Security Assertion Markup Language (SAML) is an open federation standard that lets an identity provider (IdP) authenticate users and then pass an authentication token, the SAML assertion, to another application known as a service provider (SP). The SP can therefore operate without performing its own authentication, and the same mechanism serves both internal and external users. Security credentials are shared with an SP (typically an application or service) across a network instead of being re-entered at each system. SAML enables secure, cross-domain communication between public cloud applications and other SAML-enabled systems, including identity management systems located on-premises or in a different cloud. With SAML you can give users a single sign-on (SSO) experience across any two applications that support the SAML protocol, with the SSO service performing authentication and related security functions on behalf of one or more applications.
The term SAML refers both to the XML-based markup used to encode this information and to the protocol messages, bindings, and profiles that make up the rest of the standard.
SAML works by passing information about users, logins, and attributes between the identity provider and the SP. Each user authenticates once to an IdP and can then seamlessly extend that authentication session to many applications. When the user attempts to access one of those services, the SP (in an SP-initiated flow) sends an authentication request to the IdP; the IdP responds with what is known as a SAML assertion, which the SP uses to authenticate the user and decide what to authorize.
A SAML provider is a system that helps users obtain access to a service they need. SAML transfers identity data between two parties, an IdP and an SP, so there are two main types of SAML provider:
Identity provider (IdP)—authenticates the user and passes the user's identity and authorization level to the service provider (SP). The IdP has authenticated the user; the SP grants access based on the response the IdP provides.
Service provider (SP)—trusts the IdP and authorizes the given user to access the requested resource. An SP requires authentication from the IdP before it grants authorization to the user, and because both systems speak the same language, the user only needs to log in once.
A SAML assertion is an XML document that the identity provider sends to the SP containing the user's authentication and authorization status. An assertion carries three distinct types of statement: authentication statements, attribute statements, and authorization decision statements.
SAML is primarily used to enable web browser single sign-on (SSO). The user experience objective for SSO is to allow a user to authenticate once and gain access to separately secured systems without resubmitting credentials. The security objective is to ensure the authentication requirements are met at each security perimeter.
User experience is extremely important for any application, and it starts from the first moment a user interacts with it. That first activity is generally the login process; if it is cumbersome or unintuitive, it diminishes the overall experience of using the application. Oracle Identity Cloud Service (IDCS) manages user access and entitlements across a wide range of cloud and on-premises applications and services through a cloud-native, identity-as-a-service (IDaaS) platform that acts as the front door into Oracle Cloud for external identities. With it, organizations can enable a zero-trust strategy and treat user identity as a new security perimeter.