Understanding The Basics Of Security Assertion Markup Language (SAML)

-

 Understanding The Basics Of Security Assertion Markup Language (SAML)

Security Assertion Markup Language (SAML) is extensively used in the business landscape these days. It is not well-understood, however, despite its ubiquity, leading to misconceptions, misconfigurations, frustrations, and in certain instances, the utter abandonment of the solution and, consequently, the many benefits it provides.

In the security landscape, SAML solves two main objectives. First, information on user authentication is never transmitted by third-party providers or retained by them. Second, users are provided with a Single Sign-On experience irrespective of which service they are logging in to.

What Is SAML?

SAML stands for Security Assertion Markup Language. It is based on XML. The first half of the name quite accurately explains SAML's intent of allowing one system to claim the identity of a user to another system after checking their identity.

At its heart, SAML is a general framework - independent of any specific use case or technology - that can be used in various situations as a general rule, but its flexibility means it can be difficult to configure because different implementations make different assumptions.

The Components Of SAML

Identity Provider (IdP)

An Identity Provider is responsible for authenticating the user, and although this is less common, may also be accountable for authorization. Azure Active Directory, ADFS, Okta, and Auth-0, are some common examples of IdPs. As one of the authentication methods they provide, most implement SAML, and all of these solutions connect to one or more backend systems to actually authenticate the user. In addition to the backend authentication, they also add alternatives and additional authentication criteria, such as two-factor authentication. 

Service Provider (SP) 

The SP offers end-user services such as email, word processing, sales management, and preparation of business resources. Both of these systems had to provide authentication services themselves before SSO capabilities came along, either by using a built-in user database or integrating into a backend system like Active Directory. 

The Metadata

Metadata used by IdPs and SPs defines both of them. This metadata forms the center of the relationship of trust between the two elements. The metadata includes more than just information about trust, but also information about communication that explains how the SP and IdP can exchange assertions. It involves both a destination and a method. This is a URL for web-based SSO, and the HTTP Post method is carried out through the web browser of the client. The metadata is obscured by many popular IdPs today, but somewhere for SAML to work has to be there.

Assertions

Each exchange of SAML authentication ends with an IdP sending a response to the SP containing an assertion or an error. Usually, these are entirely configurable on the IdP. Although nomenclature varies widely, it is commonly referred to as "releasing" to the SP, including an attribute in the assertion.

Certificates

SAML is designed to function over an untrusted medium of communication. As a consequence, the metadata includes details on how to ensure that the statement is not manipulated along the way. On two levels, this can be done: signing and encryption of messages. Most systems only use signing, so unless additional confidential information is exchanged as part of the assertion, encryption does not add any value. Signing only guarantees that the message between the two parties has not been changed en route.

SAML does not need publicly signed certificates, unlike HTTPS. The primary reason it doesn't need them is that the relationship of trust is directly set up. The SP is told to trust the IdP since a particular certificate is being used. To verify the identity of the IdP, there is no need for a third party, as this third party verification is the whole point of the publicly signed certificates.

The System Clock

SAML is highly dependent on SP and IdP both having the same time. It is normally within five minutes, but this is configurable and can be decreased for an enhanced level of protection. The times are all expressed as UTC, so there should be little reference to the systems' time zone.

The unique features and capabilities make SAML universally accepted.

Comments

Post a Comment

Popular posts from this blog

The Most Prominent Emerging Cybersecurity Threats

-
Image
  Because of the   COVID-19 pandemic , organizations around the globe were forced to implement a work-from-anywhere scheme. With staff accessing cloud resources, collaborative tools, and remote systems from home and public networks, and not only via the privacy of a VPN, this has become the new way of doing business. This rapid transition brings a host of safety issues for businesses. Some of the most prominent cybersecurity threats are outlined here. 1. Evolving Traditional Cybersecurity Threats  Cyber threats such as phishing, malware, trojans, and botnets will remain prominent; it seems obvious. Such attacks, mostly mined from company websites and social networks, are increasingly automated and customized to personal information. These kinds of hazards will continue to increase in number and frequency as movements towards automation increase. These risks may be influenced by current events as well. During the pandemic, we saw a surge in phishing emails, taking advantage of the unfam
Read more

PeopleSoft SSO: Improving Employee Experience

-
Image
Employees manage various logins, including emails, financials, CRM software, and other programs and systems built during a regular workday to simplify their daily activities. Remembering and recalling all the usernames and passwords associated with such systems can be daunting and contribute to a loss of productivity. Single Sign-On (SSO) is an Identity and Access Management (IAM) method that enables users to authenticate securely with different websites and applications, by signing in only once — with only one set of credentials. The app or website (which the user is attempting to access) relies on a trusted third party with a Single Sign-On solution to authenticate the users' identity. Why is SSO important today for Human Resource Organizations? 1. SSO Makes the HR System User-Friendly and Easy to Use SSO's greatest benefit is that users can switch between applications safely without having to specify their credentials time and again. SSO effectively incorporates individual s
Read more

Improve Security Posture With The Zero-Trust Security Model

-
Image
  There has been a sea change in how employees connect to and interact with the enterprise resources to get things done. The conventional network security model was programmed to connect staff to the data center's services they required. There were very few remote workers at the time and using an operationally complex VPN, they linked back to their home network. With the dramatic, unpredictable changes brought about by the pandemic, most workers now work remotely, and almost all businesses today use multiple public cloud services. Coupled with the security flaws associated with VPNs, these factors mean that the conventional model is no longer reliable. The Zero-Trust Security Model A critical weakness in the usage of remote access VPNs is that once users are authenticated, they are considered trustworthy and given complete access. As a consequence, once a hacker reaches the firewalls of an organization, with little resistance, if any, he/she can travel around the network. John Kind
Read more