SAML in Java
Generally, a user has to enter a username and password to log in to an application; otherwise, the application page will not open. SAML stands for Security Assertion Markup Language.
To understand what SAML is, we need to know what SSO is.
SSO (Single Sign-on)
Single sign-on (SSO) is a system that enables users to securely authenticate with multiple applications and websites by logging in only once with one set of credentials, that is, a username and password. With SSO, the application or website the user tries to access relies on a trusted third party to verify that users are who they say they are.
How does Authentication Work without SSO?
Without single sign-on, each website maintains its own database of users and their credentials and checks against it whenever we try to log in to that app or website.
The authentication verification data is usually passed as either cookies with session data or as tokens, which do not track the session and are faster to process.
Single sign-on is an agreement between three entities.
The first is the user: an individual who needs to access different services, should be able to manage personal information such as their password, and must be uniquely identifiable.
The second is the identity provider, which tells us more about that user. It is the source of truth not only for who this person is but also for what roles they hold; those roles, in turn, inform other systems about what this person is allowed to do.
The third is the service provider. Service providers are typically traditional applications, but they can include all sorts of products and services, such as Wi-Fi access, our phone, or "Internet of Things" devices like smart locks or a refrigerator.
So the concept of a service provider is not limited to a web application or even an API.
To create a single sign-on experience, we need to know about protocols.
The oldest of the three main ways we log into systems today is basic authentication, a plain username and password, which we have been doing forever.
There are three main protocols:
Basic Auth: A simple username-and-password scheme on an app-by-app basis.
OAuth: An API security model that relies on an outside identity provider and a key store to grant or deny access to APIs.
SAML: A web-based model that allows a third-party application or service to validate the user's identity and retrieve details about that user.
Advantages of SSO
What is SAML?
SAML is one of the protocols that help us implement SSO. Security Assertion Markup Language is an XML-based protocol for SSO, and it supports both authentication and authorization.
What is an SSO Token?
It is a collection of data that is passed from one system to another during the SSO process.
The token typically carries the user's email address and information about which system is sending it. The token is verified before the user is treated as authenticated: the sender digitally signs it, and the receiver checks that signature to confirm that the token comes from a trusted source.
The digital signature certificate is exchanged during the initial configuration process.
Let us see whether SSO is secure.
Is SSO Secure or Not?
There are many reasons SSO improves security. A single sign-on solution simplifies username and password management for both users and administrators: users no longer keep track of many usernames and passwords and can instead remember one more complex password. SSO also lets users access their applications quickly.
SAML and How It Works
SAML is an open standard used for authentication. Web applications use it to transfer XML-based data between two parties: the identity provider (IDP) and the service provider (SP).
The technology industry created SAML to simplify authentication so that users can access many independent web applications across many domains. Plain single sign-on, as discussed above, relies on cookies, which only work within the same domain. SAML gets around this by centralizing the user's authentication at an identity provider; web applications then use SAML, through that identity provider, to grant access to users. Users therefore do not need to remember separate usernames or passwords for each application. Service providers also benefit: they no longer store passwords and no longer have to deal with users who forget them, which increases the platform's security.
Benefits of SAML
There are many benefits, and SAML is a widely adopted enterprise solution. Mainly, it improves the user experience, as we only need to sign in once to access multiple web applications. We need to remember only one set of credentials, and authentication is faster.
The organization also benefits, because there are fewer help desk calls to reset passwords.
SAML offers increased security in addition to improving the user experience. Service providers no longer store user credentials on their systems; the identity provider specializes in providing secure SAML authentication, and it has the economies of scale to invest time and resources in multiple layers of security.
For example, IDPs offer comprehensive identity security solutions with built-in features such as multi-factor authentication (MFA) that protect against common password attacks.
Working of SAML
As we discussed, SAML works by exchanging information about the user, such as logins, authentication state, identifiers, and other relevant attributes, between the identity provider and the service provider. It simplifies and secures the authentication process, as the user only needs to log in once with one set of credentials. When the user accesses a site, the identity provider passes the SAML authentication to the service provider.
Like service providers, organizations must confirm our identity before accepting requests.
Let us consider an example from the airline industry. Before we board an aircraft, the airline confirms who we are to ensure the security of the other passengers. The airline staff verify our identity with a government-issued picture ID. Once they confirm that our name matches the name on the airline ticket, they allow us to board.
Let us assume that the government is the identity provider and the airline is the service provider. The government-issued ID is the SAML assertion. When we apply for a government ID, we fill out a form with our picture and, in some cases, our fingerprints. The identity provider (the government) stores these identifying attributes in its database and issues us a physical ID that represents our identity.
When we arrive at the gate, the service provider (the airline) checks our ID (the SAML assertion). The airline accepts the ID when the details on it match the details in its own records about us. After these formalities, the airline lets us board the aircraft. If any detail does not match, it does not let us board.
What is SAML SSO?
SAML single sign-on is a process, built on SAML, that allows users to log on to multiple web applications after logging into the identity provider only once. SAML SSO lets the user log in faster and improves the user's experience.
SAML SSO is easy to use and more secure from the user's perspective, as they only need to remember one set of credentials. It also provides fast and seamless access to each site, since the applications they access do not prompt them for a username and password.
Users can also log into the identity provider first and then open their web applications by clicking the URL provided by each application.
Beyond the convenience for the user, SAML SSO increases productivity for both users and the help desk. Users no longer waste time logging into many web applications with a different set of credentials for each site, and they no longer need to ask the help desk for password resets, which frees the service team to investigate other security issues.
Along with user satisfaction and productivity, SAML SSO also helps reduce costs. For example, the help desk workload can be kept within a set limit, and rather than implementing authentication for their own solution, organizations can subscribe to an identity provider, which reduces the labour of building and maintaining it internally.
OAuth is used in different ways in different projects. The "Auth" in OAuth stands for authorization, and, more importantly, it was meant for one service to authorize another service.
Let us take the classic example of a photo printing service. We have all seen websites where we upload an image file and pay to have the photo printed and delivered to our home address. Imagine we are starting a new photo printing business that lets people upload pictures to our website and order prints of them. We build the website, people sign up, and since nobody keeps their photos on their own machines anymore but in the "cloud", we keep getting feature requests like "Please add a Google Drive import feature" so that users can import their photos from Google Drive and print them directly, without downloading and uploading them again.
To import from Google Drive, we need to connect to the user's Google Drive account and access their files.
To solve this problem of services accessing each other on behalf of the user, a standard called OAuth was created. The first version was OAuth 1.0; the current and most widely used version is OAuth 2.0.
How does OAuth work?
A commonly used analogy for OAuth is the valet key model for cars. We have all heard of parking valets: a driver pulls up to a parking garage, gets out, and hands the keys to the valet, who parks the vehicle.
Some vehicles come with an additional valet key, like the primary car key but with reduced access. The valet key can start and stop the vehicle, but it cannot open the trunk or the fuel tank.
Here the vehicle owner uses two services: the vehicle and the valet. The valet needs direct access to the vehicle to do the job, but rather than handing over the vehicle's complete credentials, the master key, the owner gives the valet reduced, limited access by handing over the valet key.
It is similar to the working of the OAuth. OAuth, in general, is an authorization mechanism where services can authorize against each other on our behalf once we have permitted them. It is often referred to as delegated access for this reason.
OAuth and SAML are both protocols we use to access web applications. The main difference is that we use SAML for authentication and OAuth for authorization.
Let us consider the airline analogy again: the SAML assertion is the passenger's ID, and the OAuth token is the ticket. The airline uses the ID to verify a passenger's identity before allowing them onto the plane. Once the passengers are aboard, the flight attendants check the ticket to confirm that each passenger belongs on the plane and to check the passenger's status.
Example of SAML
SAML uses a claims-based authentication workflow. When we try to access a site, the service provider asks the identity provider to authenticate the user.
The service provider then uses the SAML assertion given by the identity provider to grant access to the user. Let us discuss this with an example.
How does SAML Work?
As we all know, SAML is an open standard that verifies the user's identity and offers authentication. In a typical corporate scenario, an employee must log on before being given access to company-related activities and to any part of the company's internal systems.
Once the user has authenticated, they can access the browser, Microsoft Office, the intranet, and so on; SAML lets users reach all these resources with a single digitally signed assertion.
Some companies are stricter: SAML only gets the user through the door or unlocks the computer screen, and separate authorization is required before doing anything else, including accessing files.
Network administrators use SAML to manage users from a central location. One password unlocks all the services a person needs while protecting the company's security.
The SAML workflow looks like this:
In this workflow, the service provider, the browser, and the identity provider pass information back and forth. The user barely notices, as the whole process is typically completed in seconds.
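As an added example (not code from the original page), here is what the service provider's "check the ID" step in this workflow looks like for the Response the identity provider posts back, written with the JDK's own XML APIs; the SP and IDP entity IDs, the ACS URL, the request IDs and the user are made-up values, and signature verification is noted in a comment rather than implemented.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Service-provider-side checks on a SAML 2.0 Response; every identifier here is constructed. */
public class SamlResponseCheck {
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Hypothetical identity of this service provider and of the IDP it trusts.
    static final String SP_ENTITY_ID = "https://sp.example.com/metadata";
    static final String ACS_URL = "https://sp.example.com/saml/acs";
    static final String IDP_ENTITY_ID = "https://idp.example.org/metadata";
    static final Duration CLOCK_SKEW = Duration.ofMinutes(2);

    /** Returns the failed checks; an empty list means the assertion may be used to log the user in. */
    static List<String> validate(String xml, String outstandingRequestId, Instant now) throws Exception {
        List<String> errors = new ArrayList<>();
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The response arrives from the network: forbid DTDs so it cannot carry XXE or entity-expansion payloads.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Element response = doc.getDocumentElement();
        // Before trusting any value below, the ds:Signature must be verified (javax.xml.crypto.dsig)
        // against the IDP certificate exchanged at configuration time; that step is omitted here.
        if (!ACS_URL.equals(response.getAttribute("Destination"))) errors.add("Destination is not this SP's ACS URL");
        if (!outstandingRequestId.equals(response.getAttribute("InResponseTo"))) errors.add("InResponseTo matches no pending AuthnRequest");
        NodeList assertions = response.getElementsByTagNameNS(SAML, "Assertion");
        if (assertions.getLength() != 1) { errors.add("expected exactly one Assertion"); return errors; }
        Element assertion = (Element) assertions.item(0);
        if (!IDP_ENTITY_ID.equals(firstText(assertion, "Issuer"))) errors.add("Issuer is not the trusted IDP");
        Element cond = (Element) assertion.getElementsByTagNameNS(SAML, "Conditions").item(0);
        // Validity window, with a small allowance for clock drift between IDP and SP.
        if (now.plus(CLOCK_SKEW).isBefore(Instant.parse(cond.getAttribute("NotBefore")))) errors.add("assertion is not yet valid");
        if (!now.minus(CLOCK_SKEW).isBefore(Instant.parse(cond.getAttribute("NotOnOrAfter")))) errors.add("assertion has expired");
        // The assertion must have been issued for this SP, not replayed from another service.
        NodeList audiences = cond.getElementsByTagNameNS(SAML, "Audience");
        boolean forUs = false;
        for (int i = 0; i < audiences.getLength(); i++) forUs |= SP_ENTITY_ID.equals(audiences.item(i).getTextContent().trim());
        if (!forUs) errors.add("Audience does not include this SP");
        return errors;
    }

    static String firstText(Element parent, String localName) {
        NodeList n = parent.getElementsByTagNameNS(SAML, localName);
        return n.getLength() == 0 ? "" : n.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed, unsigned sample of what an IDP posts back to the SP after the user authenticates.
        String sample = "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"" + SAML + "\""
                + " ID=\"_r1\" InResponseTo=\"_req42\" Destination=\"" + ACS_URL + "\">"
                + "<saml:Issuer>" + IDP_ENTITY_ID + "</saml:Issuer>"
                + "<saml:Assertion ID=\"_a1\"><saml:Issuer>" + IDP_ENTITY_ID + "</saml:Issuer>"
                + "<saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>"
                + "<saml:Conditions NotBefore=\"2024-05-01T10:00:00Z\" NotOnOrAfter=\"2024-05-01T10:05:00Z\">"
                + "<saml:AudienceRestriction><saml:Audience>" + SP_ENTITY_ID + "</saml:Audience>"
                + "</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>";
        Instant t = Instant.parse("2024-05-01T10:02:00Z");
        System.out.println("fresh response to our request: " + validate(sample, "_req42", t));
        System.out.println("response we never requested:   " + validate(sample, "_req99", t));
        System.out.println("same response one hour later:  " + validate(sample, "_req42", t.plus(Duration.ofHours(1))));
    }
}
```

Only the first call returns an empty list; the second fails the InResponseTo check and the third fails the validity window, which is why a valid signature alone is never enough to accept an assertion.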
How does OAuth Work?
"Auth" can mean authentication or authorization; for the OAuth protocol it specifically means authorization, that is, approval. The protocol is used to pass authorization from one service to another while protecting the user's username and password.
Employees often want a way to move from one app to another without logging in again. OAuth makes this possible.
Consider employees with an active Google account. They can use the same credentials to tap into the data found on:
Employees need these web-based programs to do their jobs, but the same person may get confused by having to create five different usernames and passwords.
Reusing the same username and password across sites ruins the security of the software: if one site is breached, the user's data is exposed and vulnerable on all the platforms. Logging on to a second site with a validation provided by the first is very different.
Some consumers worry about data mining and argue that relying on a tool from a company like Facebook gives it too much power: whenever a user logs into other apps and sites through Facebook, Facebook gains more consumer insight, and if Facebook's data is compromised, that person's other data and logins are also at risk.
Still, most employees are happy to save time during busy, stressful periods.
The OAuth workflow looks like this:
There are mainly three SSO protocols. They are:
When devising a plan to keep data and identities secure, IT administrators must select a federated identity protocol or framework to deploy, and they will typically use single sign-on (SSO).
Single sign-on allows employees to log in once on the network and not repeat it for every application. This matters because, according to research, companies deploy and use 170 to 200 applications; imagine an employee having to enter a username and password each time they access one of them.
While single sign-on is undoubtedly convenient for employees, it also helps IT administrators and IT security teams with identity and access management.
As we discussed, there are three protocols to choose from, and the choice is not easy. The top two are SAML, Security Assertion Markup Language, and OAuth, Open Authorization.
So, let us look at the differences between these protocols and recommend which one to choose.
Security Assertion Markup Language (SAML)
SAML is a protocol that lets an identity provider, where we manage our usernames, transmit a user's credentials to a service provider, the application the user is logging into. Because the protocol lets the identity provider pass what the service provider needs both to authenticate and to authorize the user, this is the main difference between SAML and OAuth.
SAML authenticates and authorizes the user at the same time; OAuth is used only for authorization. Simplifying password management and enabling SSO helps enterprises because employees use more and more applications.
The user requests a resource from the service provider, which redirects the user to the SAML identity provider's login page, where they enter their username and password. The identity provider checks these against the backend user database where the credentials are stored. Once verified, the identity provider sends a SAML response to the service provider, and the user is authenticated.
From the Open Authorization side, the latest version of the protocol is 2.0. It provides secure delegated access by giving access tokens to third-party service providers without exposing the user's credentials. However, it only authorizes the user and does not authenticate them; for authentication we need OpenID Connect (OIDC), which is what identity providers, the parties that create or manage identities, use for this purpose. Users first sign in with their identity provider and then access applications without logging in again or sharing credentials. As we can see, this is essentially the same approach SAML uses.
Differences between SAML and OAuth
SAML is designed for authentication and authorization, while OAuth was built only for authorization. The tokens also differ: the envelope of credentials that the user carries is called a SAML assertion in SAML and an access token in OAuth.
From the flow perspective, when the user logs into the service, as we demonstrated earlier, the first step in SAML is authentication: the service provider makes an authentication request to the IDP and redirects the user's browser to the IDP to authenticate, as we saw earlier. From the Open Authorization perspective, the process is similar, except that only authorization is granted and there is no encryption, which is another difference: the OAuth protocol does not define any encryption for its tokens and relies entirely on SSL/TLS to secure the communication.
The main differences are the token, the flow, and encryption, and these tell us when to use SAML versus OAuth.
In many cases it is good to use Open Authorization.
A basic example of OAuth
Let us take a concrete example to illustrate this protocol. Suppose we have a client and a server. When the client makes a request to the server, the server sends back an authorization code. The client then sends that authorization code to the server, and the server returns an access token. With this access token, the client can call the API and request the user's profile information.
Let us talk about what is used in the previous example.
If there are many accounts for a particular user, we select the one to use, and this authorization code grants access to specific information scopes.
In other words, the first step in OAuth2 is requesting certain scopes, and the user grants access to some of the available scopes. Scopes are simply the kinds of information our app may access on the user's behalf. The authorization code is then exchanged for an access token, which the server grants to the application. That is the authorization code in a nutshell.
Scope in OAuth2
A scope is the kind of information that the app requests: the data the app wants to access, requested in the form of scopes. There are read scopes, which allow reading data, and write scopes, which allow writing data in the application.
Redirect URL in OAuth2
The server assigns the redirect URL, which is configured on the server side. It helps the server check, behind the scenes, whether the application is valid, and after the user approves, the server redirects the user to this URL. That is all there is to redirect URLs.
Client ID and client secret
These are part of the information we must set up before building an application. They are two unique pieces of information, and the client secret must be stored securely.
The server generates the access token, and we use it to call the API and request profile information. The access token is the most important piece: with it we can explore the API or request the user's profile data, in this case the display picture, email ID, date of birth, and so on.
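The exchange described above, as an added example that is not part of the original page: an in-memory authorization server in Java (17 or newer) walking through the code-for-token exchange with a registered redirect URL, client ID and secret, and scopes. The client name, secret, URLs and user ID are constructed values, and the resource API is folded into the same class for brevity.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** In-memory model of the OAuth 2.0 authorization-code exchange; all names and secrets are constructed. */
public class OAuthCodeFlow {
    record Client(String id, String secret, String redirectUri) {}
    record AuthCode(String clientId, String redirectUri, Set<String> scopes, String userId, long expiresAt) {}
    record AccessToken(String value, Set<String> scopes, String userId) {}

    static final SecureRandom RNG = new SecureRandom();
    static String randomToken() {
        byte[] b = new byte[24]; RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    static class AuthServer {
        static final Set<String> SUPPORTED_SCOPES = Set.of("profile", "email", "photos.read");
        final Map<String, Client> clients = new HashMap<>();       // filled at client registration
        final Map<String, AuthCode> pendingCodes = new HashMap<>();
        final Map<String, AccessToken> tokens = new HashMap<>();

        /** Step 1: the user has approved the requested scopes; hand the browser a short-lived code. */
        String authorize(String clientId, String redirectUri, Set<String> scopes, String userId, long now) {
            Client c = clients.get(clientId);
            // Exact match only: a loose redirect_uri comparison would deliver codes to the wrong place.
            if (c == null || !c.redirectUri().equals(redirectUri))
                throw new IllegalArgumentException("unknown client_id or redirect_uri mismatch");
            if (!SUPPORTED_SCOPES.containsAll(scopes)) throw new IllegalArgumentException("invalid_scope");
            String code = randomToken();
            pendingCodes.put(code, new AuthCode(clientId, redirectUri, scopes, userId, now + 60_000));
            return code;   // the server then redirects the user to redirectUri?code=<code>
        }

        /** Step 2: the client's backend trades the code for a token, proving its identity with the secret. */
        AccessToken exchange(String clientId, String clientSecret, String code, String redirectUri, long now) {
            Client c = clients.get(clientId);
            if (c == null || !MessageDigest.isEqual(c.secret().getBytes(StandardCharsets.UTF_8),
                                                    clientSecret.getBytes(StandardCharsets.UTF_8)))
                throw new IllegalArgumentException("invalid_client");
            AuthCode ac = pendingCodes.remove(code);   // single use: a replayed code must fail
            if (ac == null || now >= ac.expiresAt()) throw new IllegalArgumentException("invalid_grant: code unknown or expired");
            if (!ac.clientId().equals(clientId) || !ac.redirectUri().equals(redirectUri))
                throw new IllegalArgumentException("invalid_grant: code was issued to a different client or redirect_uri");
            AccessToken t = new AccessToken(randomToken(), ac.scopes(), ac.userId());
            tokens.put(t.value(), t);
            return t;
        }

        /** Step 3: the API honours the token only for the scopes the user actually granted. */
        String resource(String bearerToken, String requiredScope) {
            AccessToken t = tokens.get(bearerToken);
            if (t == null) throw new SecurityException("invalid_token");
            if (!t.scopes().contains(requiredScope)) throw new SecurityException("insufficient_scope: " + requiredScope);
            return requiredScope + " data for " + t.userId();
        }
    }

    public static void main(String[] args) {
        AuthServer server = new AuthServer();
        // Values a developer receives when registering the photo-printing app (constructed).
        server.clients.put("photo-print-app", new Client("photo-print-app", "reg-secret-7f3a", "https://prints.example.com/callback"));
        long now = System.currentTimeMillis();
        String code = server.authorize("photo-print-app", "https://prints.example.com/callback", Set.of("profile", "photos.read"), "user-17", now);
        AccessToken token = server.exchange("photo-print-app", "reg-secret-7f3a", code, "https://prints.example.com/callback", now);
        System.out.println(server.resource(token.value(), "photos.read"));
        try { server.resource(token.value(), "email"); } catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        try { server.exchange("photo-print-app", "reg-secret-7f3a", code, "https://prints.example.com/callback", now); }
        catch (IllegalArgumentException e) { System.out.println("replay: " + e.getMessage()); }
    }
}
```

The last two calls in main show the two refusals that matter most in practice: a token never reaches a scope the user did not grant, and an authorization code cannot be redeemed twice.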
First, we must create the client ID and the client secret. It is straightforward:
Comparison of OAuth2 and SAML
As we know, SAML supports single sign-on and also helps with authorization via its attribute query. OAuth, by contrast, focuses on authorization, even when it is pressed into an authentication role, for example in social media logins with an Instagram or Facebook account; OAuth by itself does not support single sign-on (SSO).
Formally, SAML defines a token format; its encryption is complicated, and the messages exchanged are large. OAuth, on the other hand, does not use any message encryption; it relies on HTTPS and does not define a token format.
OAuth2's strength lies in ease of use and flexibility: it is used on mobile devices, smart devices such as smart TVs, web apps, and so on. Many libraries facilitate integration with many client types and service providers. SAML was not designed with these newer platforms in mind, which makes it harder to use on them; it is mainly used with traditional web apps.
OAuth also gives one service access to another without handing over login credentials, and it lets us reuse an existing account instead of creating new credentials. If we use our Gmail address to log into Office.com, we are using OAuth.
We can also use SAML and OAuth together. The client or user obtains a SAML assertion from the IDP and presents it to the authorization server to request access to the resource server. The authorization server verifies the user's identity from the assertion and returns an OAuth token, which the client sends in the HTTP header to access the protected resource.