Security Assertion Markup Language (SAML) is an XML-based markup language for exchanging authentication and authorization data between two parties: an Identity Provider and a Service Provider. One of the major use cases for SAML is Single Sign-On (SSO): once a user signs in to one system, they need not log in to another system by entering credentials again, provided both systems recognise the user and authorize access to the resource.
The Identity Provider (IDP) provides the authentication mechanism. It can be an LDAP server or a simple database that performs the authentication. SAML does not prescribe any method of authentication at the IDP; it can use a username and password or some other means of authenticating.
The Service Provider (SP) does the authorization based on the assertion. Before describing the job of the SP, it is important to describe what a SAML assertion is.
A SAML assertion is an XML document that is sent from the IDP to the SP after authentication. It contains a few major elements: the subject, the conditions, an authentication statement and an attribute statement.
- The Subject carries the NameID if the assertion is successful.
- The Conditions carry the validity window and the authorization (audience) restrictions.
- The Authentication statement carries the SAML authentication token, which signifies that the user has been authenticated by the IDP.
- The Attribute statement carries various other attributes of the Subject.
How does the SAML response get validated in the Service Provider?
The assertion works because of one important handshake between the SP and the IDP during the setup process. The SP generates metadata which has to be imported into the IDP first, and similarly the IDP metadata has to be referenced from the SP. Both metadata URLs can be seen in the SAML response. Without this handshake the IDP will not be able to generate the SAML response properly, and the SP will not be able to authenticate the SAML token.
The Service Provider processes the SAML token, retrieves the UserID from the SAML response and grants the necessary authorizations.
SAML orchestration between the browser, Service Provider and Identity Provider
You must have observed during SAML Single Sign-On that the browser flickers several times before the user is signed in. We will deep dive and see what happens behind the scenes and how the browser interacts with the service provider and the identity provider.
This use case is built with the Hybris Product Cockpit as the service provider and ForgeRock OpenAM as the IDP. I am not covering how it has been set up but, most importantly, the sequence of events that happens behind the scenes.
- The user tries to access one of the Hybris products, which is acting as the Service Provider.
- No credentials are found, hence the browser is redirected to the IDP login screen.
- The user provides credentials; the IDP sends back a tokenId and creates a security context for the user.
- The browser presents the token to the IDP to get the full login URL, and also makes a subsequent GET call to fetch the user information.
- On getting the complete user information, there is an SSO redirect to the IDP for the SAML assertion.
- The IDP sends the SAML response back to the browser, where it gets saved in a cookie. This response is placed in an auto-submit form.
- The auto-submit form POSTs the SAML response to the SP, and the SP starts decoding the SAML response by decrypting the UserID, then grants the corresponding authorization to the resource.
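The last two steps are the SAML HTTP-POST binding. As an added example (not code from the original article, Hybris or OpenAM), the block below builds the auto-submit form the IDP returns to the browser, then plays the SP's side of the POST: base64-decoding the SAMLResponse field, checking that the IDP reported success, that the Destination is this SP's assertion consumer URL and that the InResponseTo matches a request the SP actually issued, and finally pulling out the NameID that the SP uses to authorize the user. The Response XML, URLs and request IDs are constructed placeholders; the XML signature check that a real SP performs before trusting any of these fields is left to a SAML library.

```python
import base64
import html
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ACS_URL = "https://sp.example.com/saml/acs"  # placeholder SP assertion consumer URL

# Constructed sample Response (not real OpenAM output); IDs and URLs are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z"
    Destination="https://sp.example.com/saml/acs" InResponseTo="_req42">
  <saml:Issuer>https://idp.example.com/openam</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
    <saml:Issuer>https://idp.example.com/openam</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def encode_response(response_xml):
    """The POST binding carries the Response XML base64-encoded in one form field."""
    return base64.b64encode(response_xml.encode()).decode()


def build_autosubmit_form(response_xml, acs_url, relay_state=""):
    """IDP side: the HTML page whose form submits itself to the SP as soon as it loads."""
    return f"""<html><body onload="document.forms[0].submit()">
<form method="post" action="{html.escape(acs_url, quote=True)}">
<input type="hidden" name="SAMLResponse" value="{html.escape(encode_response(response_xml), quote=True)}"/>
<input type="hidden" name="RelayState" value="{html.escape(relay_state, quote=True)}"/>
<noscript><input type="submit" value="Continue"/></noscript>
</form></body></html>"""


def decode_posted_response(form_fields, expected_acs_url, pending_request_ids):
    """SP side: decode the POSTed SAMLResponse and perform the binding-level checks."""
    xml_text = base64.b64decode(form_fields["SAMLResponse"]).decode()
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != SUCCESS:
        raise ValueError(f"IDP reported failure: {status}")
    # A response addressed to another consumer URL must not be accepted here.
    if root.get("Destination") != expected_acs_url:
        raise ValueError("Destination does not match this SP's ACS URL")
    # Tie the response to an AuthnRequest this SP issued (rejects replayed/unsolicited ones).
    in_response_to = root.get("InResponseTo")
    if in_response_to and in_response_to not in pending_request_ids:
        raise ValueError("unsolicited or replayed response")
    name_id = root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("no NameID in assertion")
    return {"name_id": name_id, "relay_state": form_fields.get("RelayState", "")}


def roundtrip():
    """Build the form, simulate the browser submitting it, and decode it as the SP."""
    form_html = build_autosubmit_form(SAMPLE_RESPONSE, ACS_URL, "/productcockpit")
    fields = {}
    for name in ("SAMLResponse", "RelayState"):
        marker = f'name="{name}" value="'
        start = form_html.index(marker) + len(marker)
        fields[name] = html.unescape(form_html[start:form_html.index('"', start)])
    return decode_posted_response(fields, ACS_URL, {"_req42"})


if __name__ == "__main__":
    print(roundtrip())
```

The Destination and InResponseTo checks are what stop a response obtained for one SP, or an old response resubmitted later, from being accepted; the SP should remove a request ID from its pending set as soon as the matching response has been consumed.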
Hope this article helps in understanding SAML and how it works behind the scenes. Please leave your comments for any queries.