A Beginner's Guide to Single Sign-On (SSO) with SAML

November 21, 2024 · 5 min read

Software Engineer @ IOMETE

In today’s digital world, businesses and users are increasingly using multiple web applications and services than ever before. While it's great to have so many tools at our fingertips, managing a different username and password for each one can be a real headache and what ends up happening is that users tend to use simple credentials leading to significant security risks. Not only does this put personal data at risk, but it can also lead to serious problems for businesses, like data breaches and the loss of sensitive information. This is where Single Sign-On (SSO) becomes essential, it enables users to log in once and seamlessly access all systems. This article explores SAML, a leading SSO protocol, explaining its necessity, internal working, and how to configure SSO in IOMETE with OKTA using SAML.

Why Do We Need SSO?

Single Sign-On (SSO) streamlines user authentication across various applications while enhancing security. By centralizing the login process, it eliminates the need to remember multiple passwords, reducing the risk of weak credentials and phishing attacks.

User Convenience

Users only need to sign in once to access multiple applications.
Reduces the hassle of juggling numerous usernames and passwords.

Improved Security

Minimizes the risk of weak passwords and unauthorized access by managing credentials in one place.
Supports Multi-Factor Authentication (MFA) which adds an extra layer of protection to user accounts.
Eliminates the need to transmit passwords between the Service Provider (SP) and Identity Provider (IdP), enhancing overall security.

Choosing the Right SSO Standard: SAML vs. OIDC

When it comes to Single Sign-On (SSO), two major standards lead the way: SAML (Security Assertion Markup Language) and OIDC (OpenID Connect). Here's a quick look at each:

SAML

XML-based protocol.
Ideal for enterprise-level applications.
Often used when compatibility with legacy systems is important.

OIDC

JSON-based protocol built on OAuth 2.0.
Geared towards modern, lightweight applications.
Popular choice for mobile apps and web-based scenarios.

What is SAML?

SAML, or Security Assertion Markup Language, is an XML-based open standard that facilitates the exchange of authentication and authorization data between two parties: an Identity Provider (IdP) and a Service Provider (SP).

Identity Provider (IdP): This is the entity that verifies the user's identity. For example, services like Okta serve as IdPs.
Service Provider (SP): This is the application or service the user wants to access, such as Iomete.

Understanding How SAML Works Behind the Scenes

Here's a step-by-step look at the SAML authentication flow between the Service Provider (SP) and the Identity Provider (IdP):

SAML Working

1. User Attempts to Access SP Resource

It all starts when a user attempts to access a protected resource or service offered by the Service Provider (SP) like IOMETE.

2. SP Sends an Authentication Request to the IdP

Realizing it needs to verify the user's identity, the SP sends a SAML AuthnRequest to the Identity Provider (IdP) via the user's browser. This request includes:

Destination: The URL of the IdP endpoint that will handle the authentication.
AssertionConsumerServiceURL: Where the IdP should send the authentication response after verifying the user.
ProtocolBinding: Specifies how the response will be transmitted (usually via HTTP-POST).

3. IdP Authenticates the User and Creates an Assertion

The IdP steps in to authenticate the user, which might involve entering a username and password or using multi-factor authentication. Once the user is verified, the IdP:

Generates a SAML Assertion containing the user's identity and relevant attributes like roles or email.
Digitally signs the assertion to ensure it hasn't been tampered with.

4. IdP Sends the SAML Response Back to the SP

The IdP sends a SAML Response back to the SP, again through the user's browser. This response includes:

The SAML Assertion with the user's details.
A Status element indicating whether the authentication was successful.

The response is directed to the AssertionConsumerServiceURL specified earlier.

5. SP Validates Assertion and Grants Access

Back at the SP, several checks happen:

Verifying the Digital Signature: Ensures the response genuinely comes from a trusted IdP.
Checking Assertion Validity: Confirms the assertion hasn't expired and is intended for the SP.
Granting Access: If everything looks good, the SP allows the user to access the requested resource based on their attributes.

How to configure SSO in IOMETE?

Follow this in-depth guide and set up SSO in IOMETE with OKTA using SAML

Conclusion

SAML has become a go-to standard for Single Sign-On, offering both convenience and robust security in enterprise environments. By connecting Identity Providers like Okta with Service Providers such as Iomete, SAML enhances the user experience while maintaining strict security measures. Whether you're modernizing your organization's IT infrastructure or integrating new applications, SAML is a critical tool for efficient and secure user authentication.

Why Do We Need SSO?​

User Convenience​

Improved Security​

Choosing the Right SSO Standard: SAML vs. OIDC​

SAML​

OIDC​

What is SAML?​

Understanding How SAML Works Behind the Scenes​

1. User Attempts to Access SP Resource​

2. SP Sends an Authentication Request to the IdP​

3. IdP Authenticates the User and Creates an Assertion​

4. IdP Sends the SAML Response Back to the SP​

5. SP Validates Assertion and Grants Access​

How to configure SSO in IOMETE?​

Conclusion​