Overall SAML principles and terms
An overview of SAML principles and key terms to help you effectively configure and manage SAML with Knocknoc.
What is SAML?
SAML is an open standard for exchanging authentication data between parties, specifically between an identity provider and a service provider. An XML-based framework for communicating user authentication, entitlement, and attribute information. It allows secure domains to exchange user data, enhancing the ability to support single sign-on (SSO) – a process that allows users to access multiple services with one set of credentials.
Key Components of SAML
- Identity Provider (IdP): An entity that creates, maintains, and manages identity information while providing authentication services to service providers (e.g OKTA, EntraID, Jumpcloud).
- Service Provider (SP): An entity that provides services, like web applications, and relies on the IdP for authentication (e.g Knocknoc).
- Assertion: A package of information that supplies one or more statements made by the IdP about a user. This can include attributes about the user, authentication information, and entitlements.
SAML Assertions
Assertions are the key element of SAML. They are XML documents that contain:
- Authentication Statement: Information about the authentication act (e.g when and how the user authenticated).
- Attribute Statement: Information about the user (e.g user’s name, email).
- Authorization Decision Statement: Information about what the user is allowed to do.
SAML Protocols, Bindings and Profiles
SAML defines a set of protocols for requesting and delivering assertions:
- Authentication Request Protocol: Used by SPs to request authentication from an IdP.
- Assertion Query/Request Protocol: Allows SPs to request specific assertions.
- Bindings: Mechanisms used to transport SAML messages between parties (e.g HTTP Redirect, HTTP POST and SOAP).
- Profiles: Methods of combining various SAML elements (assertions, protocols, and bindings) to support specific use cases. The most common is the Web Browser SSO Profile.
Security Considerations
SAML is a more secure way to authenticate users, as the SP never receives the password of the user. However, security is paramount in SAML implementations. Key considerations include:
- Message Confidentiality and Integrity: Using digital signatures and encryption to protect messages. Knocknoc signs messages with a separate certificate.
- Trust Establishment: Ensuring that messages are exchanged between trusted parties, often through X.509 certificates. You will need trusted SSL certificates when working with SAML.