Understanding SAML 2.0 for CISSP Exam

SAML enables SSO capability between systems over the web-based scenarios where a user accesses applications or services via web browsers.

Understanding SAML 2.0 for CISSP Exam


SAML enables SSO capability between systems over the web-based scenarios where a user accesses applications or services via web browsers. SAML 2.0 supports different types of authentication mechanisms, including username/password, X.509 certificates, and Kerberos. Let's understand more about this from a CISSP Exam perspective. 

How does it works?

1. Users request access to a service provider (SP) application.

2. SAML Request: The SP detects that the user is not authenticated and sends an SAML authentication request to the User browser (transparent of the user)

3. User browser redirects the request to identity provider (IdP).

4. The IdP prompts the user to authenticate by providing a username and password, or by other means such as multi-factor authentication (if user is not authenticated already)

5. SAML Response: Once authenticated, the IdP generates an SAML assertion (digitally signed token) that contains information about the user's identity and attributes and sends back to the user browse

6. User browser forwards IdP provided SAML assertion to the SP

7. The SP verifies the digital signature on the SAML assertion and checks that it is issued by a trusted IdP. The SP also checks that the user has the necessary permissions to access the requested resource.

8. If the SAML assertion is valid and the user is authorized, the SP grants access to the requested resource.


Understanding SAML 3.0 for CISSP Exam



Amazing, but what are SAML Assertions?

SAML Assertions are XML-formatted statements exchanged between the IdP and SP that contain information about a user's authentication and authorization. When an assertion is sent from IdP to the SP, they are digitally signed and encrypted. This IdP digital Signatures provides assurance to the SP, that the assertion is actually coming from the IdP. 


There are 3 types of assertions:

  • Authentication AssertionsContains parameters related to authentication.
  • Attribute Assertions: Contains user information like name, role, email, group membership etc.
  • Authorization Decision Assertions: Contains information on what the user is allowed to access.


SAML Bindings, why is it so twisted?

No Worries let's see what SAML Bindings are. 

Bindings are basically rules which dictate how the SAML messages are formatted, encoded, and transported between entities during an SAML authentication. Few most common SAML bindings are as below:

  • HTTP POST binding: SAML messages are transmitted within the body of the request using the HTTP POST method.
  • HTTP Redirect binding: SAML messages are embedded and transmitted within the URL query parameters through the HTTP GET method.
  • SOAP binding: SAML messages are encapsulated (packed) within Simple Object Access Protocol (SOAP) for communications through SOAP API.
  • Artifact binding: Instead of directly transmitted SAML messages, the method exchange identifiers (reference). These artifacts are then used by the other party to fetch the SAML messages.


Security recommendations for SAML based SSO

    Configuring SAML properly is the most important task. Any misconfiguration may lead to undesired circumstances. Few short and crisp considerations are listed below: 

    • Ensure SAML Configuration is tightly configured to validate the SAML messages, robust encryption, and proper assertion handling.
    • Use HTTPS to prevent any Man-in-the-Middle (MitM) attacks.
    • Ensure Assertions are encrypted to prevent any tempering during the authentication process.
    • Ensure the IdP is fortified, else attackers can compromise the IdP and compromise the SPs.


Conclusion 

In the realm of CISSP, comprehending the intricacies of SAML 2.0 is indispensable for professionals venturing into the dynamic landscape of web-based authentication.

SAML 2.0 is still the workhorse for most of the SSO implementation in companies. However, every good thing comes with some overhead. As SAML is based on XML standard and as and when an authentication is initiated, the data and attributes need to be converted in XML format which is called as parsing. This can lead to processing overhead and slow down the entire authentication process. SAML has been there in picture for decades and will still remain as the mainstream SSO protocol, however there are new players in market like OAuth and OpenID connect which are much more lightweight and are being preferred by organizations across the globe. Whatsoever, SAML 2.0 will still keep growing and keep serving the IAM community. We keep hosting such interesting articles and if you are interested to nail CISSP in 100 Days, do not miss out to visit CISSP Success Toolkit program


 

Categories: CISSP