SAML Basics
Security Assertion Markup Language (SAML) is a standard for exchanging authentication information between identity and service providers. SAML authentication is a single sign-on mechanism where a centralized identity provider (IdP) performs user authentication, while the service provider (SP) only makes access control decisions based on the results of authentication.
The main benefits of using SAML authentication are as follows:
- Service providers don't need to maintain their own user databases. User information is stored in a centralized database on the identity provider side. If a user has to be added or removed, it only needs to be done in a single database.
- Service providers don't need to validate users themselves, so there's no need for a secure authentication and authorization implementation on the provider's side.
- Single sign-on means that a user has to log on once. All subsequent sign-ons (when a user launches a different application) are automatic.
- Users don't have to type in credentials when signing in.
- Users don't have to remember and renew password.
- No weak passwords.
The single sign-on process
SAML single sign-on can be initiated on the service provider side or on the identity provider side. The two scenarios are outlined below.
The rudimentary SAML single sign-on process initiated on the service provider side consists of the following steps:
- A user opens the RAS HTML5 client running on the service provider side and is asked to log in.
- The service provider sends a message to the identity provider, asking to authenticate the user.
- The identity provider asks the user for a username and a password.
- If the user credentials are correct, an authentication response (assertion) is sent to the client and then passed to the service provider. The response contains a message that the user has logged in successfully; the identity provider signs the assertion.
- The user is presented with the published applications list. When user launches an application, there's no prompt for credentials.
Single sign-on can also be initiated on the identity provider side, in which case the basic steps are the following:
- A user logs in to identity provider and is presented with a list of enterprise applications, including Parallels RAS.
- Once RAS is selected, the assertion is sent to the client, then passed to the service provider configured for that application.
- Users are presented with the RAS published applications list.
- When the user launches an application, there is no prompt for credentials.
|