What is SAML?
Security Assertion Markup Language (SAML) is an XML standard that lets secure web domains exchange user authentication and authorization data. Using SAML, an online service provider (SP) can contact a separate online identity provider to authenticate users who are trying to access protected content.
Benefits of using SAML:
- Standardization: SAML interoperates with any system independent of implementation because of its standardized format.
- Security: SAML eliminates per-application passwords and provides authentication through digitally signed assertions. SAML also uses Public Key Infrastructure (PKI) to protect identities from attacks.
- Single Sign-On: SAML gives fast and efficient access to multiple applications through assertions, which connect a SAML-enabled Service Provider (SP) to the Identity Provider. The assertion exchanged between the Service Provider (SP) and the Identity Server gives the user a better experience.
SAML Single Sign-On (SSO) FLOW:
The Identity Provider sends an XML document (the SAML Assertion), which contains the user's authorization data, to the Service Provider (SP).
There are three types of statements a SAML Assertion can carry:
- Authentication: The specified subject was authenticated by a particular means at a particular time. This kind of statement is typically generated by a SAML authority called an identity provider, which is in charge of authenticating users and keeping track of other information about them.
- Attribute: The specified subject is associated with the supplied attributes.
- Authorization decision: A request to allow the specified subject to access the specified resource has been granted or denied.
An assertion consists of one or more statements. For single sign-on, a typical SAML assertion contains a single authentication statement and possibly a single attribute statement. Note that a SAML response can contain multiple assertions, although it is more typical to have a single assertion within a response.
The SAML specification defines three roles:
- The principal (typically a user)
- The Identity Provider (IdP)
- The Service Provider (SP)
In the use case addressed by SAML, the principal requests a service from the service provider. The service provider requests and obtains an identity assertion from the identity provider. On the basis of this assertion, the service provider can make an access control decision, in other words it can decide whether to perform some service for the connected principal.
Let us take an example that shows how to configure the miniOrange Self-Service Console as a service provider that accepts a SAML assertion generated by the miniOrange IdP.
Register a Service Provider on the Identity Server:
- Add Issuer as miniOrange.
- Add Assertion Consumer URL as https://auth.miniorange.co.in/moas/samlresponse
- Make sure Enable Attribute Profile is checked.
- Add email address in Attribute Claims.
- Make sure Include Attributes in the Response Always is checked.
The SSO flow then runs as follows:
- The user selects SAML SSO from the End User Sign In window to log in using the miniOrange Identity Server.
- The miniOrange Authentication Service sends a SAML authentication request with an Attribute Query to the miniOrange Identity Server, together with the Consumer Index that was generated when miniOrange was registered as a Service Provider on the Identity Server.
- The miniOrange IdP parses the SAML request and redirects the user to the Identity Server login page.
- The user enters their username and password. If valid credentials are entered, the IdP sends an encoded SAML Response containing the user's email address to the miniOrange Authentication Service.
- The miniOrange Authentication Service receives the SAML response, decodes it and parses the user's email address. If a valid email address is found, it logs the user into the Self-Service Console.
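The decode-and-parse step of this flow, together with the authentication and attribute statements described earlier, as an added Python example that is not code from miniOrange or from this page: it base64-decodes a constructed sample SAML Response, checks the status, Destination, validity window and Audience of its single assertion, and returns the email attribute. The Issuer "miniOrange" and the Assertion Consumer URL are the values from the walkthrough; the IdP entity ID, the user and every timestamp in the sample are assumed placeholders. It deliberately stops short of XML signature verification, which a real SP must perform with a SAML library before any of these checks can be trusted.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces of SAML 2.0 protocol (samlp) and assertion (saml) elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# What this SP expects. Issuer and ACS URL come from the walkthrough above;
# the IdP entity ID is an assumed placeholder.
SP_ENTITY_ID = "miniOrange"
ACS_URL = "https://auth.miniorange.co.in/moas/samlresponse"
IDP_ENTITY_ID = "https://idp.example.test/metadata"

# Constructed sample SAML Response (not captured from any real IdP): one
# assertion with an authentication statement and an email attribute statement.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T12:00:00Z" Destination="https://auth.miniorange.co.in/moas/samlresponse">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>miniOrange</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()
# The same response with its Audience changed: an assertion meant for another SP.
WRONG_AUDIENCE_B64 = base64.b64encode(
    SAMPLE_RESPONSE_XML.replace("<saml:Audience>miniOrange<", "<saml:Audience>other-sp<").encode()
).decode()


def parse_saml_time(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def extract_email(b64_response, now):
    """Decode a SAML Response and return the user's email, or raise ValueError.

    Assumes the XML signature over the Response/Assertion has already been
    verified by a SAML library; only the post-signature checks are shown here.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report a successful authentication")
    if root.get("Destination") not in (None, ACS_URL):
        raise ValueError("Response was addressed to a different ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # this simple SP only accepts the typical single-assertion response
        raise ValueError("expected exactly one assertion, got %d" % len(assertions))
    assertion = assertions[0]
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion issued by an unknown IdP")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None or conditions.get("NotOnOrAfter") is None:
        raise ValueError("assertion carries no usable Conditions")
    not_before = conditions.get("NotBefore")
    if not_before is not None and now < parse_saml_time(not_before):
        raise ValueError("assertion is not yet valid")
    if now >= parse_saml_time(conditions.get("NotOnOrAfter")):
        raise ValueError("assertion has expired")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was not issued for this SP")
    if assertion.find("saml:AuthnStatement", NS) is None:
        raise ValueError("assertion contains no authentication statement")
    # Prefer the email attribute claim configured in the walkthrough; fall back to an email NameID.
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "email" and attr.findtext("saml:AttributeValue", namespaces=NS):
            return attr.findtext("saml:AttributeValue", namespaces=NS).strip()
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.get("Format", "").endswith(":emailAddress") and name_id.text:
        return name_id.text.strip()
    raise ValueError("no email address in assertion")


def accepted_email(b64_response, now_iso):
    """The email if the response is acceptable at time now_iso, otherwise None."""
    try:
        return extract_email(b64_response, parse_saml_time(now_iso))
    except ValueError:
        return None


if __name__ == "__main__":
    print(accepted_email(SAMPLE_RESPONSE_B64, "2024-01-01T12:01:00Z"))  # alice@example.test
    print(accepted_email(SAMPLE_RESPONSE_B64, "2024-01-01T12:10:00Z"))  # None (expired)
    print(accepted_email(WRONG_AUDIENCE_B64, "2024-01-01T12:01:00Z"))   # None (wrong audience)
```

The Audience and Destination checks are what stop an assertion issued for one SP from being replayed at another, and the NotOnOrAfter check bounds how long a captured response stays usable; both are only meaningful once the signature has been verified, which is why that step is named as a precondition rather than skipped silently.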
You can also configure the miniOrange Self-Service Console as a service provider (SP) with other Identity Providers (IdPs) such as Okta, OneLogin, Azure AD and Auth0.
SAML vs. OAuth
OAuth is a slightly newer standard that was co-developed by Google and Twitter to enable streamlined internet logins. OAuth uses a methodology similar to SAML's to share login information. SAML gives enterprises more control to keep their SSO logins secure, whereas OAuth works better on mobile and uses JSON. Facebook and Google are two OAuth providers that you might use to log into other internet sites.