From CRMs for salespeople to invoice systems for accountants, the proliferation of SaaS web apps has made life easier for many employees. However, even the adoption of the most productivity-enhancing apps can lead to unintended inefficiencies and risks. These can range from frequent “I forgot my password” calls that inundate the IT department to increased risk of data breaches. These are the types of problems that Security Assertion Markup Language, or SAML, solves by enabling users to access multiple external applications using their credentials from Active Directory.
What is SAML and how does it work?
SAML is an open standard that enables the secure communication of identities between organizations through authentication and authorization functions. It is most often used to gain single sign-on functionality between an Identity Provider (IDP) and a Service Provider (SP). When an IDP, such as an employer, and a SP, such as a SaaS company, both implement SAML, they are able to seamlessly authenticate accredited users associated with the IDP to use the SP.
First, a user attempts to access the SP, either via a URL or a portal link. Next, federated identity software at the IDP activates and confirms the user’s identity. The IDP notifies the federated identity software running at the SP of the authentication. The tokenized message includes any necessary user details, such as permissions and groups. The federated identity software at the SP then determines that the message is coming from a trusted IDP and then creates a session for the user in the app.
Why use SAML?
SAML has many benefits for both the IDP, the individual user, and SPs.
For IDPs, implementing SAML saves administrative time since it eliminates the need for things like password resets. SAML also increases security, by maintaining control over authentication and access at the centralized IDP. Further, it eliminates the development costs associated with proprietary single sign-on (SSO) methods. As employees increasingly use multiple SaaS apps, this can create headaches for the IT department when employees leave the company or migrate to another role and their account access needs to be changed or eliminated. With SAML, each user can be managed with a single, in-house credential. SAML also reduces security risks by decreasing opportunities for phishing and identity theft.
For employees, the experience accessing external SPs is seamless. When logged in via single sign-on, the end user can access the various apps they require without having to deal with a unique log-in at each SP.
Finally, for SPs, SAML increases their usage by decreasing barriers to entry. Frustrated employees that have difficulty logging on to various apps are prone to circumventing them in their workflows. SAML also decreases security risks for SPs since they don’t have to store log-in credentials for individual users, making large-scale data breaches (where sensitive user data is leaked) much less of a risk.
The one downside with SAML, is that many access management and federation products make configuring SAML a complex task. Each SAML integration could require system integration work that could take weeks or months depending on the complexity or the uniqueness of the SPs SAML requirements. However, more modern access management products have streamlined SAML configuration, and even pre-integrated hundreds of applications out-of-the box. With a simple setup wizard approach, and integrations that are kept up to date, SAML can be easy to implement and reliable. For busy IT departments, that means more time focusing on your core responsibilities, finding new opportunities for efficiency, and scaling as the company grows without drowning in support requests.
Where to Begin
Getting started is simple. Okta provides an SAML validation tool, and there are also many OpenSource SAML toolkits available for SPs in different programming languages. Or if you’re looking for even more support across departments—and for security that scales—you can try our full solution for free for 30 days.