SAML - The Vital Hidden Ingredient in Effective Single Sign-On


SAML stands for ‘Security Assertion Markup Language’. It is an XML-based open standard (with an associated protocol) that allows authentication and authorization data to be exchanged between an identity provider and a service provider.

There are whole Wiki pages dedicated to SAML, its history and the different versions available, but it basically allows users to be authenticated and authorized without entering additional credentials. It does this by passing digitally signed XML documents, called assertions, across a trust relationship established between one site, domain or network and another. The user’s credentials stay at the identity provider (the site or domain that already knows the user, such as an internal directory), which is where the user actually logs in. The service provider (for instance, the cloud application the user wants to access) never sees the password; it receives an assertion from the identity provider, verifies its signature and trusts it on that basis.

In short, SAML provides a standard way to transmit authentication information between organizations. Specifically, it lets users access resources in entirely separate domains using the credentials they already have.

A SAML assertion can carry three kinds of statements: authentication, attribute and authorization decision statements. The authentication statement records that the identity provider authenticated the user, when, and by what method. The attribute statement carries specific information about the user (an email address, department or group membership, for example) that the service provider can act on. The authorization decision statement records whether the user is permitted to perform a given action on a given resource; in practice it is rarely used, and most deployments convey entitlements through attributes instead. On their own these statements are just claims. What makes them trustworthy is the identity provider’s digital signature over the assertion together with the conditions it carries (a validity window and the intended audience), which the service provider must check before acting on any of the statements.
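As an added example (not code from the article), here is a service-provider-side check in Python that takes an assertion carrying all three statement types, validates the conditions and only then extracts the statements. The sample assertion and the issuer and audience URLs are constructed for illustration. The Signature element is omitted because XML-DSig verification needs a library such as xmlsec or python3-saml, and it must succeed before any of the checks below mean anything.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion; not output from a real identity provider.
# ds:Signature is omitted: verify it with an XML-DSig library BEFORE calling
# parse_assertion(), and parse untrusted XML with defusedxml in production.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.net/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-15T09:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>approver</saml:AttributeValue><saml:AttributeValue>viewer</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://app.example.net/reports" Decision="Permit">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""


def _parse_time(value):
    # SAML timestamps are UTC ISO 8601 ending in 'Z'; strip the 'Z' so that
    # fromisoformat() accepts it (with or without fractional seconds).
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def parse_assertion(xml_text, expected_issuer, expected_audience, now):
    """Validate an already signature-verified assertion and return its three
    statement types. Raises ValueError on anything the SP must not accept."""
    if isinstance(now, str):
        now = _parse_time(now)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")

    # Conditions: validity window (real deployments allow a small clock skew)
    # and audience, so an assertion minted for another SP cannot be replayed here.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    not_after = cond.get("NotOnOrAfter")
    if not_after is None or now >= _parse_time(not_after):
        raise ValueError("assertion expired or has no expiry")
    not_before = cond.get("NotBefore")
    if not_before is not None and now < _parse_time(not_before):
        raise ValueError("assertion not yet valid")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to this service provider")

    # Statement 1: authentication. Without it there is no login to honour.
    authn = root.find("saml:AuthnStatement", NS)
    if authn is None:
        raise ValueError("no AuthnStatement: cannot treat assertion as a login")
    # Statement 2: attributes, as name -> list of values (attributes are multi-valued).
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    # Statement 3: authorization decisions, as (resource, decision, actions).
    authz = [
        (s.get("Resource"), s.get("Decision"), [a.text for a in s.findall("saml:Action", NS)])
        for s in root.findall("saml:AuthzDecisionStatement", NS)
    ]
    return {
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "authn_instant": authn.get("AuthnInstant"),
        "authn_context": authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
        "attributes": attributes,
        "authz": authz,
    }


def check_assertion(xml_text, expected_issuer, expected_audience, now):
    """Convenience wrapper: (True, parsed) on success, (False, reason) on rejection."""
    try:
        return True, parse_assertion(xml_text, expected_issuer, expected_audience, now)
    except ValueError as exc:
        return False, str(exc)
```

Run with a `now` inside the window (say 2024-01-15T10:00:00Z) and the assertion is accepted with subject alice@example.com, two roles and one Permit decision; run it at 10:05:00Z, or with a different audience or issuer, and it is rejected before any statement is read. The order matters: signature first, then issuer, time window and audience, and only then the statements.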

Powering effective Single Sign-On

While SAML alone is not enough to bring all the security benefits modern enterprises would look for, when integrated into other technology, like Single Sign-On, it becomes very powerful indeed.

SAML is arguably one of the most important ingredients of effective Single Sign-On solutions. It is the glue that lets SSO give an end-user one point of access, with one set of login credentials, across different apps and networks.

Another major benefit is that because credentials and passwords are maintained at the identity provider and not at the service provider, password authentication stays within an organization’s own infrastructure. Each additional application no longer holds its own copy of the password or presents its own login form, which gives organizations better control over security and reduces the opportunities for password theft.
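As an added example, not from the article, here is the SP-initiated exchange sketched in Python: the service provider builds an AuthnRequest and encodes it for the HTTP-Redirect binding, the identity provider decodes it (and authenticates the user, which is the step the service provider never takes part in), and the service provider then correlates the returned Response with a request it actually sent, rejecting unsolicited or replayed ones. All endpoints, IDs and the sample Response are constructed for the example; signatures are again omitted.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP_NS, "saml": SAML_NS}

# Hypothetical endpoints for the example; not real deployments.
SP_ENTITY_ID = "https://app.example.net/saml/metadata"
SP_ACS_URL = "https://app.example.net/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
IDP_SSO_URL = "https://idp.example.com/sso/redirect"


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_authn_request(request_id, issue_instant):
    """Step 1 (SP): an unauthenticated user arrives, so the SP asks the IdP to log them in."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{_iso(issue_instant)}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )


def to_redirect_url(authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as query parameters.
    relay_state must be a relative path the SP validates later (open-redirect risk)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def from_redirect_url(url):
    """Step 2 (IdP): reverse the encoding. The IdP then authenticates the user itself;
    the password is entered here and never reaches the SP."""
    q = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()
    root = ET.fromstring(xml)
    return {"id": root.get("ID"), "issuer": root.findtext("saml:Issuer", namespaces=NS),
            "acs": root.get("AssertionConsumerServiceURL"), "relay_state": q.get("RelayState", [""])[0]}


def sample_response(in_response_to, issue_instant):
    # Constructed IdP Response (unsigned; a real one carries ds:Signature).
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" ID="_resp1" Version="2.0" '
        f'IssueInstant="{_iso(issue_instant)}" Destination="{SP_ACS_URL}" InResponseTo="{in_response_to}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_iso(issue_instant)}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject><saml:NameID>alice@example.com"
        "</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>"
    )


class PendingRequests:
    """SP-side store of outstanding request IDs; each one is consumed at most once."""
    def __init__(self):
        self._pending = {}

    def add(self, request_id, expires_at):
        self._pending[request_id] = expires_at

    def consume(self, request_id, now):
        expires_at = self._pending.pop(request_id, None)
        return expires_at is not None and now < expires_at


def accept_response(response_xml, pending, now):
    """Step 3 (SP ACS): the browser POSTs the Response back. Before the assertion is
    examined (signature, conditions, statements), tie it to a request this SP sent."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return False, "not a samlp:Response"
    if root.get("Destination") != SP_ACS_URL:
        return False, "Response not addressed to our ACS"
    if not pending.consume(root.get("InResponseTo"), now):
        return False, "unsolicited, expired or replayed InResponseTo"
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        return False, "IdP did not report success"
    return True, root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)


def run_flow(now=None):
    """Drive the whole exchange once and replay the Response to show it is refused."""
    now = now or datetime.now(timezone.utc)
    pending = PendingRequests()
    request_id = "_" + secrets.token_hex(16)
    pending.add(request_id, now + timedelta(minutes=5))
    url = to_redirect_url(build_authn_request(request_id, now), relay_state="/reports/q4")
    seen_by_idp = from_redirect_url(url)
    response = sample_response(seen_by_idp["id"], now + timedelta(seconds=20))
    first = accept_response(response, pending, now + timedelta(seconds=21))
    replay = accept_response(response, pending, now + timedelta(seconds=22))
    return {"request_id": request_id, "idp_saw": seen_by_idp, "first": first, "replay": replay}
```

`run_flow()` returns the request as the identity provider decoded it, the accepted first Response (with the subject alice@example.com) and the rejected replay. The one-time InResponseTo check is what stops an attacker from feeding a captured Response back into the ACS; it complements, and does not replace, signature and condition checks on the assertion itself.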

By facilitating simpler SSO, SAML further improves security by helping to minimize the dangers associated with users remembering multiple passwords – from writing them down to repeating passwords to making obvious, weak password choices.

SAML authentication in action

SAML authentication is effective in many scenarios. It is often used to let a service provider’s clients reach hosted applications, such as web email or a virtual retail environment. If, within that retail environment, the provider runs a shopping cart in a domain separate from the inventory system, SAML can give the end-user access to both without authenticating twice.

In Human Resources departments for example, SAML can provide a fast way to on-board new employees after an acquisition by providing access to both company networks via a single authentication point.

To cite one more example in healthcare, SAML can help unite external healthcare providers to deliver critical applications to patients through a single source of authentication.

SAML adoption

Still, SAML is not without its doubters. Some IT people and organizations think it is easier to simply use usernames and passwords for authentication and authorization than to deploy signed assertions and build a circle of trust relationships.

Despite the predictions of the password’s imminent demise, traditional passwords are deeply ingrained in the security psyche and it is difficult to get organizations to move away from them.

SAML can also be complex to implement, even for experienced IT people and administrators. Some argue that it over-engineers SSO, building something complicated to power something that is essentially very simple, and that might be a factor in the uptake of SSO within some enterprise businesses.

Then there is the fact that, in an increasingly mobile world, SAML is built around a browser being redirected between identity provider and service provider. That fits web-based authentication well but sits awkwardly inside native mobile apps, where it is not yet fully optimized.

Yet despite this, SAML remains a vital cog in effective Single Sign-On and crucial in providing the robust security features associated with SSO technology. More than just a standard for transmitting authentication information between organizations, SAML authentication provides the capability and flexibility users need to securely access resources from separate domains without the hassles of constant authentication. Even against a backdrop of increasing mobile use, for any enterprise, that should be something worth seriously considering.
