How SAML Single Sign On simplifies login

Many companies are affected by unmanageable growth in user accounts and passwords. Convenient single sign on services not only make it easier for employees but also relieve the burden on IT staff and improve IT security.

Typical users usually accumulate dozens, if not hundreds, of accounts over the years. Every single account needs a username and password. Even with a password manager this can be a difficult task. To make matters worse, many people choose simple passwords and use their passwords multiple times. It is often only a matter of time before a serious incident occurs and attackers manipulate, steal or encrypt important data.

Single Sign On (SSO) is simple

Thankfully the problems caused by managing many usernames and passwords can be solved and SSO is ideal for the job. SSO is a central service that users only need to register with once, afterwards they can then access several different services. SSO also means that users only need to log in once.

A well-known example of an SSO provider is Google. Anyone who has logged on to the Google website can access services such as Gmail, Google Docs, Google Analytics or Google Meet without having to log on again. Even much smaller companies than Google are already using SSO to offer their employees easy and secure access to business applications. It usually doesn't matter whether these programs and services are provided on-premise, remotely or via the cloud.

Understanding Security Assertion Markup Language (SAML)

There are numerous standards and protocols for implementing SSO. One of the most important methods used for Single Sign On is Security Assertion Markup Language (SAML). SAML is an open, XML-based method for exchanging authentication and authorization data between two or more parties, usually an identity management service and an application.

The first drafts of Security Assertion Markup Language are over 20 years old. In 2005, version 2.0 was released, which still plays a decisive role in the implementation of SSO solutions. SAML addresses three components: the user, the identity provider and the service provider. Generally, users make a request to the service provider to use one or more services. Before the service provider can allow access to the service, it contacts the identity provider (IdP). The IdP checks the identity and permissions of the user and grants them access authorizations if appropriate. Once the authorization is sent back to the service provider, the user can access the service.

The identity provider is also known as a “single source of truth”, since only it can validate access. For example, to verify the identity of the user, it may request a username and password. After validating the user’s identity, the identity provider confirms to the service provider that access is authorized and access is then granted by the service provider.

Why SSO is easy to implement with SAML

The real magic of SSO is that it works with multiple service providers. If the user wants to use the services of a second provider, they can also contact the identity provider and check the  user’s authorizations. As a result, the user saves the effort of logging in to several services. The reverse also works: A service provider can have multiple identity providers. Such solutions are encountered on larger websites where users can log in via Google, Facebook or Apple.

SAML is widely successful because it is a very flexible technology. For example, it does not specify how authentication should take place. It only handles communication between the identity provider and the service provider. If an organization already has a database for managing users, it can also be integrated into a SAML SSO system. SAML SSO can be easily implemented for many different system landscapes without the need for complex customizations. The basic scheme does not even have to be changed if a company subsequently decides to introduce multi-factor authentication (MFA).

How to check OpenID and OAuth identities and permissions

In addition to SAML, OpenID and OAuth are often mentioned. The technologies are quite similar, but also have a number of differences. OpenID is an authentication standard. It verifies whether a user is actually who they claim to be. Once a user or entity has been verified, the authorization process begins. Authorization is required for granting the user certain access rights. In most cases, a user is already authorized once they are logged in and can access certain applications or data, for example. OAuth 2.0 can be used for controlling access granularly. For example, a user might be able to access HR data but not financial data which would require additional authorization.

How SSO and SAML work with VPN and the cloud

Secure communications provider NCP has developed an SSO solution based on SAML. The NCP Gateway and the NCP Management Server work together with identity providers (e.g. Okta or Microsoft Azure AD) to verify all user login requests via the SSO portal and approve them if necessary. Users only need to log in once to access several web-based applications easily and securely.