
10:30 AM
Kelly Sheridan
Edge Features

Learn SAML: The Language You Don't Know You're Already Speaking

Security Assertion Markup Language, a protocol most people use daily to log into applications, makes authentication easier for both admins and users. Here's what you need to know about SAML (and what it has to do with "Golden SAML").

Security Assertion Markup Language (SAML): You may have heard of it. You've likely used it at least once today to log into a website portal or enterprise application. But what is SAML? How does it work? And why do you need to know about it?

(Source: Mykyta via Adobe Stock)

What Is SAML?
SAML is an XML-based open standard for exchanging authentication and authorization data between parties, used to log into Web applications like Box, Microsoft 365, Salesforce, and Gmail for Business. The protocol underpins identity federation, identity management, and single sign-on (SSO). Identity federation lets a user's identity be established once and trusted across applications and businesses; with SAML, those applications and businesses can rely on each other's authentication of their users rather than each holding its own copy of the credentials.


What Problem Does It Solve?
Most apps keep their own user store, a database or a Lightweight Directory Access Protocol (LDAP) directory, holding users' profile data and credentials, along with any additional data needed to verify a user. When someone signs in, the app validates the credentials against this store and logs them in. However, when a person has to log into multiple apps and each requires different credentials, it becomes an issue – for users who have to remember all their credentials, and for the admins who maintain and revoke them. Enter SAML.

SAML streamlines the authentication process for signing into SAML-supported websites and applications, and it's the most popular underlying protocol for Web-based SSO. An organization has one login page and can configure any Web app, or service provider (SP), supporting SAML so its users only have to authenticate once to log into all its Web apps (more on this process later).

The protocol recently made headlines because of the "Golden SAML" attack technique, which was used in the SolarWinds security incident. An attacker who obtains the identity provider's token-signing key, typically by gaining privileged access to the server that holds it (such as an AD FS server), can forge SAML assertions for any user and thereby gain access to any service or asset that trusts that identity provider. The forged assertions carry valid signatures, so the service provider cannot tell them from genuine ones; the defense lies in protecting the signing key and the systems that hold it, which is why its use in the wild underscores the importance of following best practices for privileged access management.

A need for a standard like SAML emerged in the late 1990s with the proliferation of merchant websites, says Thomas Hardjono, CTO of Connection Science and Engineering at the Massachusetts Institute of Technology and chair of OASIS Security Services, where the SAML protocol was developed. Each merchant wanted to own the authentication of each customer, which led to the issue of people maintaining usernames and passwords for dozens of accounts. 

"The whole password problem is a 30-year-old problem," Hardjono says. "The idea of SAML was, could we create a special entity, called the identity provider, that would essentially be the authentication entity?" 

Who Are These Identity Providers?
An identity provider (IdP) is tasked with verifying users' identities and communicating with the SP to log them in so they can access more resources with fewer logins. There are several IdPs in today's market: Okta, OneLogin, Microsoft Active Directory Federation Services, Duo Access Gateway, and Ping Identity are a few popular ones. SAML is the language in which the IdP tells the SP that it has authenticated a user.

Hardjono calls the interaction among SP, IdP, and user "a triangular flow or relationship." Read on for more details on how this relationship works.

How Does SAML Work?
SAML works by allowing SPs, or applications, to delegate their authentication to a separate, dedicated service, the IdP.

SPs are configured to trust specific IdPs in the federation process. It doesn't matter to the SP how the IdP checks a user's identity; it only cares that the user is verified and that the assertion saying so genuinely came from the IdP it trusts. The user only needs one username and password, which is managed by the identity provider.

John Maguire, senior software engineer at Duo Security, puts this into the context of logging into a conference call. An employee clicks the link to log into a Webex meeting. When they land on the Webex page, Webex looks up which IdP it should use to authenticate them, something the business has preconfigured, he adds.

Webex then redirects the user to their IdP, along with a SAML authentication request asking the IdP to authenticate them. The IdP has several methods for doing this: It could check a user's credentials and account status, the device used to access the application, or the network a user is on. It could invoke multifactor authentication. The user's employer configures the steps taken to verify their identity.

"Those all go into determination of either what level of authentication it should use — just first factor, first factor and second factor, [and] whether it should let you authenticate at all," Maguire adds. If an IdP notices the location is off, for example, it may deny a user's authentication. 

The IdP verifies this data and creates a message, the SAML assertion, which states the user's identity and attributes and is signed with the IdP's private key so the recipient can confirm it is genuine and unaltered. The IdP then sends this assertion via browser redirects to Webex, which validates the signature against the IdP's certificate and checks the assertion's contents (who it is about, which SP it is meant for, and whether it is still within its validity window) before logging the user into the application.

"All of this communication is actually passed back and forth using the user's browser," adds Jamie Pringle, also a senior software engineer with Duo Security. "The two sides never directly talk to each other." 

Oftentimes there will be multiple SPs configured to one IdP. In these cases, an authenticated user may see a dashboard with other service providers they can access for the following six hours — or however long the session is configured to last.

There are two types of workflows for SAML-based authentication. In an SP-initiated process, a user tries to log into a service provider's Web portal. Instead of requesting credentials, the site redirects to its IdP with a SAML request for authentication, and the assertion that comes back references that request's ID. In an IdP-initiated process, the user logs into the IdP, is authenticated, and is then sent to the SP with a SAML assertion. Some SPs don't support an SP-initiated process; in this case, an IdP-initiated workflow is the only option. The caveat is that an IdP-initiated assertion carries no request ID for the SP to match it against, so an SP that accepts unsolicited assertions depends entirely on the assertion's audience, recipient, and validity window, and on a replay cache, to keep a captured assertion from being reused.
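The exchange described above, as an added worked example that is not part of the original article or any vendor's product: a service provider issues an AuthnRequest, the identity provider checks a password and answers with a signed assertion carried back through the browser, and the service provider validates it before trusting the name inside. The same build_response function also shows the "Golden SAML" point made earlier: whoever holds the IdP's signing key can mint an assertion the SP accepts without ever authenticating. Simplifications, all assumptions of this example: an HMAC-SHA256 over the C14N form of the assertion stands in for the XML Signature (RSA over canonicalized XML) that real SAML uses, a raw key stands in for the IdP's token-signing certificate, and every entity ID, URL, user and password is constructed.

```python
# Added example (not Dark Reading's or any vendor's code). Assumptions: HMAC-SHA256 over the
# C14N form of the <Assertion> stands in for the XML Signature (RSA) real SAML uses, and a raw
# key stands in for the IdP's token-signing certificate; all IDs, URLs and users are constructed.
import base64, copy, hashlib, hmac, uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML, SAMLP = "urn:oasis:names:tc:SAML:2.0:assertion", "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
for p, uri in (("saml", SAML), ("samlp", SAMLP), ("ds", DS)):
    ET.register_namespace(p, uri)

def _ts(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
def _parse_ts(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def _sid(): return "_" + uuid.uuid4().hex   # SAML IDs are XML NCNames, so no leading digit

def _canonical(assertion):
    """C14N bytes of the assertion minus its enveloped <ds:Signature>: the bytes the signature covers."""
    elem = copy.deepcopy(assertion)
    for sig in elem.findall(f"{{{DS}}}Signature"):
        elem.remove(sig)
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True).encode()

def sign_assertion(assertion, key):
    mac = hmac.new(key, _canonical(assertion), hashlib.sha256).digest()
    sig = ET.SubElement(assertion, f"{{{DS}}}Signature")
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()

def signature_valid(assertion, key):
    val = assertion.findtext(f"{{{DS}}}Signature/{{{DS}}}SignatureValue")
    expected = hmac.new(key, _canonical(assertion), hashlib.sha256).digest()
    return bool(val) and hmac.compare_digest(base64.b64decode(val), expected)

def build_response(key, issuer, subject, audience, acs_url, in_response_to=None, now=None, ttl=300):
    """Mint a signed Response for `subject`; whoever holds `key` can do this for any user (Golden SAML)."""
    now = now or datetime.now(timezone.utc)
    a = ET.Element(f"{{{SAML}}}Assertion", ID=_sid(), Version="2.0", IssueInstant=_ts(now))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject
    scd = ET.SubElement(ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation"),
                        f"{{{SAML}}}SubjectConfirmationData", Recipient=acs_url)
    if in_response_to:                                    # absent in an IdP-initiated (unsolicited) flow
        scd.set("InResponseTo", in_response_to)
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=_ts(now - timedelta(seconds=60)),
                         NotOnOrAfter=_ts(now + timedelta(seconds=ttl)))
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"), f"{{{SAML}}}Audience").text = audience
    sign_assertion(a, key)
    resp = ET.Element(f"{{{SAMLP}}}Response", ID=_sid(), Version="2.0", IssueInstant=_ts(now))
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    resp.append(a)
    return base64.b64encode(ET.tostring(resp)).decode()   # the SAMLResponse form field of the HTTP-POST binding

def idp_login(idp_entity_id, signing_key, users, authn_request, username, password, now=None):
    """IdP side: apply local policy (a password here; real IdPs add device, network, MFA), then answer the SP."""
    if users.get(username) != password:
        raise PermissionError("authentication failed at IdP")
    req = ET.fromstring(authn_request)
    return build_response(signing_key, idp_entity_id, username, req.findtext(f"{{{SAML}}}Issuer"),
                          req.get("AssertionConsumerServiceURL"), in_response_to=req.get("ID"), now=now)

class ServiceProvider:
    def __init__(self, entity_id, acs_url, trusted_idps):
        self.entity_id, self.acs_url, self.trusted_idps = entity_id, acs_url, trusted_idps  # issuer -> key
        self._pending = {}                                 # AuthnRequest ID -> expiry of our own requests

    def build_authn_request(self, idp_entity_id, now=None, ttl=300):
        now = now or datetime.now(timezone.utc)
        rid = _sid()
        self._pending[rid] = now + timedelta(seconds=ttl)  # remember what we asked, and until when
        req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID=rid, Version="2.0", IssueInstant=_ts(now),
                         Destination=idp_entity_id, AssertionConsumerServiceURL=self.acs_url)
        ET.SubElement(req, f"{{{SAML}}}Issuer").text = self.entity_id
        return rid, ET.tostring(req)

    def consume_response(self, saml_response, now=None):
        """Validate a SAMLResponse posted to the ACS; return the NameID or raise ValueError."""
        now = now or datetime.now(timezone.utc)
        resp = ET.fromstring(base64.b64decode(saml_response))
        assertions = resp.findall(f"{{{SAML}}}Assertion")
        if len(assertions) != 1:                           # refuse ambiguous messages outright
            raise ValueError("expected exactly one assertion")
        a = assertions[0]
        key = self.trusted_idps.get(a.findtext(f"{{{SAML}}}Issuer"))
        if key is None or not signature_valid(a, key):     # verify before believing any other field
            raise ValueError("untrusted issuer or bad signature")
        cond = a.find(f"{{{SAML}}}Conditions")
        if not _parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter")):
            raise ValueError("assertion outside its validity window")
        if self.entity_id not in [x.text for x in cond.iter(f"{{{SAML}}}Audience")]:
            raise ValueError("assertion not addressed to this SP")
        scd = a.find(f".//{{{SAML}}}SubjectConfirmationData")
        if scd is None or scd.get("Recipient") != self.acs_url:
            raise ValueError("assertion not delivered to our ACS URL")
        irt = scd.get("InResponseTo")                      # this SP refuses unsolicited (IdP-initiated) responses
        if irt is None or (self._pending.pop(irt, None) or now) <= now:   # pop: each request answered once
            raise ValueError("InResponseTo does not match a live request")
        return a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
```

To run it, build a ServiceProvider whose trusted_idps maps the IdP entity ID to the key, call build_authn_request, hand the request to idp_login with a valid password, and pass the result to consume_response, which returns the NameID; hand the same response in a second time and it raises, because the request ID was consumed on first use. Two design points are worth noting: the signature is verified before any other field is read, and every check the prose lists (issuer, audience, recipient, validity window, request binding) is a separate rejection, so a valid signature alone never logs anyone in. This SP deliberately refuses responses without InResponseTo; an SP that must accept IdP-initiated logins has no request to bind to and would need a replay cache of accepted assertion IDs in place of the pending-request check.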

How Do Businesses and Admins Benefit from SAML?
Since it was first developed, SAML has become the standard for Web-based single sign-on. It quickly caught on among businesses, which began to use the protocol internally for their employees.

"As access management started gaining more relevance, because more and more companies were accessing applications outside their network … SAML became very important to the corporation and to the people who need to provide SSO," says Michael Kelley, senior research director in Gartner's Secure Business Enablement Group.

The benefits are clear for both users and admins. Individuals don't have to enter credentials into the application itself and undergo a more secure login process overall, explains Aaron Parecki, senior security strategist at Okta. Once they're authenticated, they can transfer back and forth between apps without the hurdle of logging in several times.

"This is a great way to have a more secure experience as a user because you only ever enter your credentials into the server that has your credentials — the place where the account lives," he says. "If you want to log into an application, you don't have to trust that the application is going to handle your credentials properly."

(Continued on page 2 of 2)

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
Tim Morgan ecbftw,
User Rank: Author
1/26/2021 | 9:10:19 PM
Nice overview of SAML
Great introductory guide in the context of recent events. It might be worth noting that many SAML implementations have been found badly vulnerable to attack in the past. This happens because SAML has redundancies in the message formats that are very easy for a programmer's code to misinterpret.

Personally, I regard SAML as a particularly brittle protocol that can be made safe, but it is very common for vulnerabilities to show up in implementations.