Organizations are often unfamiliar with what SAML is, and even less sure of how it works.
Security Assertion Markup Language (SAML) is a protocol for authenticating users to third-party web apps: the user's browser is redirected to a company login page and, after successful authentication there, redirected back to the third-party web app, which then grants the user access.
The single most important use case that SAML addresses is web browser Single Sign-On (SSO). SSO is relatively easy to accomplish within a security domain (using cookies, for example) but extending SSO across security domains is more difficult and resulted in the proliferation of non-interoperable proprietary technologies.
This standardized SSO implementation allows seamless authentication across businesses and enterprises: SAML lets federated apps and organizations communicate with one another and trust one another's users.
SAML: What is it?
The SAML specification defines three roles:
- The Principal
- The Identity Provider
- The Service Provider
Primarily, the principal requests a service from the service provider. The service provider requests and obtains an authentication assertion from the identity provider. On the basis of this assertion, the service provider can make an access control decision, that is, it can decide whether to perform the service for the connected principal.
The identity provider may request some information from the principal, such as a user name and password, in order to authenticate it. SAML specifies the content of the assertion that is passed from the identity provider to the service provider.
SAML is most frequently the underlying protocol that makes web-based SSO possible. A company maintains a single login page, with an identity store and various authentication rules behind it, and can easily configure any web app that supports SAML, allowing its users to log in to all web apps from the same login screen with a single password. It also has the security benefit of neither forcing users to maintain (and potentially reuse) passwords for every web app they need access to, nor exposing passwords to those web apps.
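The access control decision described above hinges on checks the service provider makes on the assertion it receives. As an added example (not code from the original article), the following Python function performs those checks using only the standard library; the entity IDs, ACS URL, request ID and the SAML Response itself are constructed values, and verification of the XML signature is assumed to have been done beforehand by an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical service-provider configuration (constructed values, not a real deployment).
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
SP_ACS_URL = "https://app.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/saml"
CLOCK_SKEW = timedelta(minutes=2)  # tolerance for clock drift between IdP and SP

def _ts(value):  # SAML timestamps are ISO 8601 in UTC with a trailing 'Z'
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text, outstanding_ids, now):
    """Return the asserted NameID, or raise ValueError saying why the SP must refuse.
    Assumes the assertion's XML signature was already verified by an XML-DSig library."""
    resp = ET.fromstring(xml_text)
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    if resp.get("Destination") != SP_ACS_URL:
        raise ValueError("response was addressed to a different ACS URL")
    req_id = resp.get("InResponseTo")
    if req_id not in outstanding_ids:
        raise ValueError("unsolicited or replayed response")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("no assertion from the trusted IdP")
    cond = assertion.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) - CLOCK_SKEW <= now < _ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise ValueError("assertion outside its validity window")
    if SP_ENTITY_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion was issued for another service provider")
    outstanding_ids.discard(req_id)  # one AuthnRequest ID accepts exactly one response
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

# Constructed SAML Response (signature omitted) and a constructed "current time" inside its validity window.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
  InResponseTo="_req42" Destination="{SP_ACS_URL}" IssueInstant="2024-01-01T12:00:00Z">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:58:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

The set of outstanding request IDs is the SP's own session state from the AuthnRequests it issued; consuming an ID on success is what stops the same response from being presented twice.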
Single sign-on is a property of access control: an authentication process that allows a user to access multiple applications with one set of login credentials.
With this property, a user logs in with a single ID and password to gain access to a connected system or systems. This is commonly accomplished using the Lightweight Directory Access Protocol (LDAP) and LDAP databases stored on (directory) servers.
With SSO, a user logs in once and gains access to different applications without re-entering login credentials at each one. With one security token (a username and password pair), you can enable and disable user access to multiple systems, platforms, apps and other resources, reducing the risk of lost, forgotten or weak passwords.
Implemented correctly, SSO can be great for productivity, IT monitoring and management, and security control. When it comes to providing the most simple, secure experience across all channels, single sign-on goes a long way toward reducing frustration while also decreasing the chance of a security breach.
The biggest advantage of SSO is arguably the scalability it provides. Automated credentials management means that the sysadmin is no longer required to manually take care of all the employees’ access to the services they want. This in turn reduces the human error factor and frees up IT time to focus on more important tasks.
Two-factor authentication (2FA) is a method of confirming a user's claimed identity by combining something they know (a password) with a second factor of a different kind: something they have or something they are. Access is granted only after successfully presenting two or more pieces of evidence (factors) to an authentication mechanism, drawn from the categories knowledge, possession and inherence.
A good example of 2FA is withdrawing money from an ATM: only the correct combination of a bank card (possession) and a PIN (knowledge) allows the transaction to be carried out.
Two other examples are supplementing a user-controlled password with a one-time password (OTP), or with a code generated or received by a device (e.g. a security token or smartphone) that only the user possesses.
Benefits of SAML
- Platform neutrality: SAML abstracts the security framework away from platform architectures and particular vendor implementations. Making security more independent of application logic is an important tenet of Service-Oriented Architecture.
- Loose coupling of directories: SAML does not require user information to be maintained and synchronized between directories.
- Improved online experience for end users: SAML enables SSO by allowing users to authenticate at an identity provider and then access service providers without additional authentication. In addition, identity federation (linking of multiple identities) with SAML allows for a better-customized user experience at each service while promoting privacy.
- Reduced administrative costs for service providers: Using SAML to ‘reuse’ a single act of authentication (such as logging in with a username and password) multiple times across multiple services can reduce the cost of maintaining account information. This burden is transferred to the identity provider.
- Risk transference: SAML can act to push responsibility for proper management of identities to the identity provider, which is more often compatible with its business model than that of a service provider.
Benefits of using single sign-on include:
- Mitigate risk for access to third-party sites (user passwords are not stored or managed externally)
- Reduce password fatigue from different username and password combinations
- Reduce time spent re-entering passwords for the same identity
- Reduce IT costs due to a lower number of IT help desk calls about passwords
- SSO shares centralized authentication servers that all other applications and systems use for authentication purposes, and combines this with techniques to ensure that users do not have to actively enter their credentials more than once