A medium to large company uses hundreds of different applications for its internal operations and resource planning, and thanks to the SaaS revolution this proliferation of specialised cloud apps has only increased.
Now imagine if every employee in the company needed separate credentials for each of those applications. It would be nothing short of a nightmare for the IT and security teams, and extremely cumbersome for the employee, who would have to remember all of those different sets of usernames and passwords. But of course there is a better way to manage identity across service providers when it comes to enterprise software.
It is called SSO, or ‘Single Sign On’, which means that an employee manages one single login to access the hundreds of applications the company uses. One of the popular XML-based protocols that makes SSO possible is SAML, the Security Assertion Markup Language, which carries authentication data along with other attributes between the user, the service provider (SP) and the identity provider (IdP).
SSO increases security and gives users a far better experience by eliminating the handling of multiple usernames and passwords to access apps. So as companies move their data and services to the cloud, SAML provides a secure method to implement federated SSO across all the touchpoints. SAML-based SSO is highly secure because the user’s credentials are never exchanged with the service provider: when the user tries to access a resource from the SP, the SP redirects the user to the IdP for authentication.
The session created allows the user to access all the applications they are authorised for, for a limited amount of time, without having to enter credentials every time; similarly, when the user logs out, they are logged out from all the applications, creating a frictionless and secure user experience.
The process goes something like this:
1. The user tries to access a web application from a service provider (SP).
2. The SP creates a SAML authentication request (AuthnRequest), which is encoded into a URL.
3. The application redirects the user’s browser, carrying the generated SAML authentication request URL, to the IdP’s SSO service.
4. The IdP decodes the SAML request and authenticates the user.
5. The IdP generates a SAML assertion containing the user’s authentication information and attributes.
6. The SAML response, digitally signed with the partner IdP’s private DSA/RSA key (the SP verifies it with the matching public key), is passed to the browser, which sends it to the SP’s Assertion Consumer Service (ACS) URL.
7. The application extracts the authentication information and attributes from the response and logs in the user.
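As an added example that is not part of the original post, here is the SP side of steps 6 and 7 in Python: the checks a service provider must make on the signed response and its assertion (Destination, InResponseTo, Status, Issuer, validity window, Audience) once the XML signature has been verified. The hosts, request ID and timestamps are constructed, and signature verification with an XML-DSig library is assumed to have already passed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_OK = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": SAMLP, "saml": SAML}

def validate_response(response_xml, trusted_idp, sp_entity_id, acs_url, outstanding_ids, now):
    """SP-side checks on a SAML Response (step 7), run after the XML signature has been verified
    with an XML-DSig library (assumed here). Returns a list of problems; empty means usable."""
    root, problems = ET.fromstring(response_xml), []
    if root.get("Destination") != acs_url:                 # response was addressed to our ACS URL
        problems.append("Destination is not our ACS URL")
    if root.get("InResponseTo") not in outstanding_ids:     # ties the response to a request we issued
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_OK:
        problems.append("Status is not Success")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no Assertion in Response"]
    if a.findtext("saml:Issuer", namespaces=NS) != trusted_idp:  # only the configured IdP is trusted
        problems.append("Assertion Issuer is not the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00")) if s else None
    nb, na = (ts(cond.get("NotBefore")), ts(cond.get("NotOnOrAfter"))) if cond is not None else (None, None)
    if na is None or (nb is not None and now < nb) or now >= na:  # NotBefore optional, NotOnOrAfter required
        problems.append("Assertion is outside its NotBefore/NotOnOrAfter window")
    audience = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) if cond is not None else None
    if audience != sp_entity_id:                            # an assertion issued for another SP is refused
        problems.append("Audience is not this SP")
    return problems

# Constructed sample Response (hypothetical hosts, no real IdP). The ds:Signature element is
# left out because its verification is assumed to have happened before these checks run.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
 IssueInstant="2024-01-01T12:00:00Z" InResponseTo="_req42" Destination="https://sp.example.com/acs">
 <samlp:Status><samlp:StatusCode Value="{STATUS_OK}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""

def check_sample(sp_entity_id="https://sp.example.com", outstanding_ids=frozenset({"_req42"}), minutes_after_issue=1):
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc) + timedelta(minutes=minutes_after_issue)
    return validate_response(SAMPLE_RESPONSE, "https://idp.example.com", sp_entity_id,
                             "https://sp.example.com/acs", outstanding_ids, now)
```

Calling check_sample() with a different SP entity ID, an empty set of outstanding request IDs, or a clock outside the five-minute window shows each check rejecting the assertion independently.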
The number of specialised cloud-based apps that a company uses increases every year, and SSO solves the problem of managing user identity, authentication and access across the whole set of applications and services while providing a great user experience.