## Description

Security Assertion Markup Language (SAML) is an open standard used for exchanging authentication and authorization data between parties, particularly between an identity provider (IdP) and a service provider (SP). It is primarily used to enable Single Sign-On (SSO) capabilities, allowing users to authenticate once and gain access to multiple applications without needing to log in again.

## Key Components of SAML

1. **SAML Assertions**: These are XML documents that contain statements about a user's identity and authentication status. There are three types of assertions:
   - **Authentication Assertion**: Confirms that a user has been authenticated, including the time and method of authentication.
   - **Attribute Assertion**: Provides additional information about the user, such as their roles or other attributes.
   - **Authorization Decision Assertion**: Indicates whether a user is permitted to access a specific resource.

2. **SAML Protocols**: These define how SAML messages are requested and transmitted. Key protocols include:
   - **Authentication Request Protocol**: Used by SPs to request authentication assertions from IdPs.
   - **Single Logout Protocol**: Allows users to log out from all services simultaneously.
   - **Assertion Query and Request Protocol**: Enables requests for specific assertions.

3. **SAML Bindings**: These specify how SAML messages are transported over various protocols, such as HTTP or SOAP. Common bindings include:
   - **HTTP Redirect Binding**: For sending SAML messages via HTTP redirects.
   - **HTTP POST Binding**: For sending assertions through HTML forms.

4. **Profiles**: SAML profiles define how assertions, protocols, and bindings work together for specific use cases, ensuring interoperability across different implementations.

## How SAML Works

When a user attempts to access a service provider, the following steps typically occur:

1. The service provider sends an authentication request to the identity provider.
2. The identity provider authenticates the user (e.g., via username and password).
3. Upon successful authentication, the IdP generates a SAML assertion and sends it back to the SP.
4. The service provider uses the assertion to grant access to the user.

This process allows for seamless access across multiple services with a single login, enhancing user experience while maintaining security standards.

## Benefits of SAML

- **Improved User Experience**: Users can log in once and access multiple applications without repeated logins.
- **Centralized Authentication Management**: Reduces administrative overhead by centralizing user credentials at the IdP.
- **Enhanced Security**: Reduces the risk of credential theft by minimizing the number of times credentials are transmitted across networks.
- **Interoperability**: As an open standard, SAML facilitates integration between different systems and platforms.
SAML is widely used in enterprise environments for federated identity management, particularly in scenarios involving cloud services and B2B applications.