What is SAML? A Comprehensive Guide with Examples

Captions
Security Assertion Markup Language, or SAML, is an open standard for exchanging authentication and authorization data between two parties: an identity provider and a service provider. SAML is widely used to enable single sign-on, which allows a user to access multiple applications with a single set of login credentials. In this video we will discuss the basics of single sign-on, what SAML is and how it works, the benefits of using SAML, common SAML use cases, and how it compares with OAuth 2.0. By the end of this video you will have a solid understanding of SAML's capabilities and how integrating it can enhance both the security and user experience within your IT framework. So let's get started.

There was a time when users had to create user accounts for every application and remember every login credential. That's why the idea of SSO, or single sign-on, became more popular in enterprise IT. Single sign-on allows the user to sign on with one set of credentials and gain access to multiple applications and services. SSO improves safety and offers clients a better user experience by decreasing the number of necessary accounts or passwords and offering easier access to all the applications and services they need. For example, when you log into Gmail, you are automatically granted access to your accounts in Google-owned applications like Google Drive, YouTube and Maps. There are different implementations of SSO, but the general flow as well as the main players are almost the same. SAML, OpenID Connect and WS-Federation are the common open standards for SSO.

Let's define the primary elements in SSO before describing the overall flow of SSO. A user is a person who wants to use the service from the service provider. A service provider provides service to the users and gets authentication from the identity provider to grant authorization to the user. An identity provider is the one that provides the identity of the user who is trying to access the service provider and sends authentication data along with the user's access rights to the service. Open standard protocols for single sign-on define how service providers and identity providers exchange identity information.

SAML is an XML-based framework for exchanging authentication and authorization data between two parties. In simple terms, it allows different organizations and systems to trust each other's identities without exposing sensitive information. Imagine you are trying to access multiple web applications from different providers. You wouldn't want to remember separate usernames and passwords for each one, right? That is where SAML comes in, offering single sign-on, or SSO. It allows you to authenticate once with your identity provider and then access multiple services seamlessly.

Let's break down the key components of SAML. The identity provider is where your identity is established and authenticated. It is a service that stores and manages digital identities. IdPs provide a way for your users to authenticate their identities and access protected resources without having to create and manage multiple accounts with each service they use. Google and Google Workspace are both identity providers that can be used to implement single sign-on. Google is primarily a consumer-focused IdP, while Google Workspace is a business-focused IdP. This means that Google is designed to be used by individuals, while Google Workspace is designed to be used by organizations. Some other examples of popular IdPs include Microsoft, Okta, or Auth0.

Service providers are the applications or services you want to access. They rely on the identity provider for user authentication. A SAML-enabled service provider is a service provider that supports the SAML protocol for single sign-on. This means that users can log into the service provider using their credentials from a trusted identity provider without having to create a separate account for the service provider. Some of the popular examples of SAML-enabled service providers include Salesforce, Google Workspace, Microsoft 365 and Okta. If you are considering implementing single sign-on for your organization, you should make sure that the service providers that you want to support are SAML-enabled. This will ensure that you can provide a seamless and secure SSO experience for your users.

And finally, a SAML assertion is an XML document that is exchanged between an identity provider and a service provider to convey information about a user's identity and authorization status. SAML assertions are used to implement single sign-on, which allows a user to access multiple applications with a single set of login credentials. SAML assertions contain a variety of information about the user, including: the user's identity, such as name and email address; the user's authorization levels, such as roles or permissions; the time the assertion was issued; the time the assertion is expiring; and a signature from the IdP that verifies the authenticity of the assertion. SAML assertions are typically signed by the IdP using a digital signature certificate. This ensures that the assertion cannot be tampered with in transit.

Here is how SAML works in practice. The user attempts to access a SAML-enabled service provider. The service provider redirects the user to the identity provider. The user authenticates with the identity provider. The identity provider redirects the user back to the service provider with a SAML assertion, which contains the user's identity information. The service provider then validates the SAML assertion and grants the user access to the requested resource.

Now, some of the terminology used in SAML sounds similar to OAuth, and you might wonder how SAML differs from OAuth. I have covered OAuth in detail in my previous video, describing all the use cases and the various types of OAuth flows. While both SAML and OAuth serve authentication and authorization purposes, OAuth is mainly focused on authorization for third-party access, while SAML specializes in identity and single sign-on. OAuth allows third-party applications to access a user's data or perform actions on their behalf without exposing the user's credentials, such as username or password. For example, when you use your Facebook account to log into a third-party app, you are granting the app permission to access certain data or perform actions on your Facebook account, such as posting on your behalf. Or when you use OAuth 2.0 to authorize a mobile app to access your Google Drive files, it's an authorization process where you are allowing the app access to specific resources without revealing your Google credentials.

SAML, on the other hand, specializes in identity and single sign-on. It focuses on the exchange of authentication and authorization data between parties to establish and verify your user's identity. For example, in a corporate environment, SAML can be used to implement single sign-on: when you log in once to your corporate network, you gain access to various services like email, internal applications and cloud resources without having to log in separately for each. SAML asserts your identity to these services. OAuth 2.0 can also be used for authentication, but it's not its primary purpose. Some extensions and profiles of OAuth, like OpenID Connect, have been developed to add authentication capabilities to OAuth. However, OAuth alone doesn't inherently guarantee strong identity verification. OAuth is well suited for scenarios where third-party applications need limited access to a user's data without having full control over the user's identity.

In fact, OAuth 2.0 with JWT has gained significant adoption in modern microservices architecture. In a microservices architecture, one service may need to access another service's API, and OAuth 2.0 can be used to authenticate and authorize the service-to-service interactions. While it's possible to use SAML for service-to-service authentication and authorization in a microservices architecture, it's not the most common or typical choice, for several reasons. SAML uses XML for its assertions, whereas modern microservices architectures often prefer JSON for its simplicity and efficiency. OAuth 2.0, when used with JSON Web Tokens, aligns better with the JSON-based communication that is prevalent in microservices environments. Moreover, SAML is a robust protocol designed for various scenarios, including single sign-on and identity federation, which can make it complex to implement for simple service-to-service authentication and authorization within a single organization.

Now, SAML is favored in scenarios where strong identity federation and SSO are critical. This includes government institutions, healthcare organizations, or enterprises. Government agencies often require robust identity verification for access to sensitive systems, making SAML a good fit. Healthcare providers handle sensitive patient data, and SAML helps to ensure that only authorized personnel can access this information. SAML enables employees to access various applications and services within an organization without repeated logins, enhancing productivity and security. While OAuth can be extended for authentication by using OpenID Connect, SAML excels in scenarios that require strong identity assurance, which is why government institutions and healthcare organizations often prefer it.

SAML promotes secure authentication and data exchange between parties. Individual users enjoy a seamless experience with single sign-on, and different organizations or systems can trust each other's identities without sharing passwords. Stay secure, and see you in the next video. Thank you.
Info
Channel: ByteMonk
Views: 10,400
Keywords: system design, interview question, faang, technology, system design tutorial, system design interview questions, system design interview, oauth 2.0, security, jwt, idp, saml
Id: 4ULlJEupV-I
Length: 9min 51sec (591 seconds)
Published: Fri Sep 22 2023