Posted by Gaurang Patel on 19 September 2013 03:37
Every day, the average computer user signs on to half a dozen applications: email, instant messenger, the intranet, and many other third-party applications. The time it takes to log in to each of them every day adds up, not to mention the headache caused when the tipping point of login/password memorization is reached. This is where Single Sign-On (SSO) can make life easier – a convenient way to access all applications using only one login credential.

What is SAML?
SSO can be implemented on an intranet using various solutions, but there were no solutions available to implement SSO across web-based applications. This led to an XML-based open standard called Security Assertion Markup Language (SAML). SAML is a protocol used for exchanging authentication data between two parties. With SAML, system administrators can engage third-party identity providers that grant users access to multiple systems and applications.
How Does SAML Work?
Typically, when a user requests a service from a service provider (an application, also called a relying party) through a user agent (usually a browser), the service provider asks the identity provider (the system that holds the user accounts, i.e. usernames and passwords) to confirm the user's identity. Before giving that confirmation, the identity provider asks the user for some information, such as a username and password, in order to authenticate them. Once the identity provider has confirmed the identity, the service provider decides whether to proceed with the service the user requested.
This creates a problem when more than one service provider requests identity confirmation from the same identity provider, because each one would prompt the user again. SAML has a way of solving this problem.
SAML allows web domains to securely exchange user authentication and authorization data. Hence, one identity provider can provide identity confirmation to many service providers, and, vice versa, one service provider can trust confirmations from many identity providers. The confirmations exchanged between identity provider and service provider using SAML are called SAML assertions.
SharePoint SSO using ADFS with SAML
When working with SAML on SharePoint, Active Directory Federation Services (ADFS) acts as the identity provider and the SharePoint web application acts as the service provider, as well as the relying party, since it depends on ADFS to do the authentication. SharePoint redirects the user to ADFS for authentication, which requires a username and password. ADFS typically holds user information such as login ID, name, email address, department, and phone number. Once the user is authenticated, ADFS sends a SAML XML message (the assertion, carrying these attributes as claims) back to the SharePoint web application.
Benefits of SSO using SAML
There are a number of benefits of using SSO with SAML:
- Time-Saving - The most obvious benefit is the time saved by not having to log in to multiple applications repeatedly.
- Reduces Password Loss - It also reduces the chance of losing a password, so the IT help desk spends less time recovering lost passwords.
- Easy Access to Applications - A single login is easier to remember and more convenient. Users can move effortlessly between applications without stopping to log in to each one.
- User Experience - As long as proper security measures are implemented at the various application levels, SSO is convenient for users because they are not prompted for repeated authentication.