What is SAML? With the general shift of IT towards the cloud and SaaS-delivered applications, SAML is becoming a hot topic. Let’s explore SAML, how it works, its history and benefits, and how you can use it.
What is SAML?
The Security Assertion Markup Language (SAML) protocol is the go to for many web application single sign-on (SSO) providers. SAML utilizes Extensible Markup Language (XML) certificates to assert user authentications from an identity provider (IdP) to a service provider (SP) or application. There’s certainly a lot of acronyms, but they will make more sense as we dive into how SAML works.
How SAML Works
The process goes something like this. When a user wants to access a web application, they first visit the service via an ‘agent’, which nearly always is a standard web browser like Chrome, Firefox, Safari, or Internet Explorer/Edge. The agent then attempts to request access from the SP, i.e., log in to the app.
The SP has been administratively set to defer its authentication to a specific source of authentication—the IdP. Login is then effectively re-directed via the internet (and through the browser) to request an authentication to verify the user’s identity. This can actually behave for the user as a redirection to another website that contains a simple user interface containing a username/email and password field.
The user will enter their credentials, and the IdP will verify them. Upon successful verification, the IdP will generate an XML-based certificate, referred to as an assertion. This means the IdP is generating a figurative “hall pass”, claiming it knows the user and they may gain entrance to the app. This certificate is relayed back to the user’s browser and then on to the service provider, redirecting the page back to the service so it can ingest the “hall pass” and then allow the user entrance. When broken down visually, the following diagram demonstrates the basic steps of this transaction:
The History of SAML
SAML was created by the Organization for the Advancement of Structured Information Standards (OASIS) in late 2002. By that time, the traditional Microsoft IdP, Active Directory, was hitting its stride, becoming one of the most widely used directory services in the world. Its dominance made sense; nearly every office was based around on-prem, Windows systems and applications, so managing them using a solution created to do just that was simply ideal.
Just before the conception of SAML, however, another innovation hit the IT scene in a major way: web-based SaaS applications. While they offered great boons by way of accessibility, collaboration, and productivity, SaaS apps had a great drawback as well. The main form of user identity and access management for IT admins, Active Directory (AD), worked best with on-prem applications. So, SAML was created to help bridge that growing gap between AD and the expansive possibilities of the cloud.
Benefits of SAML
Besides the obvious one above, there are several other benefits to using SAML. One such benefit is that, because the process uses secure XML communication via SAML directly between the SP and IdP, end users do not need to remember all of the passwords need to access their various web apps. This means that end users only need a single set of credentials to access their applications. They can simply create a single, strong password to secure their IdP credentials while not having to worry about keeping their web app passwords written out in a document or on a sticky note attached to their monitor.
With only one password to worry about for web applications, IT admins generally experience a reduction in password-related help desk tickets. SSO also reduces the risks of shadow IT, that is, users managing their own access to applications under IT’s radar. End users, having to only worry about a single password, experience less password fatigue with SSO as well.
The Underlying Question
While SAML brings many useful perks, looking at modern SSO solutions begs the question, “can using SAML alone really be called single sign-on?” After all, with the traditional addition of the SAML SSO model to user management, users still need to sign in to systems, networks, infrastructure, etc. and their SSO provider in order to access their resources. That’s a handful of passwords still required, which doesn’t really sound like a single sign-on at all.
True Single Sign-On™ would extend beyond simply SAML, using an array of other protocols and authentication methods to extend one set of user credentials to virtually all resources. Thankfully, a next-generation cloud directory service is providing this True SSO experience for modern IT organizations.
True SSO with SAML and More From the Cloud
JumpCloud® Directory-as-a-Service® enables IT admins to manage their users and their access to systems, applications, networks, infrastructure, file servers, and more, all using a single set of credentials. As a cloud IdP, JumpCloud has reimagined AD + SSO for the modern era, providing practically all of the same capabilities and many others, all from a single cloud admin console.
JumpCloud leverages SAML, along with LDAP and RADIUS, to provide a True SSO experience, meaning IT organizations can use one comprehensive solution instead of a host of others. Beyond that, IT admins can also use JumpCloud to implement security policies, such as multi-factor authentication (MFA), password complexity, and more across their organization at scale.
Try JumpCloud Free
You can experience True SSO with SAML, LDAP, RADIUS, and more yourself, just by simply signing up for JumpCloud. Your JumpCloud account automatically includes ten users in the platform that you can leverage forever, and is absolutely free, no credit card required.
Want to dip a toe in before jumping right in? We also offer free, personalized demos of the platform to show you the ropes before you try JumpCloud for yourself. Please contact us if you would like to learn more.