📖 What is Security Assertion Markup Language (SAML)?
Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). It enables Single Sign-On (SSO) across different security domains.
"SAML is the backbone of enterprise SSO. Remember that the IdP authenticates the user, and the SP trusts the assertion provided by the IdP."
📚 Certification: Certified Information Systems Security Professional (CISSP)
🔑 What are the Key Concepts of Security Assertion Markup Language (SAML)?
- ▸ The Identity Provider (IdP) authenticates the user and issues assertions, while the Service Provider (SP) relies on those assertions to grant access to resources.
- ▸ SAML Assertions are XML-based statements containing user identity and attributes, digitally signed by the IdP to ensure the data has not been tampered with.
- ▸ Federated Identity allows users to use a single set of credentials to access applications across different organizational boundaries through a pre-established trust relationship.
- ▸ The trust relationship is established by exchanging metadata, which includes the IdP's public key, allowing the SP to verify the digital signatures on assertions.
- ▸ SAML enables Single Sign-On (SSO) by decoupling the authentication process from the application, reducing the attack surface by limiting where credentials are stored.
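The trust model in the list above (IdP signs, SP verifies against the key it learned from metadata) is easiest to see in code. The following is an added example written for this page, not code from any SAML library or from the original text. It deliberately simplifies: a real SAML assertion is XML signed with XML-DSig after canonicalization, whereas here the "assertion" is a small struct whose fields are joined into the bytes that get signed. The issuer and audience URLs, the user names and the `TrustedIdP` type are assumptions chosen for the demonstration. The scenarios show why each check matters: an unsigned assertion, a tampered one, one forged with a different key, and one addressed to another SP are all rejected, while the genuine one is accepted.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Assertion is a simplified stand-in for a SAML assertion (hypothetical
// structure for this example): the statement fields plus the IdP's
// RSA signature over them. Signature is nil when the assertion is unsigned.
type Assertion struct {
	Issuer    string
	Subject   string
	Audience  string
	Signature []byte
}

// signedBytes returns the exact bytes the IdP signs and the SP verifies.
// Real SAML canonicalizes XML for this; a delimiter-joined string is enough here.
func (a Assertion) signedBytes() []byte {
	return []byte(strings.Join([]string{a.Issuer, a.Subject, a.Audience}, "|"))
}

// IssueAssertion models the IdP: after authenticating the user (out of scope
// here), it issues a statement about the subject and signs it with its private key.
func IssueAssertion(idpKey *rsa.PrivateKey, issuer, subject, audience string) (Assertion, error) {
	a := Assertion{Issuer: issuer, Subject: subject, Audience: audience}
	digest := sha256.Sum256(a.signedBytes())
	sig, err := rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	a.Signature = sig
	return a, nil
}

// TrustedIdP is what the SP keeps from the IdP's metadata exchange:
// the issuer identifier and the IdP's public signing key.
type TrustedIdP struct {
	Issuer string
	Key    *rsa.PublicKey
}

// VerifyAssertion models the SP. Access is granted only when the assertion is
// signed, comes from the trusted issuer, is addressed to this SP, and the
// signature verifies against the public key from the IdP's metadata.
func VerifyAssertion(trust TrustedIdP, spEntityID string, a Assertion) error {
	if a.Signature == nil {
		return errors.New("assertion is unsigned")
	}
	if a.Issuer != trust.Issuer {
		return errors.New("assertion issuer is not the trusted IdP")
	}
	if a.Audience != spEntityID {
		return errors.New("assertion is addressed to a different SP")
	}
	digest := sha256.Sum256(a.signedBytes())
	if err := rsa.VerifyPKCS1v15(trust.Key, crypto.SHA256, digest[:], a.Signature); err != nil {
		return fmt.Errorf("signature does not verify against IdP metadata key: %w", err)
	}
	return nil
}

// RunScenarios builds a trusted IdP and a rogue key, then returns the SP's
// verdict (nil = accepted) for a genuine assertion and four bad ones.
func RunScenarios() (map[string]error, error) {
	idpKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	rogueKey, err := rsa.GenerateKey(rand.Reader, 2048) // key the SP never trusted
	if err != nil {
		return nil, err
	}
	trust := TrustedIdP{Issuer: "https://idp.example.com", Key: &idpKey.PublicKey}
	const sp = "https://hr.example-cloud.com" // constructed SP entity ID

	valid, err := IssueAssertion(idpKey, trust.Issuer, "alice@example.com", sp)
	if err != nil {
		return nil, err
	}
	unsigned := valid
	unsigned.Signature = nil
	tampered := valid // signature kept, subject changed after signing
	tampered.Subject = "admin@example.com"
	forged, _ := IssueAssertion(rogueKey, trust.Issuer, "admin@example.com", sp)
	otherSP, _ := IssueAssertion(idpKey, trust.Issuer, "alice@example.com", "https://other.example.net")

	return map[string]error{
		"valid":          VerifyAssertion(trust, sp, valid),
		"unsigned":       VerifyAssertion(trust, sp, unsigned),
		"tampered":       VerifyAssertion(trust, sp, tampered),
		"forged":         VerifyAssertion(trust, sp, forged),
		"wrong_audience": VerifyAssertion(trust, sp, otherSP),
	}, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, verdict := range results {
		fmt.Printf("%-15s -> %v\n", name, verdict)
	}
}
```

The "unsigned" and "tampered" cases are the ones the exam scenario about forged identity tokens points at: an SP that skips signature verification, or accepts an assertion without a signature, cannot tell a genuine assertion from an edited one. The "forged" case shows that trust is anchored in the specific public key from metadata, not in the issuer string, and the "wrong_audience" case shows why an SP should also check that the assertion was issued for it.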
🎯 How does Security Assertion Markup Language (SAML) appear on the CISSP Exam?
You may be asked to select the most appropriate protocol for a corporate environment that needs to provide employees access to a third-party cloud HR system without creating new accounts.
A scenario might describe a security breach involving forged identity tokens; you will need to identify that the lack of digital signature verification on SAML assertions allowed the unauthorized access to occur.
Expect questions about the architectural flow of a SAML transaction, specifically identifying which entity is responsible for the initial authentication versus which entity provides the actual resource or service.
❓ Frequently Asked Questions
How does SAML differ from OAuth 2.0 and OpenID Connect (OIDC)?
SAML is an XML-based standard primarily used for enterprise SSO and authentication. OAuth 2.0 is an authorization framework for API access, while OIDC is a lightweight identity layer built on top of OAuth 2.0 using JSON.
What happens if the trust relationship between the IdP and SP is compromised?
If the IdP's private key is stolen, an attacker can forge valid SAML assertions, allowing them to impersonate any user. This highlights the critical importance of protecting the IdP's signing keys.