Improved user experience: Users only need to log in once to access multiple service providers. Authentication becomes more efficient, and users are no longer expected to remember a separate set of credentials for every application.
Increased security: SAML provides a single point of authentication at a trusted identity provider, which then passes identity information to the service providers in a signed assertion. Because the user's credentials are only ever entered at the IdP, no individual service provider has to handle or store a password.
Loose Coupling of Directories: SAML authentication doesn’t require user information to be maintained and synchronized between directories.
Reduced Costs for Service Providers: With SAML authentication, the service provider does not have to maintain credentials and account information for each user. The identity provider bears this burden.
A typical SAML authentication process involves these three parties:
Principal/Subject: Almost always the human user who wants to access the cloud-hosted application.
Identity Provider: A software service that stores and confirms user identity, usually through a login process. An IdP's role is to say, "I recognize this person, and this is what they're allowed to do." In practice the IdP vouches for who the user is and passes along attributes such as group membership or roles; the service provider still decides what those attributes permit. An SSO system may be separate from the IdP, in which case the SSO system acts as a front end for the IdP.
Service Provider: The application or service the user wants to use. Common examples of cloud services are email platforms such as Gmail and Microsoft Office 365, cloud storage services such as Google Drive and AWS S3, and communication apps such as Slack and Skype. Normally a user would log in to each of these services individually and directly; when SSO and SAML are used, a single login at the IdP gives the user access to all of them.
This is what a typical SAML flow might look like:
If the principal (user) is not already logged in, the identity provider prompts the user to log in before it issues a SAML assertion.
Single sign-on (SSO) lets users authenticate once and then use multiple applications and services without logging in to each one separately. Users do not need to prove their identity to every single service they use.
For SSO to work, the system must be able to tell each external application that the user has already been authenticated, and that is where SAML comes into play.
A SAML assertion tells a service provider that a user is signed in. It is an XML message that contains everything the service provider needs to confirm the user's identity: the source of the assertion (the Issuer), the time it was issued (IssueInstant), and the conditions under which it is valid (a NotBefore/NotOnOrAfter validity window and an AudienceRestriction naming the service provider it is intended for). The service provider must verify the IdP's signature over the assertion and check each of these fields before accepting it; an assertion that is unsigned, expired, or addressed to a different service provider must be rejected.
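The following Python example, added here and not part of the original article or any SAML product, shows both sides of that exchange: an IdP builds a minimal SAML 2.0 assertion carrying the Issuer, IssueInstant, Subject and Conditions fields described above, and an SP checks each field before trusting the subject. The entity IDs, user name, timestamps and assertion ID are constructed for illustration. The XML signature that a real SP must verify first is deliberately left out; in practice that step is done with a library such as xmlsec or python3-saml, and untrusted XML should be parsed with defusedxml rather than the standard-library parser used here.

```python
"""Constructed example: an IdP issues a SAML 2.0 assertion and an SP checks
the fields the text names before trusting it. Not production code: the XML
signature that a real SP must verify first is deliberately left out."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
ET.register_namespace("saml", SAML_NS)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _fmt(dt):
    """SAML timestamps are UTC xs:dateTime values."""
    return dt.astimezone(timezone.utc).strftime(TIME_FMT)


def _parse(s):
    return None if s is None else datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def build_assertion(issuer, name_id, audience, issued_at, lifetime_s=300):
    """IdP side: build an (unsigned) assertion with Issuer, IssueInstant,
    Subject and Conditions. A real IdP signs this with its private key."""
    S = "{%s}" % SAML_NS
    root = ET.Element(S + "Assertion", {
        "ID": "_id-constructed-example",  # assumed value; normally a random ID
        "Version": "2.0",
        "IssueInstant": _fmt(issued_at),
    })
    ET.SubElement(root, S + "Issuer").text = issuer
    subject = ET.SubElement(root, S + "Subject")
    ET.SubElement(subject, S + "NameID").text = name_id
    cond = ET.SubElement(root, S + "Conditions", {
        "NotBefore": _fmt(issued_at),
        "NotOnOrAfter": _fmt(issued_at + timedelta(seconds=lifetime_s)),
    })
    restriction = ET.SubElement(cond, S + "AudienceRestriction")
    ET.SubElement(restriction, S + "Audience").text = audience
    return ET.tostring(root)


def validate_assertion(xml_bytes, trusted_issuer, my_entity_id, now, skew_s=60):
    """SP side: return (ok, reason, name_id). Signature verification belongs
    before this call; it is omitted here for brevity."""
    skew = timedelta(seconds=skew_s)
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Assertion" % SAML_NS:
        return (False, "not a SAML assertion", None)
    # Source: only assertions from the IdP we federated with count.
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        return (False, "untrusted issuer", None)
    # Time issued: reject timestamps from the future (beyond clock skew).
    issued = _parse(root.get("IssueInstant"))
    if issued is None or issued > now + skew:
        return (False, "bad IssueInstant", None)
    # Conditions: validity window and intended audience.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return (False, "missing Conditions", None)
    not_before = _parse(cond.get("NotBefore"))
    not_on_or_after = _parse(cond.get("NotOnOrAfter"))
    if not_before is not None and now + skew < not_before:
        return (False, "not yet valid", None)
    if not_on_or_after is None or now - skew >= not_on_or_after:
        return (False, "expired", None)
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        return (False, "audience mismatch", None)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return (False, "missing subject", None)
    return (True, "ok", name_id)


def demo():
    """Round trip plus three failure modes an SP must catch (constructed data)."""
    idp, sp = "https://idp.example.com/metadata", "https://sp.example.com/metadata"
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    assertion = build_assertion(idp, "alice@example.com", sp, t0)
    return {
        "fresh": validate_assertion(assertion, idp, sp, t0 + timedelta(seconds=30)),
        "expired": validate_assertion(assertion, idp, sp, t0 + timedelta(minutes=10)),
        "wrong_sp": validate_assertion(assertion, idp, "https://other.example.com", t0),
        "rogue_idp": validate_assertion(assertion, "https://evil.example.com", sp, t0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The audience check is the one most often skipped: without it, a valid assertion issued for one service provider can be replayed against another that trusts the same IdP. A production SP additionally ties the assertion to the request it answered (InResponseTo) and records seen assertion IDs to prevent replay within the validity window.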