What is SAML

SAML is a protocol that defines some standard entities whose names get tossed around (SP for service provider, IdP for identity provider, etc.).

Generally, a user wants to use “something” (Gmail), so they type in the address of the service provider (gmail.com).
Each service provider has a security policy that it defines and controls; for something like Gmail it takes the form of “you must be identified to access this service”. If the SP receives a request for which identity has not yet been confirmed, it has to involve other parties, because it purely provides a service, not identification.
In SAML-based authentication, the service provider does not do the authentication/identification itself, but it must know ahead of time whom it is willing to trust to perform that task. Each service provider must have at least one identity provider (theoretically N, if it is configured that way) that it trusts to vouch for someone's identity.
IdPs generally use usernames and passwords (or username/password plus a two-factor code, à la Google accounts) to confirm who a user is, and then create a time-limited statement of identity confirmation (this is the SAML assertion), which must be digitally signed to prevent tampering.
The service provider receives the assertion and verifies that it came from a trusted IdP (this is why certificates have to be passed around and configured, which is a bit of a pain, but without them there is no way to validate who signed what). Assuming all is good and the user came back from the IdP with a valid assertion signed by the IdP's known certificate, the SP allows them access (this is the point at which HTML/JS/image/etc. resources typically start loading).
For the Gmail example: when you type in gmail.com and are not logged in, you get redirected to Google Accounts, where you provide your username, password and two-factor code; if you get it all right, you are sent back to the Gmail site. It is at this point that you see the initial Gmail ‘loading’ screen and then the full Gmail app comes up.
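As an added example (not code from the original post), here is the flow above reduced to Go: an IdP that signs a time-limited assertion, and an SP that accepts it only if it was signed by an IdP the SP was configured to trust, was issued for this SP, and is still within its validity window. It stands in for real SAML with a JSON payload and an Ed25519 signature instead of XML with XML-DSig and certificates; the entity IDs and user names are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Assertion is a simplified stand-in for a SAML assertion (real SAML uses XML plus XML-DSig).
type Assertion struct {
	Issuer       string    `json:"issuer"`          // entity ID of the IdP vouching for the user
	Subject      string    `json:"subject"`         // the identified user
	Audience     string    `json:"audience"`        // the SP the assertion was issued for
	NotBefore    time.Time `json:"not_before"`      // validity window: the assertion is time-limited
	NotOnOrAfter time.Time `json:"not_on_or_after"`
}
type SignedAssertion struct{ Payload, Signature []byte }
// NewIdPKey generates the IdP's signing key pair; the SP is configured with the public half.
func NewIdPKey() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(rand.Reader) }
// Issue is the IdP side: once the user is authenticated (out of scope here), it signs a
// time-limited statement that this user was identified, addressed to one SP.
func Issue(key ed25519.PrivateKey, issuer, user, audience string, now time.Time, ttl time.Duration) SignedAssertion {
	payload, _ := json.Marshal(Assertion{issuer, user, audience, now, now.Add(ttl)}) // cannot fail for this struct
	return SignedAssertion{payload, ed25519.Sign(key, payload)}
}

// SP knows ahead of time which IdPs it trusts: issuer entity ID -> public key (a certificate in real SAML).
type SP struct{ EntityID string; Trusted map[string][]byte }

// Verify returns the asserted user only if every check the post describes passes.
func (s *SP) Verify(sa SignedAssertion, now time.Time) (string, error) {
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return "", err
	}
	pub, ok := s.Trusted[a.Issuer] // pick the key by the claimed issuer, then make the signature prove it
	switch {
	case !ok:
		return "", errors.New("issuer is not a trusted IdP")
	case !ed25519.Verify(pub, sa.Payload, sa.Signature):
		return "", errors.New("signature does not verify with the IdP's key")
	case a.Audience != s.EntityID:
		return "", errors.New("assertion was issued for a different SP")
	case now.Before(a.NotBefore) || !now.Before(a.NotOnOrAfter):
		return "", errors.New("assertion is outside its validity window")
	}
	return a.Subject, nil
}
```

The order of checks matters: the SP looks up the key by the claimed issuer, and only a signature that verifies under that key proves the claim; the audience and validity-window checks then reject an assertion issued for another SP or presented after it expired.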