You might have seen lot of web sites / services you access requesting you to login with an login page that you have used before.
To understand SAML, you might need to understand the following terms.
Identity Provider (IP): The company / enterprise holding the user credentials.
Service provder (SP): The company providing the service - say salesforce.
User: the person going to use the service.
Traditionally the credentials are maintained by Identity provider, but the credentials are also maintained in the Service provider so that whenever the user tries to access the SP he is authenticated within the service provider itself.
You might have seen in some sites where they ask you to register with a username and password to access the service.
Now the problems of using this approach is:
- the service provider have to maintain the user credentials even though the user credentials are in the Identity provider.
- the user has to remember different user credientials for the IP and the SPs.
- The identity provider has to follow a cumbersome process of disconnecting the access to the SPs whenever the user goes out of the company or his roles changed.
How its solved.
Typically, the user requests access to the Service (SP), the SP redirects him to the Identity provider (IP), the user gets his userid and password validated from the Identity provider.
The Identity provider provides a token (a file which contains user information - but not password) to the service provider.
The service provider now knows that its a valid user and allows him to access the service.
Now using this approach, the SP dont have to maintain password, the user has to remember only one password, and its easy for IP to manage user information and he has control over the services.
Now what is SAML:
SAML is the token we talked about. Its the XML based data format for exchanging user information between the Identity provider and the service provider.
When the user is authenticated by the IP, the user can then access the services with the token provided by the IP.
How long can the user access the service with the token provided by IP, what if the user goes out of the company.
The token issued by the IP also has the expiry time. Whenever the SP receives the token, it is valid only till the time, after that the service provider redirects back to the identity provider. The user has to get another token with a revised expiry time on the token.
What does SAML describe:
- describe the structure of the data.
- explains how the data should get transported between the IP and SP
How does communication happens between the IP and the SP:
In the above picture you can see the sequence flow how the user is authenticated and he is allowed to access the resource in SP.
To understand SAML, you might need to understand the following terms.
Identity Provider (IP): The company / enterprise holding the user credentials.
Service provder (SP): The company providing the service - say salesforce.
User: the person going to use the service.
Traditionally the credentials are maintained by Identity provider, but the credentials are also maintained in the Service provider so that whenever the user tries to access the SP he is authenticated within the service provider itself.
You might have seen in some sites where they ask you to register with a username and password to access the service.
Now the problems of using this approach is:
- the service provider have to maintain the user credentials even though the user credentials are in the Identity provider.
- the user has to remember different user credientials for the IP and the SPs.
- The identity provider has to follow a cumbersome process of disconnecting the access to the SPs whenever the user goes out of the company or his roles changed.
How its solved.
Typically, the user requests access to the Service (SP), the SP redirects him to the Identity provider (IP), the user gets his userid and password validated from the Identity provider.
The Identity provider provides a token (a file which contains user information - but not password) to the service provider.
The service provider now knows that its a valid user and allows him to access the service.
Now using this approach, the SP dont have to maintain password, the user has to remember only one password, and its easy for IP to manage user information and he has control over the services.
Now what is SAML:
SAML is the token we talked about. Its the XML based data format for exchanging user information between the Identity provider and the service provider.
When the user is authenticated by the IP, the user can then access the services with the token provided by the IP.
How long can the user access the service with the token provided by IP, what if the user goes out of the company.
The token issued by the IP also has the expiry time. Whenever the SP receives the token, it is valid only till the time, after that the service provider redirects back to the identity provider. The user has to get another token with a revised expiry time on the token.
What does SAML describe:
- describe the structure of the data.
- explains how the data should get transported between the IP and SP
How does communication happens between the IP and the SP:
In the above picture you can see the sequence flow how the user is authenticated and he is allowed to access the resource in SP.
