SAML: Still going strong after two decades
SAML is an open standard that makes it easier to communicate and verify credentials between identity providers and service providers for users around the world.
In 2005, the open standards consortium OASIS released SAML 2.0 for a wide audience. With the rise of smart mobile devices, the number of web applications and the need to manage endless connections have increased. SAML was key to meeting this challenge and introduced single sign-on (SSO) as a trusted tool for individuals and businesses. The other most common use of SAML is the federation of networks between infrastructures not necessarily linked to web services.
This article examines the SAML protocol, how it works, the parties involved, and its place in the evolution of identity and access management (IAM).
What is SAML?
Security Assertion Markup Language (SAML) manages transactions between web service providers and identity providers using Extensible Markup Language (XML). These communications on the backend of the username and password login processes ensure that users are authenticated by the global identity manager and authorized to use the given web service(s).
Context: Authentication vs. Authorization
A fundamental piece of the digital access puzzle is the difference between authentication and authorization. Authentication confirms user identityand authorization grants specific rights to a web application, user or device.
Read more: Best Privileged Access Management (PAM) Software
Service Providers and Identity Managers
Service providers and identity managers play a critical role in the federation process, enabling users to access specific data.
The exponential growth of applications serving the computing needs and wants of consumers and businesses means a universe of service providers. Service providers are organizations and web services offered to users through a valid request. Application and software developers are responsible for establishing the backend database and protocol needed to store and accept user account credentials.
Popular service providers include major enterprise application vendors such as SAP, Microsoft, Oracle, Adobe, Google, and Salesforce.
Identity Managers provide organizations with a system where a set of credentials can merge to become a federated identity allowing a specific user to access applications across multiple platforms. Similar to directory services, organization administrators can control access to particular data through network user identity management.
Microsoft and Azure Active Directory (AD), Lightweight Directory Protocol (LDAP), and Google Suite are examples of popular enterprise identity provider systems, while other providers include Oracle, Okta, OneLogin, and Auth0.
Read also: Best Zero Trust Security Solutions
How does SAML work?
- A user logs in to the identity provider’s SSO.
- The user submits a request for a privileged web page.
- The service provider confirms the user’s credentials with the identity provider.
- The identity provider responds by validating the user.
- The user accesses the requested web page.
Why is SAML important?
While web service providers have long played the role of identity managers, the emergence of identity providers offers users convenient access to store credentials and, therefore, access to a list of accounts. SAML is the federated authentication and authorization process in this distribution of responsibilities, simplifying communication between parties.
Read more: How machine identities can jeopardize business security
OAuth versus SAML
OAuth is also an example of a language that web service providers use to communicate on behalf of users and applications, but they address different aspects of the authorization-authentication piece.
SAML is a standard for identity management and federation, including systems like SSO. OAuth is a pure authorization protocol that partners with OpenID Connect (OIDC), which handles authentication.
SAML might be the more reliable and mature protocol of the two; however, OIDC is a newer authentication protocol designed for mobile and web applications. Another notable difference between the two languages is OAuth’s use of the JSON Web Token (JWT). While SAML uses XML, JWTs are more lightweight, self-contained, and include a digital signature for independent verification without the authorization server.
Although SAML 2.0 remains widely used, the growth of OAuth 2.0 associated with OIDC means that it is not deployed as much.
Learn more About OAuth 2.0 with OAuth: Our Industry Authorization Guide.
IAM History: SAML in Context
In 2001, the Organization for Advanced for Structured Information Standards (OASIS) began work on what would become the industry’s first XML framework for the exchange of authentication and authorization data. A year later, SAML 1.0 would become an official OASIS standard. In 2005, OASIS released version 2.0, which gained popularity among web developers and service providers by the end of the decade.
As SAML 2.0 paved the way, the first two iterations of OIDC, OpenID, were released in 2006 and 2007 as alternative authentication protocols. The launch of OAuth 1.0 in 2010 and OAuth 2.0 two years later meant that third parties had a deliberate protocol for allowing secure delegated access to the user agent. Rather than dealing with a separate protocol for authentication purposes, the release of OpenID Connect in 2014 gave developers an additional layer allowing initial access between accounts.
Despite the recent prevalence of OAuth and OIDC for authentication and authorization, SAML 2.0 remains a widely offered and used protocol for enterprises.
Read also: Best Next-Generation Firewall (NGFW) Providers