Code360 powered by Coding Ninjas X Naukri.com. Code360 powered by Coding Ninjas X Naukri.com
Table of contents
1.
Introduction
2.
Why SAML?
3.
Single Sign-On (SSO)
4.
SAML Working
5.
SAML Assertion
6.
SAML Assertion Types:
7.
SAML vs. OAuth
8.
Example
9.
Frequently Asked Questions
10.
Conclusion
Last Updated: Mar 27, 2024
Easy

AWS SAML

Master Python: Predicting weather forecasts
Speaker
Ashwin Goyal
Product Manager @

Introduction

SAML stands for Security Assertion Markup Language, and it is a format for expressing security claims. Users must normally enter a username and password to log in to any software. SSO is one method for accomplishing this (SSO).  
The Security Assertion Markup Language (SAML) is an XML-based framework that allows identity providers to issue authorization credentials to service providers. SAML is a standardized technique to verify that a user is who they say they are to external apps and services. SAML enables single sign-on (SSO) by allowing a user to be authenticated once and then have that authentication communicated to various apps. SAML 2.0 is the most recent version of SAML. 
Consider SAML authentication to be similar to an identification card: a quick, standardized way to prove who you are. Instead of running a battery of DNA testing to verify someone's identification, you might simply look at their ID card. 
One of the biggest issues in computing and networking is getting systems and devices created by different suppliers for various purposes to function together. This is referred to as "interoperability": the ability of multiple machines to interact with one another despite differences in technical specifications. SAML is an open standard that is commonly used to convey a user's identity to cloud service providers.

Why SAML?

Both the service provider and the identity provider operate independently under SAML, but it centralizes user administration and gives access to SaaS solutions. SAML authentication is mostly used to validate a user's credentials from an identity provider.

Get the tech career you deserve, faster!
Connect with our expert counsellors to understand how to hack your way to success
User rating 4.7/5
1:1 doubt support
95% placement record
Akash Pal
Senior Software Engineer
326% Hike After Job Bootcamp
Himanshu Gusain
Programmer Analyst
32 LPA After Job Bootcamp
After Job
Bootcamp

Single Sign-On (SSO)

SSO allows users to be authenticated for numerous apps and services at the same time. SSO allows a user to sign in once and then utilize several apps by signing in at a single login screen. Users are not required to authenticate their identity with each and every service they use. 
To do this, the SSO system needs to connect with each external app to inform them that the user has signed in - here is where SAML comes into play.

SAML Working

A typical SSO authentication process involves these three parties:

  • Principal (also known as the "subject")
  • Identity provider
  • Service provider

Principal/subject: Almost always, this is a human user attempting to access a cloud-hosted application.

Identity provider (IdP): An identity provider (IdP) is a cloud software service that stores and validates user identity, typically via a login process. Essentially, an IdP's function is to declare, "I know this person, and here is what they are permitted to do." An SSO system may in reality be independent of the IdP, but in those circumstances, the SSO simply functions as a representation for the IdP, thus for all intents and purposes they are the same in a SAML workflow.

Service provider: This is the cloud-hosted application or service that the user wishes to use. Cloud email systems such as Gmail and Microsoft Office 365 are common examples, as are cloud storage services such as Google Drive and AWS S3, and messaging tools such as Slack and Skype. Normally, a user would just log in to these services directly, but when SSO is utilized, the user logs into the SSO instead, and SAML is used to provide them access instead of a direct login.

Figure 1 - Working of SAML

The principal approach the service provider with a request. After that, the service provider seeks authentication from the identity provider. The identity provider transmits a SAML assertion to the service provider, which can then respond to the principal.

If the principal (the user) was not already logged in, the identity provider may prompt them to log in before sending a SAML assertion.

SAML Assertion

A SAML Assertion is an XML document that the identity provider sends to the service provider to give user permission. 
Consider the contents of a job applicant reference: the person providing the reference specifies when and for how long they worked with the candidate, their role, and their opinion on the candidate. A company can hire based on this reference, much as a SaaS program or cloud service might allow or deny user access based on a SAML assertion.

SAML Assertion Types:

  • Authentication
    • It establishes the user's identity.
    • It displays the time the user logged in.
    • It also specifies which authentication technique was utilized.
  • Attribute
    • An attribute assertion is used to communicate the SAML attributes to the service provider, where each attribute holds information about the user authentication.
  • Authorization decision
    • A decision on permission decides whether the user is permitted to access the service or if the identity provider refused the request due to a password failure.

SAML vs. OAuth

OAuth is a relatively newer standard that was co-created by Google and Twitter to allow for more efficient online logins. To communicate login information, OAuth employs an approach similar to that of SAML. SAML gives organizations more control over their SSO logins, but OAuth is superior on mobile and leverages JSON. Facebook and Google are two OAuth providers that you may utilize to sign in to other websites.

Example

  1. Alex logs into SSO first thing in the morning.
  2. Alex then tries to access his CRM's webpage.
  3. The CRM – the service provider – validates Alex’s credentials with the identity provider.
  4. The identity provider returns authorization and authentication messages to the service provider, allowing Alex to access the CRM.
  5. Alex can utilize CRM to complete tasks.
     

Salesforce, Gmail, Box, and Expensify are all instances of service providers to which an employee would have access after logging in with SAML.

Frequently Asked Questions

  1. What is the most recent version of SAML?
    SAML 2.0 is the most recent version of SAML.
  2. What is Single Sign-On(SSO)?
    SSO allows a user to sign in once and then utilize several apps by signing in at a single login screen. 
  3. Which type of document is SAML?
    A SAML Assertion is an XML document.
  4. What does SAML stand for?
    Security Assertion Markup Language.
  5. What is the role of the Identity Provider(IdP)?
    The role of an identity provider (IdP) is user identity validation.

Conclusion

In this article, we had a look at AWS SAML and its working and usage. We also learned how it simplifies the authentication process. If you are preparing for interviews and don't know where to start, we have got you covered, Check out our Data Structures and Algorithms course on Coding Ninjas website We hope that this blog has helped you enhance your knowledge regarding AWS SAML and if you would like to learn more, check out our articles on Coding Ninjas Studio.  Do upvote our blog to help other ninjas grow. Happy Coding!

Previous article
Global Infrastructure concept in AWS
Next article
AWS NAT Gateways
Live masterclass