Sign in once and then log in to many applications: this is what SAML offers, one authentication with a password followed by login to many apps or service providers without a password. SAML is the Security Assertion Markup Language, a secure XML-based mechanism for communicating identities between organizations. Its primary use case is a standard for logging a user into applications based on their session in another service or app, so there is no need to re-type a password, to create several strong passwords, or even to remember them. This is internet SSO (single sign-on). Since the number of web-based applications keeps increasing and organizations want easy and secure connectivity for their users, SAML is a good solution for them. There are three reasons SAML SSO is so important:
- SAML increases security by eliminating additional credentials, which removes opportunities for identity theft; it also reduces phishing opportunities by cutting the number of times the user has to log in on the internet using one of these username/password forms.
- SAML also increases application access by removing a barrier to usage: users no longer have to type a password.
- SAML decreases administration time and cost by eliminating the duplicate effort of maintaining credentials, and by eliminating help desk calls for password resets.
There are three entities involved in SAML:
- User: the application user who needs to be identified.
- IDP (Identity Provider): the organization that maintains the directory of users and the mechanism for identifying them.
- SP (Service Provider): the organization that hosts the target application or service.
The user has an account with the IDP, as an employee (user) has with an employer (IDP). The user wants to use a particular application. The IDP and SP are related because they want to federate identity (a customer/supplier relationship).
First, the user attempts to access the application, either by clicking a URL in a portal or by going directly to the web application.
The federated identity software at the IDP then starts to work: it validates the user's identity and makes sure the user has authenticated correctly. It then builds a specially formatted message and sends it to the federated identity software running at the SP. That software determines that the message came from a known user and a known IDP, creates a session for the user in the application, and grants the user access to it. The whole process is completely transparent to the user: all the user sees is that they click the link and are logged in to the application.
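The SP-side step described above, as an added example that is not code from the original post: a Python function that applies the checks an SP makes on the IDP's message before creating a session. The response XML, the IDP and SP URLs and the timestamps are constructed sample values; verification of the XML signature, which a real SP must do with the IDP's certificate before trusting anything else, is omitted here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of the message the IDP posts to the SP (signature omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, trusted_idp, sp_entity_id, now):
    """Return the NameID to open a session for, or raise ValueError.
    A real SP verifies the XML signature with the IDP's certificate first."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion in response")
    # 1. The message must come from the IDP this SP federates with.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != trusted_idp:
        raise ValueError("unknown IDP: " + issuer)
    # 2. The assertion must be inside its validity window (limits replay).
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion missing conditions or outside validity window")
    # 3. It must be addressed to this SP, not to some other application.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion not intended for this SP")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("no subject in assertion")
    return name_id

def check_sample(now_str, idp="https://idp.example.com", sp="https://app.example.com"):
    """Validate SAMPLE_RESPONSE at time now_str; returns the NameID or 'rejected: ...'."""
    try:
        return validate_assertion(SAMPLE_RESPONSE, idp, sp, _ts(now_str))
    except ValueError as e:
        return "rejected: " + str(e)
```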
SAML is reusable: the IDP can use the same software for any additional application that is SAML-enabled. It eliminates administrative work and repetitive password typing, and users love it because they don't need to type their credentials for every application.