SAML (Security Assertion Markup Language) enables SSO between systems in web-based scenarios where a user accesses applications or services through a web browser. SAML 2.0 does not authenticate the user itself: the identity provider does that with whatever mechanism it supports (username/password, X.509 client certificates, Kerberos, multi-factor authentication) and reports the method used in the assertion's authentication context, so the service provider can decide whether that strength is acceptable. Let's understand more about this from a CISSP exam perspective.
1. The user requests access to a service provider (SP) application.
2. SAML request: the SP detects that the user is not authenticated, builds a SAML authentication request (AuthnRequest) and hands it to the user's browser with a redirect (transparent to the user).
3. The browser delivers the request to the identity provider (IdP).
4. The IdP prompts the user to authenticate (username and password, or other means such as multi-factor authentication) unless the user already has an active session with the IdP.
5. SAML response: once the user is authenticated, the IdP generates a SAML response carrying a digitally signed assertion with the user's identity and attributes and sends it back to the browser.
6. The browser forwards the IdP's response to the SP's assertion consumer service endpoint.
7. The SP verifies the digital signature and checks that the assertion was issued by a trusted IdP, is addressed to this SP (audience and recipient), is still within its validity window and answers a request the SP actually sent. Authorization remains the SP's job: it also checks that the user has the necessary permissions for the requested resource.
8. If the assertion is valid and the user is authorized, the SP grants access to the requested resource.
SAML assertions are XML statements, issued by the IdP and consumed by the SP, that carry information about a user's authentication, attributes and authorization. Assertions are digitally signed by the IdP; they may additionally be encrypted for the SP when they carry sensitive attributes, but encryption is optional while the signature is what the SP relies on. The IdP's signature gives the SP assurance that the assertion really came from that IdP and was not modified on its way through the user's browser.
There are 3 types of assertions (statements) defined in SAML 2.0:
1. Authentication statement: asserts that the subject was authenticated by a particular means at a particular time.
2. Attribute statement: carries attributes of the subject, such as e-mail address, display name or group memberships.
3. Authorization decision statement: asserts whether the subject is permitted to perform a given action on a given resource.
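The eight-step flow and the assertion checks described above, run end to end as an added example that is not part of the original article. The simplifications are assumptions made for the demo: the IdP "signature" is an HMAC-SHA256 over the canonicalised `<Assertion>` with a key the SP also holds, standing in for a real XML-DSig signature made with the IdP's private key and verified against its certificate (a production SP uses a library such as python3-saml or signxml for that); the entity IDs, URLs, user names and attributes are made up.

```python
"""Added example (not the page's own code): the eight steps above run end to end
in pure Python. Assumptions: the IdP 'signature' is an HMAC-SHA256 over the C14N
bytes of <Assertion> with a key the SP also holds, standing in for an XML-DSig
signature made with the IdP's private key (use python3-saml or signxml in
production); entity IDs, URLs, users and attributes are made up for the demo."""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

A = "urn:oasis:names:tc:SAML:2.0:assertion"
P = "urn:oasis:names:tc:SAML:2.0:protocol"
IDP_ENTITY_ID = "https://idp.example.com/metadata"  # assumed
SP_ENTITY_ID = "https://sp.example.com/metadata"    # assumed
SP_ACS_URL = "https://sp.example.com/saml/acs"      # assumed assertion consumer service
IDP_KEY = b"idp-demo-signing-key"                   # stand-in for the IdP's private key
ASSERTION_LIFETIME = timedelta(minutes=5)

def utc_now():
    return datetime.now(timezone.utc)
def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _sign(element):
    """Stand-in for XML-DSig: MAC over the canonical (C14N) form of the element,
    which is also what a real XML signature covers."""
    canonical = ET.canonicalize(ET.tostring(element, encoding="unicode")).encode()
    return base64.b64encode(hmac.new(IDP_KEY, canonical, hashlib.sha256).digest()).decode()

# Steps 2-3: the SP builds an AuthnRequest and remembers its ID so that it can later
# tell a genuine answer from an unsolicited or replayed assertion.
def sp_build_authn_request(pending_ids):
    req = ET.Element(f"{{{P}}}AuthnRequest", ID="_" + secrets.token_hex(16),
                     Version="2.0", AssertionConsumerServiceURL=SP_ACS_URL)
    ET.SubElement(req, f"{{{A}}}Issuer").text = SP_ENTITY_ID
    pending_ids.add(req.get("ID"))
    return ET.tostring(req, encoding="unicode")

# Step 5: after authenticating the user (out of scope here) the IdP issues an
# assertion bound to the request, to the requesting SP and to a short time window.
def idp_issue_assertion(authn_request_xml, user, attributes, now=None):
    now = now or utc_now()
    req = ET.fromstring(authn_request_xml)
    asr = ET.Element(f"{{{A}}}Assertion", ID="_" + secrets.token_hex(16),
                     Version="2.0", IssueInstant=_ts(now))
    ET.SubElement(asr, f"{{{A}}}Issuer").text = IDP_ENTITY_ID
    subject = ET.SubElement(asr, f"{{{A}}}Subject")
    ET.SubElement(subject, f"{{{A}}}NameID").text = user
    conf = ET.SubElement(subject, f"{{{A}}}SubjectConfirmation",
                         Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(conf, f"{{{A}}}SubjectConfirmationData", InResponseTo=req.get("ID"),
                  Recipient=req.get("AssertionConsumerServiceURL"),
                  NotOnOrAfter=_ts(now + ASSERTION_LIFETIME))
    cond = ET.SubElement(asr, f"{{{A}}}Conditions", NotBefore=_ts(now - timedelta(minutes=1)),
                         NotOnOrAfter=_ts(now + ASSERTION_LIFETIME))
    ET.SubElement(ET.SubElement(cond, f"{{{A}}}AudienceRestriction"),
                  f"{{{A}}}Audience").text = req.findtext(f"{{{A}}}Issuer")
    ET.SubElement(asr, f"{{{A}}}AuthnStatement", AuthnInstant=_ts(now))  # authentication statement
    stmt = ET.SubElement(asr, f"{{{A}}}AttributeStatement")              # attribute statement
    for name, value in attributes.items():
        ET.SubElement(ET.SubElement(stmt, f"{{{A}}}Attribute", Name=name),
                      f"{{{A}}}AttributeValue").text = value
    signature = _sign(asr)                              # computed before the Signature child exists
    ET.SubElement(asr, "Signature").text = signature    # enveloped, as in XML-DSig
    return ET.tostring(asr, encoding="unicode")

# Step 7: the SP's checks, in the order a hardened ACS endpoint performs them.
def sp_validate_assertion(assertion_xml, pending_ids, trusted_issuers=(IDP_ENTITY_ID,), now=None):
    now = now or utc_now()
    asr = ET.fromstring(assertion_xml)
    sig = asr.find("Signature")
    if sig is None:
        raise ValueError("unsigned assertion")
    asr.remove(sig)                                     # enveloped-signature transform
    if not hmac.compare_digest(sig.text or "", _sign(asr)):
        raise ValueError("bad signature")
    if asr.findtext(f"{{{A}}}Issuer") not in trusted_issuers:
        raise ValueError("untrusted issuer")
    cond = asr.find(f"{{{A}}}Conditions")
    if not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if SP_ENTITY_ID not in [aud.text for aud in cond.iter(f"{{{A}}}Audience")]:
        raise ValueError("assertion not intended for this SP")
    scd = asr.find(f".//{{{A}}}SubjectConfirmationData")
    if scd.get("Recipient") != SP_ACS_URL or now >= _parse_ts(scd.get("NotOnOrAfter")):
        raise ValueError("wrong recipient or expired subject confirmation")
    if scd.get("InResponseTo") not in pending_ids:
        raise ValueError("unsolicited or replayed assertion")
    pending_ids.discard(scd.get("InResponseTo"))        # each request is answered once
    attrs = {a.get("Name"): a.findtext(f"{{{A}}}AttributeValue") for a in asr.iter(f"{{{A}}}Attribute")}
    return asr.findtext(f".//{{{A}}}NameID"), attrs     # step 8 decides authorization on these

def validation_failure(assertion_xml, pending_ids, now=None):
    try:
        sp_validate_assertion(assertion_xml, pending_ids, now=now)
    except ValueError as exc:
        return str(exc)
    return None
```

Two design points worth noticing: the signature is checked before anything else is read from the assertion, so every later decision rests on authenticated data, and the `InResponseTo` ID is consumed on first use, which is what turns "valid assertion" into "valid assertion for this login attempt" and stops a captured assertion from being replayed within its time window.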
Now let's see what SAML bindings are.
Bindings are the rules that dictate how SAML messages are encoded and transported between entities during a SAML exchange; they map the protocol messages onto a transport such as HTTP. The most common SAML 2.0 bindings are:
1. HTTP Redirect binding: the message is deflated, base64-encoded and sent as a URL query parameter. Used mostly for short requests, because URL length is limited and an XML signature cannot be embedded in the compressed message (it travels as a separate query parameter instead).
2. HTTP POST binding: the base64-encoded message is placed in a hidden field of an auto-submitted HTML form. This is the usual carrier for responses and assertions, which are too large for a URL and carry their signature inside the XML.
3. HTTP Artifact binding: only a short reference (the artifact) passes through the browser; the receiver fetches the actual message from the sender over a back channel.
4. SOAP binding: direct server-to-server exchange of SAML messages over SOAP, used for artifact resolution and other back-channel operations.
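How the two front-channel bindings above carry a message, as an added example that is not part of the original article. The AuthnRequest document, the IdP endpoint URL and the size cap are constructed for the demo; the encodings themselves (raw DEFLATE plus base64 plus percent-encoding for HTTP Redirect, base64 in a form field for HTTP POST, and the `SAMLRequest=…&RelayState=…&SigAlg=…` string that a Redirect-binding signature covers) follow the SAML 2.0 bindings specification.

```python
"""Added example (not the page's code): how the two most common front-channel
bindings carry a SAML message. HTTP-Redirect puts a DEFLATE-compressed,
base64-encoded, percent-encoded message in the query string; HTTP-POST puts
the base64-encoded message in a hidden form field. The AuthnRequest, the IdP
URL and the size cap below are constructed for the demo."""
import base64
import zlib
from urllib.parse import parse_qs, quote, urlencode, urlsplit

IDP_SSO_URL = "https://idp.example.com/sso"   # assumed IdP single sign-on endpoint
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
MAX_MESSAGE_BYTES = 1 << 20   # cap on inflated size: deflate is a decompression-bomb vector

# Constructed sample; a real SP generates this with a fresh ID and IssueInstant.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8f2c1e" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs">'
    '<saml:Issuer>https://sp.example.com/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

def _params(saml_request_b64, relay_state=None, sig_alg=None):
    """Query parameters in the order the Redirect binding signs them."""
    params = [("SAMLRequest", saml_request_b64)]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    if sig_alg is not None:
        params.append(("SigAlg", sig_alg))
    return params

def redirect_binding_encode(xml_text, relay_state=None):
    """HTTP-Redirect: raw DEFLATE (no zlib header) -> base64 -> percent-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15: raw deflate stream
    deflated = compressor.compress(xml_text.encode()) + compressor.flush()
    encoded = base64.b64encode(deflated).decode()
    return f"{IDP_SSO_URL}?{urlencode(_params(encoded, relay_state), quote_via=quote)}"

def redirect_binding_decode(url):
    """Inverse of redirect_binding_encode, refusing messages that inflate past the cap."""
    query = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(raw, MAX_MESSAGE_BYTES)
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("SAMLRequest exceeds size limit or is truncated")
    return xml_bytes.decode(), query.get("RelayState", [None])[0]

def redirect_signature_input(saml_request_b64, relay_state, sig_alg):
    """The exact string a Redirect-binding signature covers. A deflated message
    cannot carry an enveloped XML signature, so the signature is sent in a separate
    Signature= parameter computed over these percent-encoded pairs, in this order."""
    return urlencode(_params(saml_request_b64, relay_state, sig_alg), quote_via=quote)

def post_binding_encode(xml_text):
    """HTTP-POST: base64 only, in an auto-submitted form; the XML signature stays inside."""
    return base64.b64encode(xml_text.encode()).decode()

def post_binding_decode(field_value):
    return base64.b64decode(field_value, validate=True).decode()

if __name__ == "__main__":
    url = redirect_binding_encode(AUTHN_REQUEST, relay_state="/app/dashboard")
    print(url)
    print(redirect_binding_decode(url))
```

The receiving side is where the caveats live: the inflated size is capped because a few kilobytes of crafted DEFLATE can expand to gigabytes, and the string that a Redirect-binding signature covers must be rebuilt from the percent-encoded parameters exactly as they were sent, since any difference in encoding makes a valid signature fail (or, worse, makes a receiver tempted to skip the check).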
Configuring SAML properly is the most important task; any misconfiguration can have undesired consequences. A few short and crisp considerations are listed below:
From a CISSP standpoint, a working understanding of SAML 2.0 is essential for anyone dealing with web-based authentication.
SAML 2.0 is still the workhorse for most enterprise SSO implementations. However, every good thing comes with some overhead. SAML messages are XML, so every authentication requires building, canonicalising, signing and then parsing XML documents on both sides; that processing makes SAML heavier than newer protocols and can slow down the authentication flow. SAML has been around for about two decades and remains the mainstream enterprise SSO protocol, but newer players such as OAuth 2.0 (an authorization framework) and OpenID Connect (an authentication layer built on it, using compact JSON tokens) are much more lightweight and are increasingly preferred, especially for mobile and API-driven applications. Whatever the case, SAML 2.0 will keep serving the IAM community for years to come. We keep hosting such interesting articles, and if you want to nail the CISSP in 100 days, do not miss the CISSP Success Toolkit program.