SAML-enabled Enterprises Increase Network Security with SSO
SAML helps organizations implement single sign-on: end-users need only a single username and password for system access, and SAML simplifies the management of network security.
One of the first things most of us do when we arrive at work is sign on to the corporate network. On the rare occasion that we have to sign on to a specific application separately, we’re irritated. Why is the separate sign-on necessary? The simple answer is SAML, or rather the lack of it.
What is SAML?
SAML stands for Security Assertion Markup Language. It is an open standard for exchanging authentication and authorization information about an end-user across an enterprise. It’s what lets you sign on once to access multiple applications. For SAML to work, all applications must communicate using the SAML specification. If an application cannot support SAML, the end-user will have to sign on to it separately.
How Does SAML Work?
A single sign-on (SSO) environment has an identity provider where the user’s identity information is stored. When the end-user wants to use an application in the SSO environment, the application (the service provider) makes a request to the identity provider. The identity provider authenticates the end-user’s identity and responds to the service provider’s request. The end-user is either granted or denied access.
A simplified SAML process for an end-user named Joel might flow like this:
- Joel tries to sign on to his work computer. His sign-on initiates a request to the company’s identity provider (the SSO provider), asking for authentication.
- The SSO provider authenticates Joel’s identity and grants him access to the network.
- Joel launches his email program. His request initiates an exchange with the email application, referred to as the service provider.
- The service provider is configured to authenticate using SSO, so the application asks the identity provider for authentication of Joel.
- The identity provider responds to the service provider with a digitally signed response that identifies Joel.
- The SAML-formatted response either authenticates and authorizes Joel for the email application or denies access.
- The service provider validates the identity provider’s response and either grants or denies access to the email application.
- Joel accesses his email via the service provider’s application, based on the identity provider’s response.
All requests and responses must conform to the SAML protocols for exchanging information.
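The service provider’s validation step in the flow above, as an added example that is not part of the original article: stdlib-only Python that checks the parts of a SAML 2.0 Response the text mentions (a signed assertion, the matching request, issuer, audience and validity window) against a constructed sample response for Joel. The issuer and audience URLs, the request ID and the placeholder Signature element are all constructed, and cryptographic verification of the XML signature is left to an XML-DSig library.

```python
"""Service-provider-side checks on a SAML 2.0 Response (added example, stdlib only)."""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def parse_saml_time(value):  # SAML timestamps are UTC ISO 8601 with a trailing 'Z'
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text, expected_issuer, expected_audience, request_id, now):
    """Return (True, NameID) if the response is acceptable, else (False, reason)."""
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != request_id:  # must answer the AuthnRequest WE sent
        return False, "InResponseTo does not match our request"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "IdP did not report Success"
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # never just take 'the first one'
        return False, "expected exactly one Assertion"
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "unexpected Issuer"
    # Structural check only; the XML-DSig must still be verified with an XML-DSig library (e.g. xmlsec).
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        return False, "assertion unsigned, or signature does not cover this assertion"
    cond = a.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if na is None or (nb and now < parse_saml_time(nb)) or now >= parse_saml_time(na):
        return False, "assertion is outside its validity window"
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != expected_audience:
        return False, "Audience is not this service provider"
    return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS)

# Constructed sample response for Joel; the Signature element is a structural stand-in.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" InResponseTo="_req42" IssueInstant="2024-05-01T12:00:00Z">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID>joel@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://mail.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
```

In a real service provider, `now` is `datetime.now(timezone.utc)` and the signature check runs before any of these fields are read from the assertion.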
Why Use SAML?
SAML centralizes the authorization process. It also externalizes authentication to a separate identity provider. The configuration provides several benefits for both the end-user and the organization.
- SAML provides a standard for deploying internet-based single sign-on.
- SAML raises the level of access security. An identity provider can enforce strong authentication, such as Two-Factor Authentication, even if the individual applications do not support it themselves.
- SAML simplifies the sign-on process for the end-user, who only has to remember a single user name and password.
- SAML offers a single point for deactivation by centralizing access rights.
- SAML enables the identity provider to audit access across SAML-enabled applications.
With a SAML-enabled enterprise, administration and monitoring of user access take less effort. Using an identity provider with a higher level of authentication than the other applications within the network increases security. Allowing end-users to sign on with a single username and password minimizes the number of times individuals need assistance because of forgotten passwords or usernames. The ability to control user access from a single point enables an organization to deactivate end-users quickly.