We here at the Solutions Review Cybersecurity Desk do our best to cut through security technical jargon: explain it, simplify it, or work through it to better illustrate the threat landscape and solution capabilities. We want to present the information in a clear and engaging voice for businesses.
However, this is not always possible. Attempting to simplify certain technical terms, especially in identity and access management (IAM), can impede careful and accurate solution decision-making for enterprises. When this occurs, only by exploring the term—and the technology behind it—can decision-makers gain the clarity they need in IAM.
Security Assertion Markup Language—SAML—is one of these terms.
What is SAML? How does it function, and why should your enterprise care? To give you a crash course in this confusing yet essential terminology, we read through “SAML 101,” a whitepaper by IAM and identity governance solution provider Ping Identity.
Here’s what we learned:
The Context for SAML and Federation
Applications have become an essential part of enterprises’ digital workplaces, whether they operate on-premises or remotely via the cloud. Applications have allowed for greater productivity and communication than was ever considered possible before.
To meet the demands of modern businesses, applications’ hosting systems have evolved. They need to be available and accessible regardless of employees’ physical location or device.
However, what has not changed are the access demands these applications place upon enterprises. Applications operating in different security domains or outside the network firewall require their own log-ins each time they are accessed. Each log-in costs time and energy to find and enter the password, compounded by the number of such requests a user encounters each day.
Furthermore, each has its own password and account demands, which only compounds the significant password issues enterprises continue to deal with today.
We here at Solutions Review have covered some of these password issues in some detail in the past. Forcing your users to remember dozens if not hundreds of user accounts and passwords can lead to its own security vulnerabilities. Users often respond to password demands by picking incredibly simple passwords (“password123” is still in common use) or using a repeated password (which increases the chances of successful credential stuffing utilizing previously stolen passwords). It can also prompt users to write down their passwords in a physical location, a different kind of vulnerability.
SAML and Identity Federation
In this context, identity federation and single sign-on are necessary for enterprises to provide access to all web applications in a scalable and cost-effective manner. Single sign-on allows users to input their credentials once and have them apply to all relevant applications.
More specifically, federated identity uses single sign-on to establish employee and user identity, and then—as the user attempts to access applications—the solution transparently and securely shares their credentials with the application. This allows users and employees to skip the usual log-in step and enjoy a seamless digital workplace experience.
SAML is part of this standards-based identity federation. SAML alleviates log-in issues by enabling single sign-on and the secure exchange of authentication and authorization information between security domains.
At its most basic, when a user attempts to access a service provider with an identity federation solution, the federation software creates a SAML authentication request and delivers it to the appropriate identity provider. The identity provider authenticates the user and creates its own SAML assertion representing the user’s identity and attributes. This assertion is transmitted to the service provider, which shares the relevant information with the desired application to grant access.
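The exchange just described, as an added example that is not from the Ping Identity whitepaper or Solutions Review’s own material: a minimal Python sketch of the SAML 2.0 authentication request and assertion, together with the checks a service provider applies before trusting what the identity provider sent. The entity IDs and user are constructed sample values, and XML signature verification is left out (a real SP must verify the IdP’s signature with a SAML library before any of these checks mean anything).

```python
# Added illustration, not code from Ping Identity or the SAML specification.
# Signature verification is omitted; use a real SAML library (and a hardened XML
# parser) in production. Entity IDs below are constructed sample values.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SP_ENTITY_ID = "https://sp.example.com/metadata"     # constructed
IDP_ENTITY_ID = "https://idp.example.com/metadata"   # constructed
FMT = "%Y-%m-%dT%H:%M:%SZ"                           # SAML timestamps are UTC

def _ts(dt):
    return dt.strftime(FMT)

def _parse(s):
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)

def build_authn_request():
    """SP side: the AuthnRequest the federation software sends to the IdP."""
    req_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{req_id}" Version="2.0" IssueInstant="{_ts(datetime.now(timezone.utc))}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return req_id, xml

def build_assertion(in_response_to, name_id, audience=SP_ENTITY_ID, lifetime=300):
    """IdP side: after authenticating the user, assert who they are, bound to that request."""
    now = datetime.now(timezone.utc)
    expiry = _ts(now + timedelta(seconds=lifetime))
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_{uuid.uuid4().hex}" '
            f'Version="2.0" IssueInstant="{_ts(now)}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID><saml:SubjectConfirmation '
            f'Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData '
            f'InResponseTo="{in_response_to}" NotOnOrAfter="{expiry}"/></saml:SubjectConfirmation>'
            f'</saml:Subject><saml:Conditions NotBefore="{_ts(now)}" NotOnOrAfter="{expiry}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion>')

def validate_assertion(xml, expected_request_id):
    """SP side: accept only an assertion from our IdP that answers our request, is meant
    for us and is still valid. Returns (accepted, subject or rejection reason)."""
    a = ET.fromstring(xml)
    now = datetime.now(timezone.utc)
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "issuer is not the trusted IdP"
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected_request_id:
        return False, "assertion does not answer the request we sent (possible replay)"
    cond = a.find("saml:Conditions", NS)
    if not (_parse(cond.get("NotBefore")) <= now < _parse(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window"
    if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        return False, "assertion was issued for a different service provider"
    return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```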
There is far more to SAML than that, including distinct use cases and relationships with WS-Trust, OAuth 2.0, and OpenID Connect. To learn about SAML and standards-based identity federation in more detail, you can read the “SAML 101” white paper provided for free courtesy of Ping Identity.
Latest posts by Ben Canner