Spec could be the backbone to interoperable online IDs
As businesses move data and applications to the Internet and the cloud, they need a way to authenticate users across a variety of domains and devices. But leaving the relative security of an organization’s internal servers brings with it vulnerabilities as services and access controls move outside of the protected domain.
Typically, user authentication involves the selection of a different user name and password combination for each application. The ever-growing list of log-ins hurts productivity and can become a nuisance to staff and clients. But it has an even more dangerous side.
According to Pam Dingle, senior technical architect with Ping Identity, roughly 75% of Internet users use the same password for multiple login situations. Hackers target small businesses and easy to hack websites in search of email and password information. After obtaining the login information from the easier to hack locations, they try all the combinations until they are granted access to more secure systems. This technique allows them to get around the larger, more advanced security systems.
The Security Assertions Markup Language (SAML) helps organizations address this security risk by eliminating the need for multiple log-ins and the need to store login information in the cloud.
OASIS, the organization that standardized SAML, defines it as an XML-based open standard, single sign-on solution. Essentially, single sign-on enables a user to provide an identity once and then use it for secure access to multiple applications across security domains and servers.
“Think of it like a passport for a traveler flying between countries,” Dingle describes. “Just like the passport, SAML provides identity information and is presented in a trusted format. The border agent believes in the identity of the person because they believe in the issuer of the passport. SAML works in a very similar way, where the receiving party trusts the issuing party.”
Fortune 1000 companies communicate with each other using SAML, as do companies that want employees to sign on to each other’s servers, Dingle says. For example, a health care benefits provider will use a SAML in partnership with a pharmacy so that aspects of the pharmacy website will be integrated into their own website. Instead of the user having to sign in to both websites, they need only sign in once.
Single sign-on is playing a much larger role in both business and consumer applications. SAML was created in 2002 and has become a leading single sign-on standard for business applications. It’s a well-tested standard with support from many companies.
Examining SAML at work
The specification has two major components: an identity provider and a service provider. A user will attempt to access a service provider with a user agent–typically a Web browser–at which point the service provider will send a SAML authentication request to the identity provider.
In a common use case, an individual clicks from within their internal domain to access an external cloud-based service. Instead of the browser taking them directly to the application, it redirects to an identity provider.
The identity provider is responsible for authenticating the user. This can be done through username/password or by way of a more advanced authentication technology, such as a smart card, one-time passcode or biometric. The identity provider validates the authentication request and creates a SAML assertion–a document that contains the user’s identity and attributes.
A digital signature is applied to the assertion and it is encrypted and sent to the service provider. The browser will then be redirected with the SAML document in the header. The service provider decrypts the assertion, makes an access control decision and then shares the information with the application.
After all of those security actions are complete, the user is taken to the application. All of these steps happen seamlessly behind the scenes. The user is unaware of the authenticating, packaging, un-packing and validating that occurs within seconds.
Components of SAML assertion
An assertion contains security information in the form of statements. There are three types of statements that an assertion will contain: authentication statements, attribute statements and authorization decision statements.
An authentication statement tells the service provider that the identity provider did in fact authenticate the user. The attribute statement is used to make fine-grained access-control decisions. The authorization decision statement states that the user is enabled to perform an action on a specific resource due to a given piece of evidence.
Single sign-on and the future of SAML
The current standard, SAML 2.0 is the third iteration. SAML 1.0 was originally developed by OASIS in 2002. A year later, OASIS made a small upgrade to create version 1.1. In 2005, SAML 1.1 was combined with the Liberty Alliance (now Kantara Initiative) Identity Federation Framework (ID-FF) and Shibboleth to form SAML 2.0.
SAML is primarily used in the corporate environment but there are other single-sign on standards–such as OpenID–for different situations. The use of SAML is catching on, even among those who were not originally on board. Previously, Microsoft’s Active Directory Federation Server did not support SAML, however, newer editions include its support.
According to Dingle, the current SAML 2.0 version will continue to be the standard for quite some time as no new version is on the horizon.