How SAML is used for Single Sign-On (SSO)

Within SAML, there are profiles that define how assertions, protocols and bindings are combined to satisfy a particular use case. Think of a SAML profile as a template: each profile uses a different combination of bindings, protocols and assertions. One of the most widely used SAML profiles is the Web Browser SSO Profile.

The SAML Web Browser SSO Profile lets users access multiple applications with a single set of credentials entered once. This is the foundation of federation and of single sign-on (SSO). Using SAML, users can seamlessly access multiple applications, allowing them to conduct business faster and more efficiently.

You may not have realized it, but you use SAML SSO every day: logging in to your bank online, using a mobile application, or signing in to almost any website and accessing the information behind it. For the purposes of explaining how SSO works, let's use online banking as our use case. When bank customers log in to their account via the bank's website, they may need to access a variety of applications, from their checking and savings accounts to their credit card balance. Each account type (savings, checking, credit, brokerage, business) is often provided by a different back-end application. These applications need to share a common authentication scheme so that one login gives the user seamless access to every part of the online banking web portal. SAML provides the means to accomplish this.


Let’s look closer at the sequence of steps to generate a SAML token, and then use it to gain access to an application or resource. The figure below shows the basic steps necessary for SSO using SAML.

[Figure: SAML-Diagram-SSO, the basic steps of SAML SSO]

  1. The user authenticates to the Identity Provider using single-factor or multi-factor authentication.
  2. The Identity Provider issues a SAML token to the user containing assertions about the user's identity. On mobile devices and in web browsers, the SAML token is usually delivered base64-encoded and embedded in the HTML response.
  3. The user's browser is redirected from the Identity Provider to the Service Provider's location and issues a request to the Service Provider with the SAML token embedded. The Service Provider inspects the token and its contents and determines its validity based on its trust relationship with the Identity Provider. It then grants access to the various online banking applications according to the assertion statements included in the token.
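As an added illustration that is not part of the original article, the following Python sketch walks through steps 2 and 3 above: it base64-encodes a constructed sample Response the way it would sit in the HTML form the browser posts, and then performs the Service Provider's trust and validity checks on it. The entity IDs, URLs and timestamps are assumed sample values; the signature verification against the Identity Provider's certificate is the part a real Service Provider must add with an XML-security library.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of the XML an IdP base64-encodes into the hidden SAMLResponse form field (step 2).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="https://bank.example/saml/acs">
 <saml:Issuer>https://idp.example/metadata</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://bank.example/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

def encode_for_post(xml_text):  # IdP side: base64 the Response as it travels in the HTML form
    return base64.b64encode(xml_text.encode()).decode()

def saml_time(value):  # SAML timestamps in this xs:dateTime form are UTC
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_saml_response(b64, trusted_idp, sp_entity_id, acs_url, now):
    """SP side (step 3): return the asserted NameID only if every trust and validity check passes."""
    root = ET.fromstring(base64.b64decode(b64))
    if root.get("Destination") != acs_url:
        raise ValueError("Response was not addressed to this SP's ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_idp:
        raise ValueError("Response issuer is not the trusted IdP")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != trusted_idp:
        raise ValueError("Assertion issuer is not the trusted IdP")
    # The trust relationship is the IdP's signing certificate: a real SP verifies this XML-DSig with
    # an XML-security library before believing anything below; this sketch only checks it is present.
    if a.find("ds:Signature", NS) is None:
        raise ValueError("Assertion is unsigned")
    cond = a.find("saml:Conditions", NS)
    if not (saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter"))):
        raise ValueError("Assertion is outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != sp_entity_id:
        raise ValueError("Assertion was issued for a different service provider")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

Each check corresponds to one way a token can be valid for someone else, somewhere else, or at some other time; the Service Provider rejects the token unless all of them hold.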

SAML SSO provides a seamless experience: the user can access multiple applications without the user or the client technology requiring any changes to support the SAML exchange.

To learn more about SAML SSO, download our latest white paper: How to Implement Enterprise SAML SSO