Monday, June 26, 2023

SAML

SAML (Security Assertion Markup Language)

  • Centralizes user management and provides access to SaaS solutions.

Identity: stored in an LDAP directory or Microsoft AD

Authentication: SAML IDP / ADFS

Authorization: controlled by the application, which can use LDAP groups

Entities:

  • SAML Service Provider (example: an application such as Pega)
  • SAML Identity Provider (example: ADFS)

User Agent (Browser): critical in this flow, since the redirects between SP and IDP pass through it.

Setting up trust between SP and IDP:

The SAML response is encrypted and is also signed by the IDP. To decrypt it and validate the signature, the SAML Service Provider needs the certificate of the SAML IDP; in the same way, the SAML IDP needs the certificate of the SAML SP. This mutual exchange of certificates is what is called trust.

The SAML IDP and SAML SP need to know each other's information, which requires an exchange of SAML metadata. SAML metadata is an XML file containing the certificates that need to be exchanged.

The SAML response contains the SAML token, and the token contains the claims. Claims are attributes of the user such as first name, last name, email and groups. The SAML claims and SAML token are encrypted for security reasons.

What is SAML assertion?

It is an XML document that the IDP sends to the SP containing the user's authentication and authorization status.

Process Flow:

1. The user tries to log in to the application URL in the browser.

2. The application generates a SAML request.

3. The application returns an HTTP redirect to the browser, and the browser forwards the SAML request to the IDP SSO URL.

4. The IDP parses the SAML request and authenticates the user.

5. The IDP generates a SAML response and sends the encoded response to the browser.

6. The browser forwards the SAML response to the ACS URL of the application (SP).

7. The Assertion Consumer Service verifies the SAML response.

8. The user is logged into the application.
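As an added example (not from the original post), the kind of checks an SP's Assertion Consumer Service makes in step 7 after the IDP's XML signature has been verified with the certificate from the IDP metadata: Destination, InResponseTo, Issuer, validity window and Audience, followed by extraction of the claims. The entity IDs, ACS URL and sample response are constructed placeholders.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical entity IDs and ACS URL; real values come from the exchanged SAML metadata.
SP_ENTITY = "https://sp.example.test/metadata"
IDP_ENTITY = "https://idp.example.test/adfs/services/trust"
ACS_URL = "https://sp.example.test/acs"

def _ts(s):
    # SAML timestamps are UTC ISO 8601 ending in "Z"; older fromisoformat wants "+00:00".
    return dt.datetime.fromisoformat(s.replace("Z", "+00:00"))

def acs_checks(response_xml, expected_request_id, now_utc):
    """Step 7 checks, run only after the IDP's XML signature over the response/assertion
    has been verified with the IDP certificate. Returns (ok, reason, claims)."""
    resp = ET.fromstring(response_xml)
    if resp.get("Destination") != ACS_URL:
        return False, "Destination is not our ACS URL", {}
    if resp.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match an outstanding request", {}
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY:
        return False, "Issuer is not the trusted IDP", {}
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= _ts(now_utc) < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window", {}
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY:
        return False, "Audience is not this SP", {}
    # Claims (user attributes) live in the AttributeStatement.
    claims = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
              for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return True, "ok", claims

# Constructed sample response (unsigned; it only exercises the checks above).
SAMPLE_RESPONSE = f'''<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"
 ID="_r1" InResponseTo="_req1" Destination="{ACS_URL}" IssueInstant="2023-06-26T10:00:05Z">
 <saml:Assertion ID="_a1" IssueInstant="2023-06-26T10:00:05Z">
  <saml:Issuer>{IDP_ENTITY}</saml:Issuer>
  <saml:Conditions NotBefore="2023-06-26T10:00:00Z" NotOnOrAfter="2023-06-26T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>jane@example.test</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="groups"><saml:AttributeValue>pega-admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>'''
```

Calling `acs_checks(SAMPLE_RESPONSE, "_req1", "2023-06-26T10:01:00Z")` accepts the response and returns the email and groups claims; a mismatched request ID or a time outside the Conditions window is rejected with the reason string.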

