
What is SAML authentication and who needs it?

Managing user access to cloud resources is one of the main problems of using cloud applications safely in a corporate environment. With the proliferation of SaaS, PaaS and IaaS service models, managing access policies, including setting up strong authentication for each application, places a considerable burden on enterprise IT departments. Users have to remember numerous logins and passwords, which inevitably leads to forgotten passwords, reduced productivity and user frustration. Up to 20% of all support calls are related to the recovery of lost or forgotten passwords.



Moreover, IT departments often have no information about which applications particular users are working with and how often those applications are accessed, which in practice leads to the growth of shadow IT and reduces the effectiveness of resource management. From the point of view of access control, another question arises: how can you guarantee that an employee who leaves the company will no longer be able to use corporate applications? Finally, even though access to cloud resources can be secured by means of multi-factor authentication, IT departments often have no information about which employees have actually enrolled in such authentication. As a result, the likelihood of data compromise, the threat of phishing, brute force, hacking of cloud databases and other threats all increase.

In the absence of centralized access control tools, the use of cloud applications in a corporate environment usually does not scale well, leading to security breaches, increased administrative workload, user annoyance, and reduced organizational efficiency.

Cloud Access Control: Identity as a New Security Perimeter


In 2015, the Identity Theft Resource Center (ITRC) said that data breaches have become as inevitable in our lives as death and taxes. Under the conditions of this new reality, John Fontana from ZDNet proposes treating user identities as the new security perimeter, and defending that perimeter with new, standards-based tools.

SAML authentication


The Security Assertion Markup Language (SAML) is an open, XML-based standard for exchanging authentication and authorization data between the parties to a process. Standardized in 2002, SAML was developed by the Security Services Technical Committee of OASIS, an organization that promotes standards for working with structured information. Using the SAML protocol, users can access many of their cloud applications with just one login and password. This approach is called identity federation: instead of memorizing a separate login and password for each application, the user only needs to remember one such pair. In identity federation, a central system that supports the SAML protocol, called a trusted identity provider (IdP), authenticates users, and cloud applications hand off the authentication process to this IdP whenever a user attempts to access them.

SAML Identity Federation


Identity federation and single sign-on eliminate many of the complexities and problems that come with separately managing logins and passwords for multiple web applications, whether they are hosted within the organization or externally. Federation was made possible by the application of standards, and the SAML protocol is the cornerstone of this architecture and the main standard for identity federation. The widespread adoption of the protocol and its growing popularity have also become important benefits of SAML.

Since the standard is based on XML, SAML is extremely flexible. A single SAML implementation is enough to support single sign-on (SSO) connections with many different federation partners. This interoperability gives SAML certain advantages over proprietary, closed SSO mechanisms: in particular, SAML does not lock an organization into any particular vendor's product, and it lets the organization switch from one SAML authentication platform to another.

To demonstrate the flexibility and interoperability of SAML, the Kantara Initiative implemented an interoperability testing program in which SAML solution providers confirmed that their off-the-shelf products interoperate with other vendors' SAML implementations. To date, the Kantara Trust Registry lists more than 80 certified solutions from numerous vendors and organizations around the world.

How does SAML authentication work?


SAML authentication relies on the exchange of identity data between a trusted identity provider (IdP) and cloud or web applications. The SAML authentication model includes an identity provider that issues SAML assertions (such a provider can be, for example, the SafeNet Authentication Service) and a service provider that accepts these assertions, such as Google Apps, Office 365 or any other cloud application that supports SAML. SAML assertions are usually protected with a PKI-based digital signature, which serves as proof that the assertion is authentic and was issued by the IdP.

The authentication service, acting as the identity provider, obtains the user's credentials and returns a response to the cloud application being accessed. This response is called a SAML assertion. Depending on the contents of the assertion, the cloud application either grants or denies the user access. If the assertion contains a positive authentication statement, the user is logged on.

A key aspect of implementing identity federation with SAML is mapping users between the identity provider (IdP) and the service providers, so that when a user accesses a service like Office 365, the service knows which identity provider to redirect the user to for the strong authentication procedure.
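The "accept or deny" decision described above, as an added example that is not part of the original article: the service-provider side checks on a SAML 2.0 assertion. The XML-DSig signature is assumed to have already been verified by a dedicated XML signature library; this code enforces the remaining checks (trusted issuer, validity window, audience, subject) that decide whether the user is logged on. The IdP and SP entity IDs and the assertion itself are constructed sample values.

```python
# Added example (not from the original article): service-provider validation
# of a SAML 2.0 assertion *after* its XML-DSig signature has been verified by
# a dedicated library. Entity IDs and the assertion below are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample: the IdP asserts that alice may log in to the SP for 5 minutes.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    ID="_constructed_id_1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_saml_time(value):
    # SAML timestamps are UTC xsd:dateTime values such as "2024-01-01T12:00:00Z"
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, trusted_issuer, my_entity_id, now):
    """Return (accepted, reason, name_id); the SP denies access on any failure."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML 2.0 Assertion", None
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:                      # only the configured IdP may vouch
        return False, f"untrusted issuer {issuer!r}", None
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", None
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_after is None or now >= parse_saml_time(not_after):   # NotOnOrAfter is exclusive
        return False, "assertion expired or has no NotOnOrAfter", None
    if not_before is not None and now < parse_saml_time(not_before):
        return False, "assertion not yet valid", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:                 # assertion meant for another SP
        return False, "assertion not addressed to this service provider", None
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "missing Subject/NameID", None
    return True, "ok", name_id                        # map name_id to the local user account
```

The returned `name_id` is what the service provider maps to its local user record; an assertion that fails any check is denied even though its signature is valid.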

Identity Federation for centralized user access control


SAML allows you to extend the reach of existing corporate user accounts to cloud applications. Thanks to federated identity, users can do away with memorizing multiple logins and passwords entirely. They can access all of their cloud applications with the same corporate account they use to log on to the network every morning.

From the users' point of view, the SAML-based federated identity system works seamlessly and transparently. SAML SSO relies on a browser session cookie at the identity provider, so that after logging in to Office 365, the user does not need to re-authenticate when opening other cloud applications, such as Dropbox, WordPress or Salesforce, in new browser tabs.

Benefits of SAML-based Identity Federation


Apart from saving users from having to remember multiple logins and passwords, SAML authentication allows IT administrators to manage just one set of credentials per user for all applications. Therefore, when an employee leaves the organization, the IT department only needs to revoke one username and password; the account can be disabled without logging into each individual cloud application. Automated scripts further minimize the administrative burden on IT by synchronizing with user account stores such as MS SQL or Active Directory.

If you imagine the IT infrastructure as an office building, then a federated identity system using SAML gives company employees easier and more convenient access to the various areas of this building (offices, conference room, recreation area, dining room, etc.) with just one access card instead of a separate card for each room.

Who may need SAML?


Anyone who has to control user access to cloud applications while keeping that process efficient, secure and scalable. Web applications have been widely used in corporate environments for many years, and there are probably very few companies left without them.

Source: https://habr.com/ru/post/322316/
