Cyber Security Exam Prep : Identity and Access Management – Security Assertion Markup Language (SAML)

SAML: Key points to remember for exam

  1. SAML, short for Security Assertion Markup Language, is a widely used open standard for implementing Single Sign-On (SSO).
  2. SAML is used for identity federation by communicating identities between organizations, which eliminates the need to maintain a separate set of authentication credentials for each application.
  3. The SAML architecture comprises three major actors, namely the User Agent (or Principal), the Identity Provider (IdP) and the Service Provider (SP).
  4. It is based on XML, which is used for creating, requesting, and exchanging security assertions between the Identity Provider (IdP) and the Service Provider (SP).
  5. SAML can be used to achieve both user authentication and user authorization by exchanging security assertions between the Identity Provider (IdP) and the Service Provider (SP).
  6. The service provider's access control decision for a particular service is made on the basis of security assertions. The service provider requests and obtains an authentication assertion from the identity provider.
  7. In SAML there is a one-to-many relationship between IdP and SP. That is, one identity provider may provide SAML assertions to many service providers. Similarly, one SP may rely on and trust assertions from many independent IdPs.
  8. SAML 1.1 has no encryption capabilities. SAML 2.0 provides elements for encrypted name identifiers, encrypted attributes, and encrypted assertions using XML Encryption.

The benefits of SAML:

From a user perspective, it minimizes the number of logins a user has to perform across different platforms by reusing the same set of credentials. This also improves ease of use, as the user no longer needs to maintain different credentials for different platforms.

From a management perspective, it reduces administration overhead by eliminating the cost of maintaining the different credential sets that would otherwise be required.

A common use case is an organization taking corporate training services from an e-learning platform. SAML allows the user to access the external training portal with the same organization credentials that are needed to log in to the organization's own assets. Once logged in to the company network, the user is redirected transparently to the portal without any additional login step.

SAML works with assertions, each of which contains a packet of security information. Assertions contain statements that service providers use to make access-control decisions. The specification defines the assertions exchanged between the three parties, in particular the messages asserting identity that are passed from the IdP to the SP.

SAML assertions are used for communication between the identity provider and the service provider. The assertion statements contain the information that allows a service provider to make access-control decisions before granting access to any service.

<saml:Assertion ...>
   ..
</saml:Assertion>

(Source: Wikipedia)

Three types of statements are provided by SAML:

  • Authentication statements: confirm to the service provider that the user agent has validated his or her identity with the identity provider. If authentication succeeds, a SAML authentication statement is returned and used for further communication.
  • Attribute statements: associate the user agent with the supplied attributes (key-value pairs).
  • Authorization decision statements: identify what the user is entitled to do (for example, whether he or she is permitted to buy a specified item).
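Added example (not from the post or from Wikipedia): a minimal SP-side parser that pulls the three statement types out of a constructed SAML 2.0 assertion and applies the Conditions checks (issuer, audience, validity window) a service provider performs before acting on any of them. The entity IDs, subject and attribute values are invented, and XML signature verification is assumed to have already succeeded.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; the IdP/SP entity IDs, subject and attribute are invented.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://training.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T09:59:50Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="department"><saml:AttributeValue>Security</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://training.example.com/course/42" Decision="Permit"/>
</saml:Assertion>"""


def _ts(s):
    # SAML timestamps are UTC with a trailing "Z"; normalise so fromisoformat accepts them on any 3.x
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_assertion(xml_text):
    """Summarise the subject and the three statement types the SP acts on."""
    root = ET.fromstring(xml_text)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    authz = root.find("saml:AuthzDecisionStatement", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "authenticated": root.find("saml:AuthnStatement", NS) is not None,
        "attributes": attrs,
        "authz": (authz.get("Resource"), authz.get("Decision")) if authz is not None else None,
    }


def conditions_ok(xml_text, expected_issuer, expected_audience, now_iso):
    """SP-side checks on <Conditions> before any statement is trusted: issuer, audience, time window."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False
    # NotBefore is inclusive and NotOnOrAfter is exclusive, per the SAML core specification.
    return _ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter"))
```

In a real SP the XML signature is verified before any of these fields are read, and a hardened parser such as defusedxml is preferred over the standard library one.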

The SAML specification defines three roles:

  1. The user agent, which is typically the user looking to verify his or her identity.
  2. The identity provider (IdP), which maintains a directory of users and is capable of verifying the identity of the end user. A directory service such as RADIUS or Active Directory that allows users to log in with a user name and password is a typical source of authentication tokens at an identity provider.
  3. The service provider (SP), which is the entity looking to use the identity provider to verify the identity of the end user.

The figure below illustrates how the SAML communication happens between the three different roles specified above.

(Source: Wikipedia)

Sample Questions

  1. Which of the following is an XML-based format for exchanging authentication and authorization data between an identity provider and a service provider?
    • LDAP
    • Kerberos
    • SAML
    • OAuth
  2. You are the network technology expert in your organization and have been asked to recommend a solution for accessing services from external providers in an integrated manner without the need for additional credential sets. Which of the following technologies would you suggest?
    • RADIUS
    • SAML
    • RBAC
    • TACACS
