
Security Assertion Markup Language

PCQ Bureau

An enterprise runs applications such as portals, ERP and databases, which users access concurrently. Each of these applications has its own security services protecting it, so every time users access one of them, fresh authentication information has to be submitted. The end result is many applications, each with its own security system, none of which can exchange this information with the others. So far, the solution has been to implement separate services to connect applications and exchange security tokens. This results in one security service handling user authentication information, one managing passwords and another the access control list.


SAML, the Security Assertion Markup Language, was developed by OASIS (Organization for the Advancement of Structured Information Standards). It is an XML-based framework designed to authenticate the user only once, irrespective of the applications to be accessed, by transferring security information (authentication, attribute and authorization). SAML does not perform authentication by itself; it transfers the user-related security information to the applications that require it. This information is stored centrally and is accessed by the security services and the applications.

How SAML works

There are three basic components of the SAML framework: assertion, protocol and binding. An assertion is a transfer of facts or security information about a subject (the name of a person or PC) at a particular time. For example, a SAML assertion may read

'sushil@test.com logged in at 2004-02-06T19:22:05', where sushil is the subject. An assertion can carry three types of statements: authentication, attribute and authorization decision.

Direct Hit!
Applies to: CTOs and CIOs
USP: Learn about single sign-in framework
Links: http://www.oasis-open.org/specs/index.php#samlv2.0

Authentication validates the user. The specific information about the user is referenced through one or more attributes, and the authorization decision decides what the user is authorized to do. For instance, if sushil is associated with an attribute 'department' that has the value 'HR', then he is authorized to visit the HR website.
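The three statement types described above, carried in one assertion and consumed by an application, as an added example (this is not code from the original article or from OASIS). The assertion XML is constructed for illustration using the real SAML 2.0 assertion namespace; the issuer URL, the assertion ID and the policy mapping department 'HR' to the HR site are assumptions made for the example.

```python
"""Parse a minimal SAML 2.0 assertion and derive an authorization decision.

Added example, not from the original article. The assertion below is a
constructed sample: the issuer, assertion ID and policy table are assumptions.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"   # real SAML 2.0 namespace
NS = {"saml": SAML_NS}

# Constructed sample assertion: one authentication statement and one
# attribute statement about the subject sushil@test.com.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    ID="_example-assertion-id-1" Version="2.0" IssueInstant="2004-02-06T19:22:05Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">sushil@test.com</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2004-02-06T19:22:05Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="department">
      <saml:AttributeValue>HR</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="role">
      <saml:AttributeValue>employee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical access policy: resource name -> departments allowed to use it.
POLICY = {
    "hr-site": {"HR"},
    "finance-site": {"Finance"},
}


def parse_assertion(xml_text):
    """Return the subject, issuer, authentication instant and attributes."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion element")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    authn = root.find("saml:AuthnStatement", namespaces=NS)
    authn_instant = authn.get("AuthnInstant") if authn is not None else None
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", namespaces=NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", namespaces=NS)]
        attributes[attr.get("Name")] = values
    return {"subject": subject, "issuer": issuer,
            "authn_instant": authn_instant, "attributes": attributes}


def authorize(parsed, resource):
    """Authorization decision: permit only if the assertion carries an
    authentication statement and one of the subject's 'department' values
    is in the set the policy allows for the resource."""
    if parsed["authn_instant"] is None:
        return False  # no authentication statement, so no decision in favour
    allowed = POLICY.get(resource, set())
    departments = set(parsed["attributes"].get("department", []))
    return bool(allowed & departments)


if __name__ == "__main__":
    info = parse_assertion(SAMPLE_ASSERTION)
    print(f"{info['subject']} logged in at {info['authn_instant']}")
    for resource in POLICY:
        print(resource, "->", "Permit" if authorize(info, resource) else "Deny")
```

The application never sees a password here: it reads the authentication statement to learn that the issuing authority has already validated the user, and makes its own authorization decision from the attributes it was given.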

The transfer of security information occurs between the issuing authority and the relying party. The issuing authority includes third-party service providers such as Microsoft, IBM and VeriSign, while the relying party is the end user. The issuing authorities use their own authentication methods, such as PKI, hash, Kerberos and password. When a user signs into a SAML-enabled service or website, the service sends a 'request' for authentication to the issuing authority. The issuing authority returns an authentication reference (a 'response') that the service can pass to other sites. Later, when the same user visits another SAML-enabled site that requires authentication, that site simply uses the previous reference to authenticate the user without repeating the whole process.

Request/response flow between the issuing authority and the end user with an associated assertion


HTTP is the communication protocol commonly used for SAML, and a binding is the mapping of SAML request/response messages onto the communication protocol. SAML 1.0 was approved in 2002, 1.1 in 2003 and the latest version, 2.0, in March 2005. Version 2.0 adds features such as global logout and attribute sharing, along with interoperability with the identity management frameworks from Shibboleth and the Liberty Alliance. Companies such as IBM, Oracle, BEA Systems and SAP have announced support for SAML 2.0.

Benefits and risks

The SAML framework allows enterprises to share security information with other enterprises in a controlled manner, so that each can provide access to its applications securely. Most single sign-in schemes use browser cookies to prevent re-authentication, but cookies are not transferable between websites. SAML provides a single authentication across different websites that are SAML enabled, so a single username and password can serve your ERP, CRM and SCM applications. Interoperability with Web services security standards will also improve. Along with these benefits, however, the SAML framework is also vulnerable to security attacks such as replay, DNS spoofing and HTTP Referer attacks. These risks can be mitigated by proper patching and configuration. For example, HTTPS (using SSL or TLS) can be used to eliminate the HTTP Referer attack.
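The replay risk mentioned above is usually addressed at the relying party by configuration rather than patching: accept an assertion only inside its validity window, only for the audience it was issued to, and only once. The following is an added example (not code from the original article or any SAML product) showing those three checks over assertion records that have already been parsed; the audience URI, assertion IDs, timestamps and the 60-second clock-skew allowance are constructed values chosen for the example.

```python
"""Relying-party checks that blunt replay of a captured SAML assertion.

Added example, not from the original article. It checks the validity window
(NotBefore / NotOnOrAfter from the assertion's Conditions), the intended
audience, and whether the assertion ID has already been consumed. The
audience URI, IDs and times are constructed sample values.
"""
from datetime import datetime, timedelta, timezone

OUR_AUDIENCE = "https://sp.example.invalid"   # assumed relying-party entity ID


class AssertionConsumer:
    """Remembers consumed assertion IDs so a captured assertion cannot be reused."""

    def __init__(self, audience, clock_skew=timedelta(seconds=60)):
        self.audience = audience
        self.clock_skew = clock_skew
        self.seen = {}  # assertion ID -> NotOnOrAfter, so old entries can be pruned

    def prune(self, now):
        """Forget IDs whose validity has ended; they can no longer be replayed."""
        self.seen = {i: exp for i, exp in self.seen.items()
                     if exp + self.clock_skew > now}

    def accept(self, assertion, now):
        """Return (accepted, reason). `assertion` is a dict with keys
        id, audience, not_before and not_on_or_after (timezone-aware datetimes)."""
        self.prune(now)
        if assertion["audience"] != self.audience:
            return False, "audience mismatch"
        if now + self.clock_skew < assertion["not_before"]:
            return False, "not yet valid"
        if now - self.clock_skew >= assertion["not_on_or_after"]:
            return False, "expired"
        if assertion["id"] in self.seen:
            return False, "replayed assertion ID"
        self.seen[assertion["id"]] = assertion["not_on_or_after"]
        return True, "ok"


def make_assertion(assertion_id, issued, lifetime=timedelta(minutes=5),
                   audience=OUR_AUDIENCE):
    """Build a constructed assertion record with a short validity window."""
    return {"id": assertion_id, "audience": audience,
            "not_before": issued, "not_on_or_after": issued + lifetime}


def demo():
    """Run five presentations against one consumer and return the reasons."""
    t0 = datetime(2004, 2, 6, 19, 22, 5, tzinfo=timezone.utc)
    consumer = AssertionConsumer(OUR_AUDIENCE)
    fresh = make_assertion("_id-1", t0)
    results = [
        consumer.accept(fresh, t0 + timedelta(seconds=10)),          # first use
        consumer.accept(fresh, t0 + timedelta(seconds=20)),          # same ID again
        consumer.accept(make_assertion("_id-2", t0),
                        t0 + timedelta(minutes=10)),                  # past window
        consumer.accept(make_assertion("_id-3", t0,
                                       audience="https://other.invalid"), t0),
        consumer.accept(make_assertion("_id-4", t0 + timedelta(minutes=5)), t0),
    ]
    return [reason for _, reason in results]


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

A short lifetime keeps the set of remembered IDs small, and the skew allowance keeps honest clients with slightly wrong clocks from being rejected while still bounding how long a captured assertion remains usable.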

A case study 

General Motors (GM), one of the largest vehicle manufacturers, has an employee portal called 'MySocrates'. It provides single-point access to hundreds of internal GM sites. The portal is accessed by 32,000 concurrent users and has 3 million hits per hour. The disadvantage was that employees were not able to retrieve information as and when required, and a number of usernames and passwords had to be remembered. Employees also had to authenticate to each third-party security service. To overcome this, GM, a member of the Liberty Alliance, decided in 2003 to implement a pilot project using the Liberty Identity Management framework for 'single sign in'. This framework adhered to the SAML 1.1 standard. With it, GM integrated internal and external systems and offered an optional single sign-in facility. In addition, employees were given the option of setting their own profiles and access levels.

In the less than three years of its existence, SAML has not yet been widely adopted by enterprises. It will be accepted gradually once its real benefits are proven.

Sushil Oswal
