PODCAST: Simple Assertion Markup Language (SAML) 101
You are literally racking your brain to remember the newest combination of capital letters, symbols and numbers that you just scrambled together…two days ago. This marks your fifth login attempt to access your online bank account – which means you only get one more try before your account is locked and then you have to spend 10-15 minutes of your time either calling the 1-800 number or taking a series of steps to reset it.
Whether it’s the end user or a business, the password struggle is real.
In this podcast, A2U marketing and communications intern, Sophia Esposito, talks to a couple of password and security pros about Simple Assertion Markup Language (SAML). It’s all about getting smarter identity and access management. This makes your life easier because it means the end user has to remember fewer passwords (score!).
Click below to listen to our podcast on how SAML saves businesses time and money. This podcast features two subject matter experts: Bob Geisler, A2U technical architect and Garrick Sobeski, Citrix senior sales engineer.
Prefer to read all about it instead? No worries – we transcribed the podcast Q&A below for easy reference.
Q: What is SAML?
A: (Bob) SAML stands for Simple Assertion Markup Language, and it is an implementation that allows you to use your existing credentials to authenticate with a third party.
Q: How does it work?
A: (Bob) It works using certificates and trust relationships between the identity provider and the service provider, or your home organization and a software-as-a-service (SaaS) product, so that you can authenticate against it with a single set of credentials.
(Garrick) Just to build upon what Bob mentioned there, there are two components. The identity provider is the organization that houses the user authentication database. They have their own user accounts and passwords. And a service provider would be a consumer of those users and passwords, or the software that’s being used on the service provider side.
Q: What can we do with it?
A: (Bob) You can use the same set of credentials against several different service providers which allows organizations to maintain one set of usernames and passwords for each employee and control things like password resets and password complexity.
(Garrick) We hear a lot of our customers talking about Single Sign-On as well. Single Sign-On, or SSO, is the ability to take the user credentials, have the user log in one time, and replay those credentials against other forms of access and other applications so that users don’t have to enter their password numerous times. SAML can really assist in getting that done. Also, maintaining a central user database is very important, so when a user is onboarded or leaves the organization, the account and the access are maintained in one centralized location rather than multiple.
Q: What kind of software do you need for it?
A: (Garrick) You don’t really need any software in particular to get SAML working. It is a feature that is supported by many different products and security appliances. For example, ADFS, or Active Directory Federation Services, is Microsoft’s product that supports their implementation of SAML and the protocol. There are other appliances such as Citrix NetScaler. Citrix NetScaler can be an identity provider or a service provider. And SAML is one of the protocols that federated identity products such as these support.
(Bob) And to add to Garrick’s response, there are plenty of programming libraries available out on the internet with open licenses that would allow you to build the SAML stack into your web applications or your project.
Q: Is it secure?
A: (Bob) SAML is secure. SAML is wrapped around the SSL/TLS stack, which relies upon security certificates and certificate trust to operate.
(Garrick) We talk to a lot of customers that are going through security audits, and one thing that security auditors love to see is that you are controlling access to mission-critical and highly secure applications with a vetted, centralized user identity platform. As I mentioned before, if a user was dismissed from an organization or left, protecting that data quickly is a huge matter when it comes to audit findings. When you’re using something like SAML on a centralized user database, when that user leaves the organization you disable their account and they lose access to all forms of mission-critical data, and they can’t take that with them. So you can immediately grant or revoke access as needed.
Q: Is it easy to use?
A: (Bob) SAML is very easy to use from the end-user perspective, in the sense that the end user will only have to maintain one set of credentials to log into various services.
(Garrick) And from an administrator perspective, for those that are managing the infrastructure, SAML is fairly widely and commonly documented in terms of different configuration examples and deployment guides. For example, a Microsoft ADFS SAML implementation might integrate with something like Citrix NetScaler acting as a service provider. There are documents and configuration guides available from every organization. And SAML documentation on how to set up different types of federations is fairly easy to find.
Q: Does it require maintenance?
A: (Bob) SAML requires maintenance in the same sense that SSL servers require maintenance. It relies on security certificates, and they have a start date and an end date. As far as additional maintenance, if your service provider changes or something in your organization changes, you may require light maintenance to keep the SAML implementation functioning.
(Garrick) There’s not a whole lot of daily care and feeding for SAML. Once it’s set up, it pretty much just runs. The only time you really change it, as Bob mentioned, is when you’re updating certificates. Also, when you’re bringing in a new organization or dealing with mergers or acquisitions, you might have to federate with another organization and add or remove different federations that you have set up.
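The speakers describe the two sides of a federation (identity provider and service provider), the trust that rests on certificates, and the fact that those certificates and the partner's metadata expire. The following is an added example, not code from the podcast or from A2U, Citrix or Microsoft: it shows the checks a service provider (SP) has to run on a SAML 2.0 Response before it trusts the user identity inside it, plus a check of how long the partner's metadata remains valid. Every entity ID, URL, user and timestamp is constructed for the example, and the "SP settings" in `check_sample` are hypothetical. XML-Signature verification is deliberately not implemented here: it needs an XML-DSig/xmlsec library and the IdP's signing certificate from its metadata, which is the certificate trust the speakers refer to.

```python
"""SP-side validation of a SAML 2.0 Response (added example; all values constructed)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
CLOCK_SKEW = timedelta(seconds=60)  # tolerance for IdP/SP clock drift

# Constructed Response, as an IdP would POST it to the SP's assertion consumer service (ACS).
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    InResponseTo="_req42" IssueInstant="2024-05-01T12:00:00Z" Destination="https://sp.example.com/acs">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="https://sp.example.com/acs"
            NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed IdP metadata; validUntil is the standard attribute bounding how long the SP may trust it.
SAMPLE_METADATA = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
                   'entityID="https://idp.example.org/metadata" validUntil="2024-06-01T00:00:00Z"/>')


def parse_saml_time(value):
    """Parse the UTC xs:dateTime form SAML uses (YYYY-MM-DDTHH:MM:SSZ)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, *, trusted_idp, sp_entity_id, acs_url, request_id, now):
    """Return a list of problems; an empty list means the Response passed every check."""
    problems = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("status is not Success")
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match our ACS URL")
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match an outstanding request (replay or unsolicited)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion present"]
    # Both the Response and the Assertion must come from the IdP we federated with.
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or issuer.text != trusted_idp:
            problems.append("Issuer is not the federated IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + CLOCK_SKEW < parse_saml_time(not_before):
            problems.append("assertion not yet valid (NotBefore)")
        if not_on_or_after and now - CLOCK_SKEW >= parse_saml_time(not_on_or_after):
            problems.append("assertion expired (NotOnOrAfter)")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("we are not in the AudienceRestriction")
    # Bearer confirmation ties the assertion to our ACS endpoint and our original request.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id:
            problems.append("SubjectConfirmationData Recipient/InResponseTo mismatch")
        if scd.get("NotOnOrAfter") and now - CLOCK_SKEW >= parse_saml_time(scd.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired (NotOnOrAfter)")
    if assertion.find("saml:Subject/saml:NameID", NS) is None:
        problems.append("no NameID: nobody to log in")
    return problems


def metadata_days_remaining(xml_text, now):
    """Days until the partner's metadata (and the certificates it carries) must be refreshed."""
    return (parse_saml_time(ET.fromstring(xml_text).get("validUntil")) - now).days


def check_sample(now_iso, **overrides):
    """Run the SP checks on SAMPLE_RESPONSE with hypothetical SP settings at time now_iso."""
    settings = dict(trusted_idp="https://idp.example.org/metadata",
                    sp_entity_id="https://sp.example.com/metadata",
                    acs_url="https://sp.example.com/acs", request_id="_req42")
    settings.update(overrides)
    return validate_response(SAMPLE_RESPONSE, now=parse_saml_time(now_iso), **settings)


if __name__ == "__main__":
    print("at 12:01:", check_sample("2024-05-01T12:01:00Z"))  # []
    print("at 12:10:", check_sample("2024-05-01T12:10:00Z"))  # expired
    print("metadata days left:", metadata_days_remaining(SAMPLE_METADATA, parse_saml_time("2024-05-01T12:01:00Z")))
```

The point of the `InResponseTo`, `Recipient` and `AudienceRestriction` checks is that a signed assertion is only proof that the IdP vouched for the user to a particular SP, for a particular login, for a few minutes; an SP that skips them accepts assertions meant for someone else. The `validUntil` check is the maintenance item Bob and Garrick describe: a scheduled refresh of partner metadata and certificates before that date is what keeps the federation running.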