A must-have for authentication management, SAML (Security Assertion Markup Language) is the most widely used IT standard in the identity federation software market.
At SharingCloud, we rely on this secure standard to federate authentication for the vast majority of our customers on our Instant Suite platform.
Let's find out in more detail what this is all about.
SAML, authentication facilitator
Security Assertion Markup Language, more commonly known as SAML, is an open, standardised protocol that identity federation software uses to establish a connection between the two essential building blocks of federated authentication, namely:
- The Identity Provider (IdP) (client side)
- The Service Provider (SP) (Instant Suite side)
The main benefit of federating identity through SAML is to allow the Service Provider to delegate the authentication part to the Identity Provider and thus to offer the client a single authentication portal specific to their organisation.
SAML therefore provides single sign-on (SSO) for the services the customer uses on a daily basis: SAML authentication is a single sign-on not only across a client's various tools, but also across the different SharingCloud services.
How does it work in practice?
To understand how SAML works, you have to keep in mind that three major actors are involved in the authentication process: the Identity Provider, the Service Provider and the User.
Indeed, the user plays a major role in this approach: it is the user who, through their browser, links the two sides by carrying secure tokens. There is therefore no direct dialogue between the IdP and the SP, but rather encrypted requests and responses, validated using the exchanged certificates, which are relayed by the user's browser.
To better clarify this concept, below is an explanatory diagram of the various steps involved in authenticating and identifying a user on Instant Suite using SAML.
Step 1: The user attempts to access Instant Suite (Service Provider) or one of its applications via a URL.
Step 2: Instant Suite (SP) generates a SAML authentication request in the form of an encrypted message, embedded in the partner's authentication service URL.
Step 3: Instant Suite sends the authentication URL containing the request to the browser. The browser forwards it to the Identity Provider, the partner.
Step 4: Once the URL is received, the Partner (IdP) decodes the SAML request and authenticates the user.
Step 5: The partner then generates an encoded SAML response containing all the information needed to create the user's session and identify them, such as the user's personnel number, surname, first name or e-mail address. It returns the response to the browser, which in turn forwards it to Instant Booking's ACS (Assertion Consumer Service).
Step 6: The ACS (the SP's standard return endpoint, whose URL receives and processes the response) checks and validates the SAML response, then redirects the user to the originally requested URL.
Step 7: The user is now logged in to Instant Suite!
If the user does not yet exist in the SP's account management, they must be provisioned. Instant Suite can do this automatically by creating the user account during the authentication process, according to the client's needs, from the information contained in the encrypted response sent by the IdP.
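The seven-step exchange above and the provisioning note, as an added Python example that is not SharingCloud's code: it builds the SP's authentication request for the HTTP-Redirect binding (the request is DEFLATE-compressed and Base64-encoded into the SAMLRequest parameter, which is how step 2's message is carried in the partner's URL), decodes it as the IdP does in step 4, and then runs the checks an ACS must perform in step 6 on a constructed IdP response (Destination, InResponseTo, status, Issuer, validity window, AudienceRestriction) before extracting the NameID and the provisioning attributes named in step 5. Entity IDs, URLs, attribute names and the sample response are assumptions. The XML signature check against the IdP's federation certificate, which is what actually makes the response trustworthy, is left to a real SAML library (for example python3-saml / xmlsec) and is flagged in the code.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET  # production code should parse with defusedxml
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SKEW = timedelta(seconds=60)  # tolerated clock drift between IdP and SP

# Hypothetical federation parameters (assumed for this example, not real ones).
SP_ENTITY_ID = "https://sp.example.test/metadata"
ACS_URL = "https://sp.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/metadata"
IDP_SSO_URL = "https://idp.example.test/sso"


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_authn_request(relay_state: str, now: datetime) -> tuple[str, str]:
    """Steps 2-3 (SP side): AuthnRequest carried in a redirect URL.
    HTTP-Redirect binding = raw DEFLATE + Base64 in the SAMLRequest parameter.
    The returned ID must be stored so the response's InResponseTo can be checked."""
    request_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{now:%Y-%m-%dT%H:%M:%SZ}" '
           f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
           'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return request_id, f"{IDP_SSO_URL}?{query}"


def decode_authn_request(redirect_url: str) -> ET.Element:
    """Step 4 (IdP side): recover the AuthnRequest XML from the redirect URL."""
    deflated = base64.b64decode(parse_qs(urlparse(redirect_url).query)["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(deflated, -15))


def validate_response(response_b64: str, expected_request_id: str, now: datetime):
    """Step 6 (ACS side): checks to make before creating a session.
    Returns (ok, problems, identity). NOT done here: verifying the XML signature
    with the IdP certificate exchanged at federation set-up. Without that step
    every field below can be forged, so a real ACS must verify it first."""
    problems = []
    root = ET.fromstring(base64.b64decode(response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, ["not a samlp:Response"], {}
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match an outstanding request")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, problems + ["no plaintext Assertion"], {}
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ENTITY_ID:
        problems.append("Assertion Issuer is not the federated IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")) - SKEW:
            problems.append("Assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")) + SKEW:
            problems.append("Assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            problems.append("our entity ID is not in the AudienceRestriction")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not name_id:
        problems.append("no NameID in Subject")
    # Provisioning attributes (step 5): personnel number, first name, surname, e-mail.
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return not problems, problems, {"name_id": name_id, "attributes": attrs}


def constructed_idp_response(in_response_to, not_before, not_on_or_after,
                             audience=SP_ENTITY_ID) -> str:
    """Step 5 stand-in: a constructed, unsigned IdP Response (sample data only)."""
    xml = f'''<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1"
  Version="2.0" IssueInstant="{not_before}" Destination="{ACS_URL}" InResponseTo="{in_response_to}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="employeeNumber"><saml:AttributeValue>12345</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>'''
    return base64.b64encode(xml.encode()).decode()


def demo(now=datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)):
    """Whole exchange with a fixed clock; returns validate_response() per case."""
    req_id, url = build_authn_request("/rooms", now)
    assert decode_authn_request(url).get("ID") == req_id  # step 4 round-trip
    good = constructed_idp_response(req_id, "2024-01-01T11:59:00Z", "2024-01-01T12:05:00Z")
    other_sp = constructed_idp_response(req_id, "2024-01-01T11:59:00Z", "2024-01-01T12:05:00Z",
                                        audience="https://other-sp.example.test/metadata")
    expired = constructed_idp_response(req_id, "2024-01-01T10:00:00Z", "2024-01-01T11:00:00Z")
    unsolicited = constructed_idp_response("_unknown", "2024-01-01T11:59:00Z", "2024-01-01T12:05:00Z")
    return {"good": validate_response(good, req_id, now),
            "wrong_audience": validate_response(other_sp, req_id, now),
            "expired": validate_response(expired, req_id, now),
            "unsolicited": validate_response(unsolicited, req_id, now)}


if __name__ == "__main__":
    for case, (ok, problems, identity) in demo().items():
        print(case, "ACCEPT" if ok else "REJECT", problems or identity)
```

The "wrong_audience" case is the one worth dwelling on: a response that is perfectly valid for another Service Provider in the same federation must still be rejected here, which is why the AudienceRestriction and Destination checks exist alongside the signature.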
Furthermore, once the SSO connection is set up and activated, authentication is automatic and secure!
Prerequisites for SAML implementation
A specific configuration is required upstream in order to implement SAML across the different organisations. Because SAML is a standardised protocol, its use between an IdP and an SP is governed by the creation of a federation.
To create the federation, two essential points must be taken into account:
- The definition of attributes such as last name, first name, email, personnel number, etc. that can be exchanged between the IdP and the SP.
- Exchange of certificates between the IdP and the SP: each must provide a certificate to its counterpart to enable information exchanges. This certificate is subject to expiry (annual for most clients).
Updating the client certificate on our infrastructures, which originally required synchronisation between technical contacts, is now possible simply and automatically, thanks to developments carried out by our R&D and Infrastructure teams.
This automatic update ensures that the service is not interrupted when the original certificate expires.
This federation and certificate mechanism is common to all tools that use SAML.
Benefits for all stakeholders
- For the end user: No more need for passwords! SAML allows users to authenticate themselves automatically via a known and controlled identity management system that is specific to their organisation. They can access all applications governed by SAML seamlessly, with no need to re-authenticate between each application.
- For the partner administrator (IdP): the protocol is simple to implement. It simply requires the creation of a unique identifier for the user, which can be deployed and communicated to each SP when identifying and authenticating them on a platform or application.
Moreover, SAML considerably limits security system breaches (in this case phishing or hacking…) because passwords and other sensitive data are never disclosed. Indeed, the user is authenticated exclusively by means of encrypted messages.
- For the SharingCloud (SP) Instant Suite solution: SAML facilitates access and use of all our Instant Suite services. It allows the deployment of applications in a fast and secure manner.
Moreover, the encrypted data transmitted by the IdP are a goldmine for understanding our users and better targeting their needs.
SAML at a glance
Federation through the SAML standard is:
- A standardised and secure protocol
- The most common IT standard on the market and therefore known and mastered by administrators
- An extremely simplified procedure for all stakeholders
- A simple and fast authentication path that users/employees already know
In the context of a partnership with Microsoft, SharingCloud offers an application on the Azure Cloud for the integration of SAML into your organisations. This is a very simple and effective way to set up authentication to our Instant Suite solution via Azure AD.
Dear Customer, please do not hesitate to contact your Key Account Manager or our Support if you wish to implement a federation with your IdP.
Finally, two links that might be useful to you:
- The documentation on the procedure for setting up SAML via Microsoft: https://docs.microsoft.com/fr-fr/azure/active-directory/saas-apps/sharingcloud-tutorial
- The application: https://azuremarketplace.microsoft.com/fr-FR/marketplace/apps/aad.sharingcloud?tab=overview