After reading some articles and references, I found that they practically illustrate what SAML is, what components it contains, and how it works. Some good links are as follows:
I, however, still feel confused about it: why say it is secure? In my view, in short, SAML is just a "formatted" XML representation. It is a language or mechanism for exchanging figures on the information highway. I cannot find that it is secure; it just provides a negotiation or standard way for exchanging information only. I don't know whether my understanding is correct or not. Why SAML contains "security" still confuses me.
Increased Security — SAML provides a single point of authentication, which happens at a secure identity provider. Then, SAML transfers the identity information to the service providers. This form of authentication ensures that credentials are only sent to the IdP directly.
SAML implements a secure method of passing user authentications and authorizations between the identity provider and service providers. When a user logs into a SAML enabled application, the service provider requests authorization from the appropriate identity provider.
SAML is primarily used to enable web browser single sign-on (SSO). The user experience objective for SSO is to allow a user to authenticate once and gain access to separately secured systems without resubmitting credentials.
It is required before authorization, which is the process of determining whether the authenticated identity has permission to use a resource. SAML authentication depends on verifying user credentials, which, at a minimum, include user identity and password. SAML can also enable support for multifactor authentication.
I think the piece that you are missing after all that reading is how SAML requires the use of the XML DSIG and XML ENC specs to ensure message integrity and confidentiality. While standardized message formats and common name identifiers make sharing identity information much easier between parties, it is these two security components (when implemented properly) that allow SAML to be confidently adopted by Enterprises, Governments and Cloud Service Providers to exchange identity information.
HTH - Ian
To make it secure we can digitally sign the response with our private key and share the certificate with the Service Provider. In this way it can provide security against a fake IdP and "Man in the middle" attacks (MITM).
Apart from that, it is always recommended to have this transaction be HTTP over SSL.
And last but not least, you can also use persistent/transient pseudonyms to exchange information between IdP and SP.
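The two answers above make the same point from different angles: Ian's, that SAML's security comes from the XML-DSig/XML-Enc layer on top of the message format, and the second, that the IdP signs the response with its private key and the SP verifies it with the IdP's certificate. The following is an added, self-contained Go illustration of that mechanism, not code from either answer or from any SAML library: it stands in for XML-DSig with a detached RSA-SHA256 (PKCS#1 v1.5, the algorithm XML-DSig commonly uses) signature over the serialized assertion bytes, skipping canonicalization and the enveloped `<Signature>` element that a real implementation needs. The assertion fields, issuer and audience values are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// Assertion is a deliberately minimal stand-in for a SAML <Assertion>.
// Real SAML signs a canonicalized (C14N) form with an enveloped XML-DSig
// <Signature>; here we sign the serialized bytes directly to show the idea.
type Assertion struct {
	XMLName  xml.Name `xml:"Assertion"`
	Issuer   string   `xml:"Issuer"`
	Subject  string   `xml:"Subject>NameID"`
	Audience string   `xml:"Conditions>AudienceRestriction>Audience"`
}

// SignedResponse carries the assertion bytes plus a detached signature.
type SignedResponse struct {
	AssertionXML []byte
	Signature    string // base64(RSA-SHA256 over AssertionXML)
}

func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// GenKey creates an RSA key pair (hypothetical IdP key; a real IdP would
// publish the public half as an X.509 certificate in its SAML metadata).
func GenKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// IdPSign: the IdP serializes the assertion and signs it with its private key.
func IdPSign(priv *rsa.PrivateKey, a Assertion) (SignedResponse, error) {
	raw, err := xml.Marshal(a)
	if err != nil {
		return SignedResponse{}, err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(raw))
	if err != nil {
		return SignedResponse{}, err
	}
	return SignedResponse{AssertionXML: raw, Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

// SPVerify: the SP checks the signature against the IdP public key it trusts
// (obtained out of band via the certificate), then checks issuer and audience
// so an assertion meant for another SP cannot be replayed here.
func SPVerify(trusted *rsa.PublicKey, wantIssuer, wantAudience string, r SignedResponse) (Assertion, error) {
	var a Assertion
	sig, err := base64.StdEncoding.DecodeString(r.Signature)
	if err != nil {
		return a, err
	}
	if err := rsa.VerifyPKCS1v15(trusted, crypto.SHA256, digest(r.AssertionXML), sig); err != nil {
		return a, errors.New("signature invalid: assertion modified or signed by an untrusted key")
	}
	if err := xml.Unmarshal(r.AssertionXML, &a); err != nil {
		return a, err
	}
	if a.Issuer != wantIssuer {
		return a, errors.New("unexpected issuer")
	}
	if a.Audience != wantAudience {
		return a, errors.New("assertion not intended for this SP")
	}
	return a, nil
}

// Tamper models an in-transit modification of the assertion (the MITM case).
func Tamper(r SignedResponse, from, to string) SignedResponse {
	r.AssertionXML = []byte(strings.Replace(string(r.AssertionXML), from, to, 1))
	return r
}

// Demo runs the three cases: genuine response accepted, tampered response
// rejected, response from a fake IdP (different key) rejected.
func Demo() (genuineOK, tamperedRejected, fakeIdPRejected bool, err error) {
	idp, err := GenKey()
	if err != nil {
		return
	}
	fake, err := GenKey()
	if err != nil {
		return
	}
	a := Assertion{Issuer: "https://idp.example.com", Subject: "alice@example.com", Audience: "https://sp.example.com"}
	resp, err := IdPSign(idp, a)
	if err != nil {
		return
	}
	_, e1 := SPVerify(&idp.PublicKey, a.Issuer, a.Audience, resp)
	_, e2 := SPVerify(&idp.PublicKey, a.Issuer, a.Audience, Tamper(resp, "alice", "admin"))
	forged, _ := IdPSign(fake, a)
	_, e3 := SPVerify(&idp.PublicKey, a.Issuer, a.Audience, forged)
	return e1 == nil, e2 != nil, e3 != nil, nil
}

func main() {
	g, t, f, err := Demo()
	fmt.Printf("genuine accepted=%v tampered rejected=%v fake IdP rejected=%v err=%v\n", g, t, f, err)
}
```

The SP never receives the user's password; it only decides whether to trust a statement about the user, and that decision rests entirely on the signature check and on the trust it placed in the IdP's certificate beforehand. Remove the verification step (or accept any certificate embedded in the message itself) and SAML degrades to exactly the "formatted XML" the question describes.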