posted this on June 09, 2011 10:29 AM
Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their session in another context. This has significant advantages over logging in using a username/password: no need to type in credentials, no need to remember and renew passwords, no weak passwords, etc.
Most companies already know the identity of users because they are logged into their Active Directory domain or intranet. It is natural to use this information to log users into other applications as well, such as web-based applications, and one of the more elegant ways of doing this is by using SAML.
SAML is very powerful and flexible, but the specification can be quite a handful. Now OneLogin is releasing this SAML toolkit for Java applications to enable you to integrate SAML in hours instead of months. We’ve filtered the signal from the noise and come up with a simple setup that will work for most applications out there.
How SAML SSO works
SAML single sign-on works by transferring the user's identity from one place (the identity provider) to another (the service provider). This is done through an exchange of digitally signed XML documents. Consider the following scenario: A user is logged into a system, which acts as an identity provider. The user would like to log in to a remote application such as a support application or accounting application (i.e. the service provider). The following happens:
The user clicks on the link to the application, either on the corporate intranet, a bookmark or similar, and the application loads.
The application identifies the user origin (either by application subdomain, user IP address or similar) and redirects the user back to the identity provider, asking for authentication. This is the authentication request.
The user either has a session with the identity provider already, or establishes one by logging into the identity provider.
The identity provider builds the authentication response in the form of an XML document containing the user's username or email address, signs it using an X.509 certificate and posts this information to the service provider.
The service provider (which already knows the identity provider and has a certificate fingerprint) retrieves the authentication response and validates it using the certificate fingerprint. The identity of the user is established.
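The service provider's validation step (the last of the five above), written out as an added Java example for this post rather than code from OneLogin's toolkit. It assumes Java 17 or later, that the response arrives base64-encoded with an enveloped XML-DSig signature carrying the IdP certificate in ds:KeyInfo, and that the fingerprint algorithm name and hex value passed in are whatever the SP was configured with (placeholders here).

```java
import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.HexFormat;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SamlResponseCheck {
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    // Returns true only if the response carries exactly one XML signature that verifies under the
    // certificate in its ds:KeyInfo, and that certificate's fingerprint matches the configured one.
    public static boolean validate(String samlResponseBase64, String fingerprintAlg,
                                   String trustedFingerprintHex) throws Exception {
        byte[] xml = Base64.getDecoder().decode(samlResponseBase64);
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // ds:/saml: prefixes must resolve to their namespaces
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        // Step 1: the certificate inside ds:KeyInfo must be the one the SP was configured with.
        NodeList certs = doc.getElementsByTagNameNS(DS, "X509Certificate");
        if (certs.getLength() == 0) return false;
        byte[] der = Base64.getMimeDecoder().decode(certs.item(0).getTextContent());
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
        String actual = HexFormat.of().formatHex(MessageDigest.getInstance(fingerprintAlg).digest(cert.getEncoded()));
        if (!actual.equals(trustedFingerprintHex.replace(":", "").toLowerCase())) return false;
        // Step 2: verify the enveloped signature with that certificate's public key. SAML "ID"
        // attributes are not typed as xml:id, so register them or the Reference URI="#..." fails.
        NodeList sigs = doc.getElementsByTagNameNS(DS, "Signature");
        if (sigs.getLength() != 1) return false;
        DOMValidateContext ctx = new DOMValidateContext(
                KeySelector.singletonKeySelector(cert.getPublicKey()), sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // rejects risky transforms
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e.hasAttribute("ID")) ctx.setIdAttributeNS(e, null, "ID");
        }
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return sig.validate(ctx); // checks SignatureValue and every Reference digest
    }
}
```

A passing validate() only proves that the element the signature's Reference points at is intact; before reading the NameID, the SP must also confirm that the referenced ID belongs to the Response or Assertion it actually reads from, and check the Conditions (validity window, Audience) and Destination.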
SAML SSO Flow
The diagram below illustrates the single sign-on flow for Service Provider-initiated SSO, i.e. when an application triggers SSO.
Identity provider-initiated SSO is very similar as it consists only of the last two steps.
OneLogin's Open-Source SAML Toolkits
OneLogin has implemented and open-sourced SAML toolkits for five different web development platforms: