What is SAML?
October 21, 2021
What is SAML?
According to Wikipedia, SAML, short for Security Assertion Markup Language, is an open standard for exchanging authentication and authorization data between an identity provider and a service provider. The data is exchanged using an XML-based protocol. The most common use of SAML is web-browser single sign-on (SSO). Authentication within a single domain is usually straightforward using technologies such as sessions and cookies. However, sessions cannot be shared across different domains or servers, and cross-domain cookies are very dangerous, so authentication across different domains is difficult to achieve. SAML is an open standard that solves this problem.
Single sign-on using SAML means that once a user has been authenticated, that authentication information can be passed on to different SaaS/cloud services.
SAML was originally built in 2001 by the OASIS Security Services Technical Committee (SSTC) to define an XML framework for exchanging authentication and authorization data. In 2005, SAML was updated to version 2.0. Today, when we say SAML, we mean SAML 2.0.
How does SAML work?
In order to understand SAML, we first need to understand the identity provider (IdP) and the service provider (SP). The identity provider (IdP) is the service that holds the information about the identity of the user. The service provider (SP) is the service that provides its service to users based on the authenticated identity supplied by the identity provider.
When a user wants to use a service provided by a service provider (SP), the user tries to sign in to the service provider (SP). The service provider (SP) then redirects the request to the identity provider (IdP) and attempts to obtain authentication and authorization from the identity provider (IdP). If the user is already authenticated with the identity provider (IdP), the identity provider (IdP) sends back a message that proves the user has been authenticated with the identity provider (IdP), along with some identity information. Because that message is proof that the identity provider (IdP) has already authenticated the user, the service provider (SP) provides its service to the user.
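The SP side of the flow just described, as an added example that is not code from this post or from any SAML library: the SP builds the AuthnRequest it redirects the browser with, and later validates the Response the IdP sends back before trusting the identity it carries. The entity IDs and URLs are hypothetical, and the Response is a constructed, unsigned sample; a real SP must also verify the XML signature (for example with the python3-saml library), which this example leaves out.

```python
# Added example (not from the HENNGE post or any SAML library): the SP side of
# the SP-initiated SSO flow described above, with the checks an SP must make
# before trusting the identity in the IdP's Response. Entity IDs and URLs are
# hypothetical. The Response is a constructed, unsigned sample; a real SP must
# also verify the XML signature (e.g. with python3-saml), which is omitted here.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.test/metadata"      # hypothetical
IDP_ENTITY_ID = "https://idp.example.test/metadata"    # hypothetical
ACS_URL = "https://sp.example.test/saml/acs"           # hypothetical


def build_authn_request(now=None):
    """Step 1: the SP builds the AuthnRequest it redirects the browser with.
    It must remember the returned ID to tie the Response back to this request."""
    now = now or datetime.now(timezone.utc)
    request_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{now.isoformat()}" '
           f'AssertionConsumerServiceURL="{ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return request_id, xml


def make_sample_response(request_id, issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID,
                         lifetime_minutes=5, now=None):
    """Constructed stand-in for what the IdP posts back in step 3 (unsigned)."""
    now = now or datetime.now(timezone.utc)
    nb, noa = now.isoformat(), (now + timedelta(minutes=lifetime_minutes)).isoformat()
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_{uuid.uuid4().hex}" Version="2.0" InResponseTo="{request_id}" '
            f'Destination="{ACS_URL}" IssueInstant="{nb}">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{nb}">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions>'
            f'</saml:Assertion></samlp:Response>')


def _ts(value):
    """Parse a SAML dateTime, accepting the usual trailing 'Z' for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml, expected_request_id, now=None):
    """Step 4: decide whether to trust the Response. Returns (accepted, reason, name_id)."""
    now = now or datetime.now(timezone.utc)
    # Production code: verify the signature first and use a hardened XML parser.
    root = ET.fromstring(xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "status is not Success", None
    if root.get("InResponseTo") != expected_request_id:   # reject unsolicited responses
        return False, "InResponseTo does not match our request", None
    if root.get("Destination") != ACS_URL:
        return False, "Destination is not our ACS URL", None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion", None
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "Issuer is not the configured IdP", None
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion is not valid at this time", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:    # an assertion meant for another SP is not ours
        return False, "Audience does not include this SP", None
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return (True, "ok", name_id) if name_id else (False, "no NameID", None)


def run_flow():
    """End-to-end: issue a request, receive the constructed response, validate it."""
    request_id, _authn_request = build_authn_request()
    return validate_response(make_sample_response(request_id), request_id)
```

The point of the checks is that the SP trusts nothing in the message by default: the Response must answer a request this SP actually issued (InResponseTo), arrive at this SP's own endpoint (Destination), come from the one configured IdP (Issuer), be meant for this SP (Audience) and be inside its validity window. Each of these is independent of the signature check, which is why the signature alone is not enough.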
The benefit of SAML single sign-on for IT managers is that user data is managed by the identity provider (IdP). In most cases, if the SaaS/cloud service supports Just-In-Time Provisioning (JIT Provisioning), IT managers don't even need to add users before those users start using the SaaS/cloud service. (However, maintaining users for each service is not covered by SAML.)
And with single sign-on, users only need to remember one set of credentials, so they don't have to manage multiple passwords for different SaaS/cloud services.
How does HENNGE One work with SAML?
HENNGE One is a secure single sign-on solution that makes it possible to sign in using digital certificates installed on devices, and provides multi-factor authentication (MFA) using push authentication. Put simply, HENNGE One provides a far more secure way to single sign-on than the usual ID and password.
Today, many SaaS providers support the SAML protocol. Therefore, by using HENNGE One, users can easily set up single sign-on for major SaaS such as Salesforce, Zoom, Adobe Creative Cloud, AWS, Dropbox, DocuSign, Zendesk, Netskope, etc. Plus, since SAML is an open standard, users can modify their own applications to support SAML and gain a secure single sign-on feature by using HENNGE One.