How does SAML2 work at a high level?
SAML 2.0 (Security Assertion Markup Language 2.0) is an XML-based standard for exchanging authentication and authorization data between parties, commonly used in Single Sign-On (SSO) scenarios.
SAML 2.0 is widely used for cross-domain SSO in various scenarios, such as enterprise applications, cloud services, and federated identity systems. It enables seamless and secure user access across different systems without requiring users to remember multiple sets of credentials.
Key Concepts:
- Assertion: A SAML assertion is an XML document containing information about the user, their authentication status, and attributes. It is typically signed by the IdP to ensure its integrity.
- IdP: Identity Provider (IdP) is responsible for authenticating users and issuing SAML assertions.
- Metadata: Both the IdP and SP exchange metadata that describes their capabilities, endpoints, and public keys. This metadata exchange helps establish trust between parties.
- SAML Protocol: SAML 2.0 defines several profiles for different use cases, such as Web Browser SSO, Single Logout, and Enhanced Client or Proxy (ECP) profiles. Each profile specifies how SAML assertions and other elements are exchanged between the IdP and SP.
- SP: Service Provider (SP) is the application or resource that the user is trying to access. It relies on the SAML assertion to determine whether the user should be granted access.
At a high level, SAML 2.0 operates as follows:
- User Requests Access: A user tries to access a protected resource or application called the Service Provider (SP).
- SP Sends Authentication Request: The SP generates an authentication request and sends it to an Identity Provider (IdP). The IdP is responsible for authenticating the user.
- User Authentication: The IdP challenges the user for credentials (e.g., username and password) or may use other authentication methods such as multi-factor authentication.
- IdP Issues SAML Assertion: Upon successful authentication, the IdP creates a SAML assertion. This assertion contains information about the user and their authentication status. It is digitally signed by the IdP to ensure its authenticity.
- SAML Response to SP: The IdP sends the SAML assertion back to the SP in a SAML response.
- SP Validates SAML Assertion: The SP validates the digital signature of the SAML assertion to ensure it comes from a trusted IdP. It may also check the expiration, issuer, and other attributes of the assertion.
- User Access Granted: If the SAML assertion is valid, the SP grants the user access to the requested resource or application without requiring them to log in again. This is the essence of Single Sign-On.
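The steps above describe the IdP signing an assertion and the SP validating it. The following Go program is an added example, not code from the original page or from Orchestrator, that walks through the SP's side of step 6: it verifies the signature with the IdP's public key before trusting anything in the XML, then checks the issuer, the audience (the SP's own entityID), the validity window with a clock-skew allowance, and rejects a replayed assertion ID. It simplifies one thing, and that is an assumption of this example: the IdP signs the raw bytes of the `<Assertion>` element with RSA/SHA-256, whereas real SAML uses XML Signature, which a proper SAML library handles. The key pair, entityIDs, and assertion values are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"fmt"
	"time"
)

// Assertion models only the fields the SP inspects in the checks below.
type Assertion struct {
	XMLName xml.Name `xml:"Assertion"`
	ID      string   `xml:"ID,attr"`
	Issuer  string   `xml:"Issuer"`
	Subject struct {
		NameID string `xml:"NameID"`
	} `xml:"Subject"`
	Conditions struct {
		NotBefore    string `xml:"NotBefore,attr"`
		NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
		Audience     string `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
}

// SignedAssertion is the simplified envelope assumed by this example: the IdP
// signs the exact bytes of the Assertion element (RSA PKCS#1 v1.5, SHA-256).
// Real SAML uses XML Signature with canonicalisation; use a library for that.
type SignedAssertion struct {
	AssertionXML []byte
	Signature    []byte
}

// SPConfig holds what the SP takes from the IdP's metadata (issuer entityID and
// signing key) plus the SP's own entityID, which is the Audience it expects.
type SPConfig struct {
	TrustedIssuer string
	IdPKey        *rsa.PublicKey
	EntityID      string
	ClockSkew     time.Duration
}

// BuildAssertion constructs a sample assertion (values are made up for the demo).
func BuildAssertion(id, issuer, nameID, audience string, notBefore, notOnOrAfter time.Time) []byte {
	return []byte(fmt.Sprintf(
		`<Assertion ID="%s"><Issuer>%s</Issuer><Subject><NameID>%s</NameID></Subject>`+
			`<Conditions NotBefore="%s" NotOnOrAfter="%s"><AudienceRestriction><Audience>%s</Audience></AudienceRestriction></Conditions></Assertion>`,
		id, issuer, nameID, notBefore.UTC().Format(time.RFC3339), notOnOrAfter.UTC().Format(time.RFC3339), audience))
}

// SignAssertion is the IdP side (step 4): sign the assertion bytes.
func SignAssertion(idpKey *rsa.PrivateKey, assertionXML []byte) (SignedAssertion, error) {
	digest := sha256.Sum256(assertionXML)
	sig, err := rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, digest[:])
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{AssertionXML: assertionXML, Signature: sig}, nil
}

// Validate is the SP side (step 6). Order matters: verify the signature before
// trusting anything in the XML, then issuer, audience, validity window, replay.
// seenIDs records assertion IDs already accepted so a captured assertion
// cannot be presented twice. It returns the authenticated NameID.
func (c SPConfig) Validate(sa SignedAssertion, seenIDs map[string]bool, now time.Time) (string, error) {
	digest := sha256.Sum256(sa.AssertionXML)
	if err := rsa.VerifyPKCS1v15(c.IdPKey, crypto.SHA256, digest[:], sa.Signature); err != nil {
		return "", fmt.Errorf("signature check failed: %w", err)
	}
	var a Assertion
	if err := xml.Unmarshal(sa.AssertionXML, &a); err != nil {
		return "", fmt.Errorf("malformed assertion: %w", err)
	}
	if a.Issuer != c.TrustedIssuer {
		return "", fmt.Errorf("untrusted issuer %q", a.Issuer)
	}
	if a.Conditions.Audience != c.EntityID {
		return "", fmt.Errorf("assertion is for audience %q, not this SP", a.Conditions.Audience)
	}
	notBefore, err := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	if err != nil {
		return "", fmt.Errorf("bad NotBefore: %w", err)
	}
	notOnOrAfter, err := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err != nil {
		return "", fmt.Errorf("bad NotOnOrAfter: %w", err)
	}
	if now.Add(c.ClockSkew).Before(notBefore) {
		return "", fmt.Errorf("assertion not yet valid")
	}
	if !now.Add(-c.ClockSkew).Before(notOnOrAfter) {
		return "", fmt.Errorf("assertion expired")
	}
	if a.ID == "" || seenIDs[a.ID] {
		return "", fmt.Errorf("assertion ID %q missing or already used (replay)", a.ID)
	}
	seenIDs[a.ID] = true
	return a.Subject.NameID, nil
}

func main() {
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the IdP's metadata key
	sp := SPConfig{TrustedIssuer: "https://idp.example.test", IdPKey: &idpKey.PublicKey,
		EntityID: "https://sp.example.test", ClockSkew: time.Minute}
	now := time.Now()
	signed, _ := SignAssertion(idpKey, BuildAssertion("_a1", sp.TrustedIssuer, "alice",
		sp.EntityID, now.Add(-time.Minute), now.Add(5*time.Minute)))
	seen := map[string]bool{}
	user, err := sp.Validate(signed, seen, now) // first presentation is accepted
	fmt.Println(user, err)
	_, err = sp.Validate(signed, seen, now) // same ID again is rejected as a replay
	fmt.Println(err)
}
```

The signature check runs first on purpose: every later check reads fields from the XML, and those fields are only meaningful once the SP knows the IdP produced them. The audience check is what stops an assertion issued for one SP from being accepted by another SP that trusts the same IdP, and the `seenIDs` set should live in shared storage (not process memory) when the SP runs more than one instance.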
Orchestrator can be connected to any identity provider (IdP) that uses the SAML 2.0 standard. Review the relevant integration documentation below.