Wednesday, March 19, 2014

Introduction to SAML

Recently, I have a chance to work on a SSO system using SAML standard. Here are some good resources to get started with SAML:

  • The SAML use case, SAML Web Browser SSO:  this is the workflow of authenticating a user via a SSO system using SAML data format.

  • Here is a visual explanation of SAML by Ping Identity:

  • This is another video about SAML by Paul Moore, Centrify CTO and co-founder:

  • And to differentiate between OpenID and SAML (from StackOverflow):

They are two different protocols of authentication and they differ at the technical level.

From a distance, differences start when users initiate the authentication. With OpenID, a user login is usually an HTTP address of the resource which is responsible for the authentication. On the other hand, SAML is based on an explicit trust between your site and the identity provider so it's rather uncommon to accept credentials from an unknown site.

OpenID identities are easy to get around the net. As a developer you could then just accept users coming from very different OpenID providers. On the other hand, a SAML provider usually has to be coded in advance and you federate your application with only selected identity providers. It is possible to narrow the list of accepted OpenID identity providers but I think this would be against the general OpenID concept.

With OpenID you accept identities coming from arbitrary servers. Someone claims to be How you are going to match this with a user in your database? Somehow, for example by storing this information with a new account and recognizing this when user visits your site again. Note that any other information about the user (including his name or email) cannot be trusted!

On the other hand, if there's an explicit trust between your application and the SAML Id Provider, you can get full information about the user including the name and email and this information can be trusted, just because of the trust relation. It means that you tend to believe that the Id Provider somehow validated all the information and you can trust it at the application level. If users come with SAML tokens issued by an unknown provider, your application just refuses the authentication.