How does SAML work?
In the past, when you had several applications to log into, you had to remember a separate username and password for each one. This was hard on users, who had to remember or store all these credentials, and hard on the application service providers, who each had to maintain and protect their own user database.
SAML (Security Assertion Markup Language) was introduced so that one login could be reused across all these applications. A SAML workflow has three main components:
- The User -
This is almost always a human user who is trying to access a cloud-hosted application.
- The Identity Provider -
An identity provider (IdP) is a service, usually cloud-hosted, that stores user identities and verifies them, typically through a login process. Essentially, an IdP's role is to say, "I know this person, and here is what they are allowed to do." An SSO system may in fact be separate from the IdP, but in those cases the SSO system acts as a front for the IdP, so for the purposes of a SAML workflow they can be treated as the same thing.
- The Service Provider -
This is the cloud-hosted application or service the user wants to use. Common examples include cloud email platforms such as Gmail and Microsoft Office 365, cloud storage services such as Google Drive and AWS S3, and communications apps such as Slack and Skype. Ordinarily, a user would log in to these services directly; with SSO, the user logs in to the identity provider instead, and SAML carries the proof of that login to the service provider in place of a direct login.
A typical SAML login, started from the service provider's side, works like this:
- The user requests access to Zailab (the service provider).
- The service provider checks whether the user already has an authenticated session. If not, it redirects the user to the identity provider with a SAML authentication request.
- The identity provider authenticates the user against its user store (Active Directory, for example): it checks that the user exists and verifies their credentials, which may be a username and password or multi-factor authentication.
- Once the identity provider has authenticated the user, it creates an assertion, an XML document containing the user's identity and attributes, signs it, and sends it to the service provider (via the user's browser). The service provider verifies the signature and checks that the assertion was issued for it and is still within its validity window before granting access.
- Should the user want to use another service provider, the identity provider already has a session for the user and can issue a new assertion without asking them to log in again.
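The exchange above, as an added example that is not part of the original page: a service provider builds an authentication request, the identity provider answers with a Response carrying an Assertion, and the service provider performs the checks it must do before trusting that assertion (issuer, InResponseTo, Destination, audience, validity window). The entity IDs, endpoint URLs and user name are hypothetical, and the example uses only the Python standard library, so the XML signature that a real IdP attaches and a real SP must verify (with an XML-DSig library such as xmlsec) is deliberately omitted; every other check shown is one a real SP performs.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# SAML 2.0 namespaces for assertions and protocol messages.
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}

# Hypothetical entity IDs and endpoints, chosen for this example.
IDP_ENTITY_ID = "https://idp.example.com/metadata"
SP_ENTITY_ID = "https://zailab.example.com/saml/metadata"
SP_ACS_URL = "https://zailab.example.com/saml/acs"   # Assertion Consumer Service


def fmt(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(now):
    """Step 2 (SP): build an AuthnRequest and return its ID, which the SP keeps
    in the user's session so the IdP's answer can be tied back to it."""
    req_id = "_" + uuid.uuid4().hex
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0", "IssueInstant": fmt(now),
        "AssertionConsumerServiceURL": SP_ACS_URL})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return req_id, ET.tostring(root)


def build_response(user, in_response_to, now):
    """Steps 3-4 (IdP): after authenticating the user, issue a Response that
    carries an Assertion scoped to this SP and this request. Signature omitted."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": fmt(now),
        "InResponseTo": in_response_to, "Destination": SP_ACS_URL})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": fmt(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = user
    sc = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation",
                       {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(sc, f"{{{SAML}}}SubjectConfirmationData", {
        "InResponseTo": in_response_to, "Recipient": SP_ACS_URL,
        "NotOnOrAfter": fmt(now + timedelta(minutes=5))})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": fmt(now - timedelta(minutes=1)),
        "NotOnOrAfter": fmt(now + timedelta(minutes=5))})
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = SP_ENTITY_ID
    return base64.b64encode(ET.tostring(resp))   # SAMLResponse form field value


def validate_response(b64_response, expected_request_id, now):
    """Step 4 (SP): checks to perform before trusting the assertion.
    Returns the NameID on success, raises ValueError otherwise."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a SAML Response")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the pending request")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not this SP's ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion issued by an unknown IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not intended for this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL \
            or scd.get("InResponseTo") != expected_request_id:
        raise ValueError("SubjectConfirmationData does not match this SP/request")
    if now >= parse_time(scd.get("NotOnOrAfter")):
        raise ValueError("subject confirmation expired")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)


def demo():
    """Run the flow end to end; also show the same response being rejected when
    replayed against a different request and when presented after it expired."""
    now = datetime.now(timezone.utc).replace(microsecond=0)
    req_id, _ = build_authn_request(now)
    resp = build_response("alice@example.com", req_id, now)
    name = validate_response(resp, req_id, now)
    try:
        validate_response(resp, "_some_other_request", now)
        replay = "accepted"
    except ValueError as e:
        replay = str(e)
    try:
        validate_response(resp, req_id, now + timedelta(minutes=10))
        stale = "accepted"
    except ValueError as e:
        stale = str(e)
    return name, replay, stale


if __name__ == "__main__":
    print(demo())
```

The InResponseTo and validity-window checks are the ones most often skipped in hand-rolled SP code; without them a captured SAMLResponse can be replayed, and without the audience check an assertion issued for one SP can be presented to another.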