SAML helps organizations implement single-sign-on. End-users need a single username and password for system access. SAML simplifies management of network security
One of the first things most of us do when we arrive at work is sign-on to the corporate network. On the rare occasion that we have to sign on to a specific application, we’re irritated. Why is the separate sign-on necessary? The simple answer is SAML.
SAML stands for Security Assertion Markup Language. It is an open standard for sharing information across an enterprise for authentication and authorization of the end-user. It’s what lets you sign on once to access multiple applications. For SAML to work, all applications must communicate using the SAML specification. If an application cannot support SAML, the end-user will have to sign on separately.
A single-sign-on (SSO) environment has an identity provider where the user’s identity information is stored. When the end-user wants to use an application in the SSO environment, the application or service provider makes a request to the identity provider. The identity provider authenticates the end user’s identity and responds to the service provider’s request. The end-user is either granted or denied access.
A simplified SAML process for an end-user named Joel might flow like this:
All requests and responses must conform to the SAML protocols for exchanging information.
SAML centralizes the authorization process. It also externalizes authentication to a separate identity provider. The configuration provides several benefits for both the end-user and the organization.
With a SAML-enabled enterprise, administration and monitoring of user access are reduced. Using an identity provider with a higher level of authentication than other applications within the network increases security. Allowing end-users to sign-on with a single username and password minimizes the number of times individuals require assistance because of forgotten passwords or usernames. The ability to control user access from a single point enables an organization to de-activate end-users quickly.