it also means you only need to remember one set of credentials.
The organization also benefits, since fewer Help Desk calls are needed for password resets. In addition to improving the user experience, SAML also offers increased security.
Since the identity provider stores all login information, the service provider does not need to store any user credentials on their system.
Furthermore, as the identity provider specializes in providing secure SAML authentication, they have the economies of scale to invest time and resources in implementing multiple layers of security. SAML works by exchanging user information, such as logins, authentication state, identifiers, and other relevant attributes between the identity and service provider.
As a result, it simplifies and secures the authentication process: the user only needs to log in once with a single set of credentials. When the user then tries to access a site, the identity provider sends a signed SAML assertion to the service provider, which verifies it and grants the user entry.
Let's illustrate this concept with a real-world analogy. Organizations often need to confirm your identity before granting you access. A good case is the airline industry. Before you board an aircraft, the airline needs to confirm you are who you say you are to ensure the security of other passengers. The airline does not establish your identity itself; it relies on a passport issued by an authority it trusts. In SAML terms, the airline is the service provider and the passport issuer is the identity provider. A SAML provider is a system that helps a user access a service they need, and there are two primary types: the service provider and the identity provider.
A service provider needs the authentication from the identity provider before it grants authorization to the user. Active Directory Federation Services (AD FS) and Microsoft Entra ID (formerly Azure AD) are common identity providers; Active Directory on its own is a directory, not a SAML identity provider. Salesforce and other CRM solutions are usually service providers, in that they depend on an identity provider for user authentication. A SAML assertion can carry three kinds of statements: an authentication statement (the subject authenticated, when, and by what method), an attribute statement (name, email, group memberships and other attributes), and an authorization decision statement (whether the subject may perform an action on a resource). SAML works by passing this information about users, logins, and attributes from the identity provider to service providers.
Each user logs in once with the identity provider (single sign-on), and the identity provider can then pass SAML assertions and attributes to a service provider when the user attempts to access it. In the service-provider-initiated flow, the service provider sends an authentication request (AuthnRequest) to the identity provider, which authenticates the user and returns a signed response to the service provider. Since both systems speak the same language, SAML, the user only needs to log in once. Each identity provider and service provider pair needs to agree upon the SAML configuration.
Both ends need matching configuration for SAML authentication to work: the entity ID of each party, the identity provider's signing certificate, the service provider's Assertion Consumer Service (ACS) URL, the NameID format, and the attribute names. Identity-provider-initiated SSO is similar but omits the AuthnRequest: the user starts at the identity provider, which sends an unsolicited response directly to the service provider's ACS endpoint. Because there is no outstanding request to correlate with, the service provider cannot check an InResponseTo value and must rely on the remaining assertion checks.