Overall SAML principles and terms
SAML is an open standard for exchanging authentication and authorization data between parties, specifically between an identity provider and a service provider. This document provides an overview of SAML principles and key terms to help you effectively configure and manage SAML with Knocknoc.
What is SAML?
SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information. It allows secure domains to exchange user data, enhancing the ability to support single sign-on (SSO) – a process that allows users to access multiple services with one set of credentials.
Key Components of SAML
- Identity Provider (IdP): An entity that creates, maintains, and manages identity information while providing authentication services to service providers, e.g. Okta, Entra ID, JumpCloud.
- Service Provider (SP): An entity that provides services, like web applications, and relies on the IdP for authentication, e.g. Knocknoc.
- Assertion: A package of information that supplies one or more statements made by the IdP about a user. This can include attributes about the user, authentication information, and entitlements.
SAML Assertions
Assertions are the key element of SAML. They are XML documents that contain:
- Authentication Statement: Information about the authentication act (e.g., when and how the user authenticated).
- Attribute Statement: Information about the user (e.g., user’s name, email).
- Authorization Decision Statement: Information about what the user is allowed to do.
SAML Protocols, Bindings and Profiles
SAML defines a set of protocols for requesting and delivering assertions:
- Authentication Request Protocol: Used by SPs to request authentication from an IdP.
- Assertion Query/Request Protocol: Allows SPs to request specific assertions.
Bindings are the mechanisms used to transport SAML messages between parties. Examples include HTTP Redirect, HTTP POST, and SOAP.
Profiles are methods of combining various SAML elements (assertions, protocols, and bindings) to support specific use cases. The most common is the Web Browser SSO Profile.
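The following added example (not part of the original Knocknoc documentation) shows the Authentication Request Protocol and the HTTP Redirect binding working together: it builds a minimal AuthnRequest as an SP would, applies the binding's encoding (raw DEFLATE, then base64, then URL-encoding) to produce the SAMLRequest query parameter, and decodes it back the way the IdP does. The entity ID, ACS URL and IdP SSO URL are constructed placeholders; the SigAlg/Signature query parameters that a production SP appends are deliberately left out.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholders; a real deployment takes these from SP/IdP metadata.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/sso/redirect"


def build_authn_request(request_id, issue_instant, issuer=SP_ENTITY_ID,
                        acs_url=SP_ACS_URL, destination=IDP_SSO_URL):
    """Build a minimal <samlp:AuthnRequest> as the SP sends it.
    ProtocolBinding asks the IdP to return its Response over HTTP POST,
    because a signed Response is far too large for a URL."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": HTTP_POST_BINDING,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header),
    base64, then URL-encode so the result fits in a query parameter."""
    compressor = zlib.compressobj(wbits=-15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect(param_value):
    """Inverse of encode_redirect, as the IdP applies it to SAMLRequest."""
    raw = base64.b64decode(urllib.parse.unquote(param_value))
    return zlib.decompress(raw, wbits=-15).decode("utf-8")


def redirect_url(xml_text, relay_state=None, idp_sso_url=IDP_SSO_URL):
    """Assemble the URL the browser is sent to. A production SP also appends
    SigAlg and Signature over this query string; that step is omitted here."""
    query = "SAMLRequest=" + encode_redirect(xml_text)
    if relay_state is not None:
        query += "&RelayState=" + urllib.parse.quote(relay_state, safe="")
    return f"{idp_sso_url}?{query}"


def parse_authn_request(xml_text):
    """Read back the fields the IdP needs in order to act on the request."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "binding": root.get("ProtocolBinding"),
    }


if __name__ == "__main__":
    request_xml = build_authn_request("_req-0001", "2024-05-01T10:00:00Z")
    url = redirect_url(request_xml, relay_state="/dashboard")
    print(url)
    param = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["SAMLRequest"][0]
    print(parse_authn_request(decode_redirect(param)))
```

The decode step shows why an IdP must treat SAMLRequest as untrusted input: the parameter is inflated before it is parsed, so a hardened XML parser and a size limit on the inflated output belong in front of `parse_authn_request` in a real implementation.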
Security Considerations
SAML is a more secure way to authenticate users, because the SP never receives the user's password. Security is nevertheless paramount in SAML implementations. Key considerations include:
- Message Confidentiality and Integrity: Using digital signatures and encryption to protect messages. Knocknoc signs messages with a separate certificate.
- Trust Establishment: Ensuring that messages are exchanged between trusted parties, usually through X.509 certificates. You will need properly trusted SSL certificates when working with SAML.
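As an added example, not Knocknoc's own code, the Python below reads a constructed SAML assertion and extracts the three statement types described under SAML Assertions above, then runs two of the trust checks that the security considerations call for: that the assertion's signature actually references this assertion, and that the certificate carried in the message is the IdP certificate the SP already has on file (compared by SHA-256 fingerprint) rather than whatever certificate the message happens to embed. The certificate is a placeholder byte string, all assertion values are constructed, and the cryptographic XML-DSig verification itself is left to a dedicated library.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML, "ds": DS}

# Constructed placeholder standing in for the IdP's DER signing certificate as
# the SP holds it from IdP metadata.  Not a real certificate.
PINNED_IDP_CERT_B64 = base64.b64encode(b"constructed-idp-signing-certificate").decode("ascii")

# Constructed sample assertion; every value is illustrative.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DS}"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo><ds:Reference URI="#_a1b2c3"/></ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {PINNED_IDP_CERT_B64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-05-01T09:59:58Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>ops</saml:AttributeValue>
      <saml:AttributeValue>vpn-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://sp.example.com/admin" Decision="Permit">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""


def cert_fingerprint(cert_b64):
    """SHA-256 over the DER bytes; whitespace inside the base64 is ignored."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def parse_statements(xml_text):
    """Turn the authentication, attribute and authorization decision statements
    into plain Python data.  Real input is attacker-controlled XML: use
    defusedxml or an equally hardened parser there, not bare ElementTree."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    authn = root.find("saml:AuthnStatement", NS)
    ctx = None if authn is None else authn.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
    attributes = {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    decisions = [{
        "resource": dec.get("Resource"),
        "decision": dec.get("Decision"),
        "actions": [a.text for a in dec.findall("saml:Action", NS)],
    } for dec in root.findall("saml:AuthzDecisionStatement", NS)]
    return {
        "subject": None if name_id is None else name_id.text,
        "authentication": None if authn is None else {
            "instant": authn.get("AuthnInstant"),
            "context": None if ctx is None else ctx.text,
        },
        "attributes": attributes,
        "authorization": decisions,
    }


def signature_references_assertion(xml_text):
    """Integrity: the enveloped signature must reference this assertion's own
    ID, otherwise a valid signature vouches for some other element."""
    root = ET.fromstring(xml_text)
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return ref is not None and ref.get("URI") == "#" + root.get("ID", "")


def signing_cert_is_pinned(xml_text, pinned_cert_b64):
    """Trust establishment: the KeyInfo certificate is not trusted because it is
    present; it must match the IdP certificate the SP already holds."""
    root = ET.fromstring(xml_text)
    cert = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        return False
    return cert_fingerprint(cert.text) == cert_fingerprint(pinned_cert_b64)


def accept_assertion(xml_text, pinned_cert_b64):
    """Structural gate to run before handing the XML to an XML-DSig library for
    the cryptographic check.  Returns the parsed statements or raises."""
    if not signature_references_assertion(xml_text):
        raise ValueError("signature does not cover this assertion")
    if not signing_cert_is_pinned(xml_text, pinned_cert_b64):
        raise ValueError("signing certificate is not the configured IdP certificate")
    return parse_statements(xml_text)


if __name__ == "__main__":
    import json
    print(json.dumps(accept_assertion(SAMPLE_ASSERTION, PINNED_IDP_CERT_B64), indent=2))
```

The order matters: the fingerprint comparison decides which key the signature library is allowed to verify against, so it runs before, not after, signature verification.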
Implementing SAML in Knocknoc
When configuring SAML in Knocknoc:
- Identify Your IdP and SP: Knocknoc is the SP, and your identity provider is the IdP (e.g. Okta).
- Configure Assertions: Customize the assertions to include the necessary user information.
- Select Bindings and Profiles: Choose appropriate bindings and profiles based on your use case.
- Test the SAML Flow: Ensure that the authentication flow works as expected and is secure.
- Monitor and Update: Regularly monitor the SAML setup and update as necessary, considering any new security patches or compliance requirements.