Before looking at how SAML authentication works, we need to know what SAML is.
What is SAML?
Before jumping into the technical jargon, let's look at an example that demonstrates what SAML is and why it's beneficial.
You just started working at a new company, Systools. They've given you a work email address and access to a dashboard. Once you sign in to this dashboard, you're presented with the icons of all of the external services the company uses:
Freshdesk, Zoho, Google Workspace, Office365, Jira, AWS, and many more.
You click on the Zoho icon, some magic happens in the background, and before you know it, you're signed into Zoho without ever entering any credentials!
Here, the "magic" was actually SAML in action.
SAML stands for Security Assertion Markup Language. It is an XML-based open standard for transferring identity data between two parties: an identity provider (IdP) and a service provider (SP).
Identity Provider — Performs authentication and passes the user's identity and authorization level to the service provider.
Service Provider — Trusts the identity provider and authorizes the given user to access the requested resource.
In the scenario above, the identity provider is CloudCodes, the IdP that Systools uses, and the service provider is Zoho. The Systools employee signs into the Systools dashboard with CloudCodes. They click on the Zoho icon, and Zoho recognizes that the user wants to log in via SAML.
Zoho sends the employee back to CloudCodes with a SAML Request that asks CloudCodes to authenticate the user. Since the employee has already authenticated with CloudCodes, CloudCodes verifies the session and sends the user back to Zoho with a SAML Response. Zoho checks this response, and if it looks good, the employee is granted access!
Benefits of SAML Authentication
- Improved User Experience: Users only need to sign in one time to access multiple service providers.
- Increased Security: SAML provides a single point of authentication, which happens at a secure identity provider, and that identity provider can apply context-based policies when granting access to applications.
- Loose Coupling of Directories: SAML doesn't require user information to be maintained and synchronized between directories.
- Reduced Costs for Service Providers: With SAML, you don't have to maintain account information across multiple services. The identity provider bears this burden.
How does SAML Authentication Work?
SAML single sign-on authentication typically involves a service provider and an identity provider. The process has two stages: establishing trust between the two parties, and the authentication flow itself.
Let's take one example:
- Our identity provider is CloudCodes
- Our service provider is Freshdesk
Now, a user is trying to gain access to Freshdesk using SAML authentication.
This is the process flow:
- The user tries to log in to Freshdesk from a browser.
- Freshdesk responds by generating a SAML request.
- The browser redirects the user to the identity provider's SSO URL, i.e. CloudCodes.
- CloudCodes parses the SAML request and authenticates the user. This could be with username and password or even social login. If the user is already authenticated on CloudCodes, this step is skipped. Once the user is authenticated, CloudCodes generates a SAML response.
- CloudCodes returns the encoded SAML response to the browser.
- The browser sends the SAML response to Freshdesk for verification.
- If the verification is successful, the user will be logged in to Freshdesk and granted access to the resources that they are authorized to view/modify.
The SAML process flow diagram is shown below:
Note the attributes in the SAML request and response. Here's a glossary of these parameters:
- ID: A newly generated unique identifier for the message
- IssueInstant: Timestamp to indicate the time it was generated
- AssertionConsumerServiceURL: The SAML URL interface of the service provider, where the identity provider sends the authentication token.
- Issuer URL: The EntityID (unique identifier) of the identity provider
- NameID (Custom URL): The Application URL (unique identifier) of the service provider
- Audience (SP EntityID): The EntityID (unique identifier) of the service provider
- Recipient (SP Assertion): The EntityID (unique identifier) of the service provider
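To see how a service provider uses these parameters when it verifies the SAML response (the verification step of the flow above), here is an added example in Python; it is not CloudCodes or Freshdesk code, the entity IDs, URLs and sample response are constructed, and it assumes the IdP's XML signature on the response has already been verified with an XML-DSig library before these checks run.

```python
# Constructed SP-side checks on a SAML Response (illustrative, not CloudCodes or Freshdesk code).
# Assumes the IdP's XML signature was already verified by an XML-DSig library before this runs.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample: the IdP's response to a SAML request whose ID was "_req123".
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" InResponseTo="_req123"
 IssueInstant="2024-01-01T12:00:00Z">
 <saml:Assertion ID="_a1" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation><saml:SubjectConfirmationData
    Recipient="https://sp.example.com/saml/acs" InResponseTo="_req123"
    NotOnOrAfter="2024-01-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml, request_id, idp_entity_id, sp_entity_id, acs_url, now):
    """Return (True, NameID) if the assertion is for this SP and current, else (False, reason)."""
    root = ET.fromstring(xml)
    if root.get("InResponseTo") != request_id:  # must match the ID the SP put in its request
        return False, "InResponseTo does not match our SAML request ID"
    a = root.find("saml:Assertion", NS)
    if a is None:
        return False, "response carries no assertion"
    if a.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:  # glossary: Issuer URL
        return False, "Issuer is not the trusted identity provider"
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return False, "assertion is outside its validity window"
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:  # glossary: Audience (SP EntityID)
        return False, "Audience is not our SP EntityID"
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id:
        return False, "Recipient/InResponseTo on SubjectConfirmationData do not match"
    if now >= parse_ts(scd.get("NotOnOrAfter")):
        return False, "SubjectConfirmationData has expired"
    return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

A response that fails any one of these checks, even with a valid signature, was not issued for this service provider in reply to this login attempt and must be rejected.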
SAML Authentication with CloudCodes
When it comes to implementing SAML, CloudCodes is extremely extensible and can act as an identity provider, a service provider, or both.