Introduction to SAML

Buddhima Udaranga
3 min read · Mar 16, 2019


Every day we use different service providers for different applications: for blogs we use Medium, for documents we use Google Docs, and to watch a video we use YouTube. There are plenty of service providers on the internet offering different services, but one thing is common to all of them: you have to log in before continuing.


To log in to a service we usually use login credentials: a username and a password. What if we had separate credentials for each service provider? From a security point of view that is great, but for usability it creates lots of issues. You would have to remember and manage them all, or else reuse the same credentials everywhere. This is where the concept called Single Sign-On comes in.

When implementing Single Sign-On, the applications involved have to communicate in a trusted and secure way. This is where SAML (Security Assertion Markup Language) comes into play.

So let's get to know the entities that communicate using SAML.

  1. Identity Provider
  2. Service Provider

Identity Providers are capable of creating, managing and maintaining identity information. For example, Facebook is an identity provider. Service Providers are entities that provide web services; there are many examples, and Medium is one of them. These service providers do not keep identity information themselves. Instead, they trust an identity provider and receive identity information from it to authenticate the user. This information is passed using SAML, which uses XML documents for the purpose. These documents are called SAML assertions, and there are three types of them.

  1. Authentication
  2. Attribute
  3. Authorization decision

These assertions are used to prove the identity of the user, to carry information about the user, and to state whether the IdP accepted or denied the request.
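To make the IdP-to-SP handoff concrete, here is an added example (not from the original post) of a constructed SAML 2.0 assertion carrying an authentication statement and an attribute statement, together with the checks a service provider makes before trusting it; the issuer URL, SP entity ID, user and timestamps are all made up. XML signature verification is assumed to be done separately by a SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (entity IDs, user and times are made up):
# an AuthnStatement plus an AttributeStatement, as an IdP would issue to an SP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2019-03-16T10:00:00Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2019-03-16T09:59:00Z" NotOnOrAfter="2019-03-16T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2019-03-16T10:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>editor</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def utc(stamp):
    """Parse a SAML UTC timestamp such as 2019-03-16T10:00:00Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def validate_assertion(xml_text, trusted_issuer, my_entity_id, now):
    """Return (True, NameID) if the SP may trust this assertion, else (False, reason).
    Checks issuer, validity window, audience and presence of an AuthnStatement.
    XML-DSig verification is deliberately left out: verify the signature with a
    SAML library before any of these fields are trusted."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        return False, "untrusted issuer"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not (nb and noa) or not (utc(nb) <= now < utc(noa)):
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        return False, "assertion not intended for this SP"
    if root.find("saml:AuthnStatement", NS) is None:
        return False, "no authentication statement"
    return True, root.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

A rejected audience or expired window is the SP refusing an assertion that was never meant for it, which is exactly the trust boundary the IdP/SP split relies on.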

There are two sign-in flows in SAML.

Service Provider Initiated

Service Provider Initiated Flow

Identity Provider Initiated

Identity Provider Initiated Flow

There are a few differences between these two flows.

If you are interested in SAML and want to try it out, I recommend WSO2 Identity Server as the IdP. It also provides sample service providers so you can try out the flow.
