SAML Authentication
What is SAML Authentication?
Security Assertion Markup Language (SAML) is a standard method for telling external apps and services that a user is who they claim to be. SAML makes single sign-on (SSO) possible: it authenticates the user once and communicates that authentication to multiple other apps. The latest version of SAML is SAML 2.0.
Let us understand with a simple example. You have just joined a new company, ABC. The company has given you a work email address and access to a dashboard. When you sign in to this dashboard with your credentials, you see icons for all the external services the company uses: Google Apps, AWS, Salesforce, Azure Office 365, Jira, and more.
You just click on the AWS icon, and you are signed into AWS without ever entering any credentials. Wow, magic!
This is where SAML comes into action: users do not have to authenticate themselves every time.
SAML is an XML-based open standard for transferring identity data between an identity provider (IdP) and a service provider (SP).
Identity Provider — Provides authentication and passes the user’s identity and authorization level to the service provider.
Service Provider — Trusts the identity provider and authorizes the given user to access the requested resource.
In the above example, the identity provider would be the IdP that company ABC uses, i.e. WebADM from RCDevs. The service provider would be AWS.
SAML Authentication Workflow
Let us dive into the technical details of how SAML works. For authentication with the SAML protocol, the user generally goes through the following steps:
1) The user, through a web browser, requests access to the secured application (the SP).
2) The service provider redirects the browser to a specific identity provider (registered with the service provider) with a SAML authentication request.
3) The browser delivers the authentication request to the registered identity provider. The IdP validates the SAML request and presents the user/browser with a login form.
4) Upon a successful credential check (authentication), the identity provider generates an XML-based assertion verifying the user's identity and relays it to the browser.
5) The browser passes the XML assertion to the service provider, which sets up session cookies in the browser.
6) The user/browser now has access, as it is authenticated.
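As an added example (not part of the original article and not RCDevs' code), here are the checks a service provider performs in step 5 before it trusts the assertion and creates a session. The entity IDs, ACS URL and the response XML are constructed placeholders, and the XML signature check that must come first (against the IdP certificate from its metadata) is assumed to have been done already.

```python
# Added example, not code from the article or from RCDevs: the checks a service
# provider runs on the SAML Response the browser posts back in step 5.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# SP-side configuration: hypothetical placeholder values.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
TRUSTED_IDP = "https://idp.example.com/saml/metadata"  # entityID from IdP metadata

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, outstanding_ids, now):
    """Return (ok, reason, name_id). Assumes the XML-DSig signature has already
    been verified against the IdP certificate published in its metadata."""
    root = ET.fromstring(xml_text)
    req_id = root.get("InResponseTo")
    if req_id not in outstanding_ids:            # correlate with our AuthnRequest
        return False, "unsolicited or replayed response", None
    if root.get("Destination") != SP_ACS_URL:    # addressed to our ACS endpoint
        return False, "response not addressed to our ACS", None
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        return False, "assertion not issued by trusted IdP", None
    cond = a.find("saml:Conditions", NS)
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        return False, "assertion outside validity window", None
    aud = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != SP_ENTITY_ID:                      # assertion minted for another SP
        return False, "assertion meant for another SP", None
    outstanding_ids.discard(req_id)              # request ID is single-use
    return True, "ok", a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def sample_response(in_response_to, audience=SP_ENTITY_ID):
    """Constructed, unsigned sample of what the IdP would return in step 4."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" InResponseTo="{in_response_to}" Destination="{SP_ACS_URL}">
  <saml:Assertion ID="_a1">
    <saml:Issuer>{TRUSTED_IDP}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@abc.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Calling `validate_response` twice with the same request ID shows why the SP keeps the set of outstanding IDs: the second attempt is rejected as a replay.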
5 Benefits of SAML Single Sign-On (SSO) in the Enterprise
1) Platform Neutral
The SAML standard is designed to interoperate with any system, independent of implementation. It abstracts the security framework away from the platform architecture and from any vendor-specific approach, allowing a more open approach to architecture and identity federation.
2) Better Security
SAML provides a single point of authentication, which takes place at the identity provider. Credentials are only sent to the IdP, to which the Service Provider redirects the user directly.
3) Enhanced User Experience
Users only need to sign in once to get access to several service providers. This makes authentication much faster and removes the need to remember separate login credentials for every application. In the scenario above, the user could have clicked any of the icons in the dashboard and been logged in immediately without entering additional credentials.
4) Reduced Costs for Service Providers
With SAML, you don’t have to maintain account information across multiple services. The identity provider bears this burden.
5) Loose Coupling of Directories
SAML does not need user data to be maintained and synchronized between directories.
SAML Authentication with RCDevs Security Solution
When it comes to implementing SAML, RCDevs’ WebADM acts as the Identity Provider (IdP), working with different Service Providers (SPs) together with OpenOTP for the authentication process.
Download and configure WebADM for free.
Installing the SAML IdP is straightforward: it only consists of running the self-installer and configuring the application in WebADM.
First, the SAML clients (Service Providers) need to know about the SAML IdP endpoints. Most clients accept auto-configuration from an XML-based metadata URL.
The client (SP) configuration typically needs the following IdP details:
- The SAML entityID of the IdP.
- The SAML server certificate.
- The SingleSignOnService URL.
- The SingleLogoutService URL.
The following image shows a list of the service providers RCDevs supports. This is not an exhaustive list: all applications supporting SAML 2 authentication are supported by the RCDevs IdP. You also have the option of configuring a custom service provider in the dashboard.
As an example, let us configure WebADM to manage authentication with Amazon Web Services (AWS); you can follow along with any SP of your choice.
SAML Authentication on AWS
In the AWS console, we add WebADM as the IdP.
Then we create roles and select our SAML provider.
We select a permission policy and add names to create roles.
Once this is done, we need to activate IdP-initiated authentication for AWS.
Configure WebADM IdP for AWS
We open the configuration in the WebADM GUI and enable the Application SSO and AmazonWS.
We select the test user and click on WebADM settings. We select OpenID, add AWS Role Names and Apply. We can also add the AWS role to LDAP group(s) in order to allow users belonging to specific group(s) to access the AWS role.
Testing
To test, open the web application and log in with the user:
Select Application SSO and click on Amazon AWS.
That’s it, we are now connected to AWS.
Compared to other SAML implementations, RCDevs’ SSO solution is very easy to implement: provided that you already have a working WebADM server with OpenOTP and/or TiQR, the setup just consists of adding the OpenID/SAML WebApp in WebADM.
Check RCDevs’ documentation for more details.
More RCDevs’ SAML Configuration:
SP- initiated SAML Authentication
SAML Authentication for Apache Guacamole
SAML Authentication for GitLab