SAML

This topic describes the concept of SAML and where it is used.

Security Assertion Markup Language (SAML) is a standard, XML-based framework for creating and exchanging security information. It means that information about the identity of a user can be exchanged between Process Platform and other software systems that support the SAML standards. When using SAML, if a protected Web service operation is called, a client must provide valid assertions on the identity of the user before access is allowed. The client can get assertions by verifying credentials with a special Web service operation of Single Sign-On. The client must send these assertions within each SOAP request to gain access. The receiving service group verifies and validates the assertions. When the assertions are valid, and the user has proper authorization, access is allowed.

There are two use cases for SAML:

  • Web Single Sign-on
  • Authentication on service level (also known as system to system authentication)

Web Single Sign-on improves security and user experience when several integrated components are in use and the user would otherwise have to authenticate to each of them. With an external Identity Provider, users provide their credentials once for all the systems instead of once per system. When SAML is used for Web SSO, all the communication is done through the browser, as described in the SAML 2 specification.

With system-to-system authentication, SAML assertions are passed in the SOAP header, as described in the OASIS WS-Security SAML Token Profile.

When an external Identity Provider (IDP) issues a SAML assertion for a user, the assertion is signed with the certificate of the external IDP. When a SOAP request is sent to Process Platform, the SAML assertion is placed in the SOAP Header. You can add these certificates to the trust store using the Security Administration task. For information on adding certificates, refer to Managing SAML Trust and Managing Certificates.
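The following Python program is an added example, not Process Platform code, showing the checks a service provider applies to a SAML 2.0 assertion carried in a WS-Security SOAP header as described above: the assertion must come from a trusted issuer, must carry a signature, must be inside its validity window, and must name this SP as its audience. The SOAP envelope, issuer, entity IDs and signature value are constructed placeholders; cryptographic verification of the XML signature against the trust store is left to an XML-DSig library and is marked in the code.

```python
"""
Added example (not Process Platform code): service-provider-side checks on a
SAML 2.0 assertion in a WS-Security SOAP header, standard library only.
Every URL, name and the signature value below is a constructed placeholder.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample request: assertion from a hypothetical external IDP.
SAMPLE_SOAP = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      ID="_a1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
        <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignatureValue>BASE64-SIGNATURE-PLACEHOLDER</ds:SignatureValue>
        </ds:Signature>
        <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
        <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
          <saml:AudienceRestriction>
            <saml:Audience>https://pp.example.test/sp</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
      </saml:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""

# Placeholder trust configuration: issuers whose certificates are in the trust store.
TRUSTED_ISSUERS = {"https://idp.example.test/metadata"}
OUR_ENTITY_ID = "https://pp.example.test/sp"


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(soap_xml, now, trusted_issuers=TRUSTED_ISSUERS, audience=OUR_ENTITY_ID):
    """Return (subject, []) when the assertion is acceptable, else (None, reasons).

    `now` is a SAML-style UTC timestamp string so callers can pin the clock.
    """
    root = ET.fromstring(soap_xml)
    assertion = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        return None, ["no SAML assertion in the wsse:Security header"]

    reasons = []
    if assertion.get("Version") != "2.0":
        reasons.append("unsupported assertion version")

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:
        reasons.append(f"issuer not trusted: {issuer!r}")

    # The assertion must be signed; the cryptographic check of the signature
    # against the issuer's certificate is done by an XML-DSig library (not shown).
    if assertion.find("ds:Signature", NS) is None:
        reasons.append("assertion is not signed")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("assertion has no Conditions")
    else:
        current = _ts(now)
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and current < _ts(not_before):
            reasons.append(f"assertion not yet valid before {not_before}")
        if not_on_or_after and current >= _ts(not_on_or_after):
            reasons.append(f"assertion expired at {not_on_or_after}")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if audience not in audiences:
            reasons.append(f"audience {audience!r} not in {audiences}")

    subject = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not subject:
        reasons.append("assertion has no subject NameID")

    return (subject, []) if not reasons else (None, reasons)


if __name__ == "__main__":
    print(check_assertion(SAMPLE_SOAP, "2024-01-01T10:02:00Z"))
```

Rejecting on any single failed check, and reporting all of them, is deliberate: an operator debugging trust configuration sees every mismatch at once, while the caller only gets a subject when every condition holds.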

Process Platform implements the following SAML 2.0 specific points:

  • WS-Security SAML Token Profile, to send SAML assertions as part of the SOAP header. This is specifically used in system-to-system integrations. See Managing SAML Trust for configuring trust with a SAML 2 assertion provider.
  • Clearly separates the IDP from the Service Provider (SP).
  • Provides the SAML 2.0 configuration as metadata, which you can use to exchange the configurations between IDPs and the SP. You need to import the metadata during Authenticator Configuration in Security Administration. For more details about the SAML 2.0 compliant IDP authenticator, see Configuring SAML 2.0 Authenticator and SAML 2.0 Variables.
  • Single logout (SLO) functionality that terminates the user session.
  • SP can initiate a Web Single Sign-on check to confirm authentication.

Note: Process Platform is SAML 2.0 compliant only as an SP and will validate SAML 2.0 assertions issued by other IDPs. It will not generate SAML 2.0 assertions and therefore cannot function as an IDP. The SAML 2.0 assertion is not used internally in Process Platform. It is used only to authenticate the user; once that is done, Process Platform generates an internal SAML authentication token, which is used for the rest of the user's session.
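The following Python program is an added example, not Process Platform code, illustrating the SP side of the metadata exchange and the SP-initiated Web SSO check listed above: it reads an IDP metadata document to find the IDP's entityID, signing certificate and Single Sign-On and Single Logout endpoints, builds a SAML 2.0 AuthnRequest for that IDP, and encodes it for the HTTP-Redirect binding (DEFLATE, base64, URL encoding), all with the standard library. The metadata document, certificate text, entity IDs and URLs are constructed placeholders; signing of the redirect query string is not shown.

```python
"""
Added example (not Process Platform code): parse IDP metadata and issue an
SP-initiated SAML 2.0 AuthnRequest over the HTTP-Redirect binding.
The metadata, certificate, entity IDs and URLs are constructed placeholders.
"""
import base64
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NS = {"md": MD, "ds": DS}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample IDP metadata, shaped like the document an IDP exports for import into the SP.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
        <ds:X509Certificate>MIIBPLACEHOLDERCERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.test/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/sso"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract what the SP needs to trust and talk to the IDP."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without `use` serves both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                if c.text:
                    certs.append("".join(c.text.split()))
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    slo = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso, "slo": slo}


def build_authn_request(sp_entity_id, acs_url, destination, request_id=None, issue_instant=None):
    """Build an SP-initiated AuthnRequest asking the IDP to confirm authentication."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id or "_" + uuid.uuid4().hex,   # must be an NCName, hence the underscore
        "Version": "2.0",
        "IssueInstant": issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "ProtocolBinding": POST,
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")


def redirect_url(sso_location, authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # negative wbits = raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return sso_location + "?" + urlencode(params)


def decode_redirect_request(url):
    """Inverse of redirect_url: what the IDP does on receipt."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def parse_authn_request(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return {"id": root.get("ID"), "destination": root.get("Destination"),
            "acs": root.get("AssertionConsumerServiceURL"),
            "issuer": root.findtext(f"{{{SAML}}}Issuer")}


if __name__ == "__main__":
    md = parse_idp_metadata(SAMPLE_IDP_METADATA)
    xml = build_authn_request("https://pp.example.test/sp", "https://pp.example.test/acs", md["sso"][REDIRECT])
    print(redirect_url(md["sso"][REDIRECT], xml, relay_state="/app"))
```

The Destination attribute is set to the exact SSO endpoint taken from the metadata, and the IDP will in turn put the SP's assertion consumer URL into its Response; both sides checking those URLs against imported metadata is what makes the metadata exchange a trust configuration rather than just an address book.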

Benefits

The following are the benefits of using SAML protocol for authentication:

  • Single repository for user information - you do not have to maintain the same user information at multiple sources. A single repository avoids inconsistent user information and reduces the risk of privacy breaches.
  • Reduction in administrative overheads - Administrators can configure to have all their related sites or applications to rely on just a single Identity Provider (IDP), reducing the maintenance overhead.
  • Better experience for users - Seamless integration of applications that rely on a single identity provider gives users a single sign-on experience. In addition, identity federation (linking of multiple identities) with SAML allows a better-customized user experience at each service while promoting privacy.
  • Decoupling security from application development logic - SAML abstracts the security framework from software development and hence the security aspect can be later customized or even changed as per requirements. This decoupled approach helps also to reduce maintenance costs.

Advantages of having SSO based on SAML

  • Improved security - Process Platform offers a more secure framework for handling service requests.
  • Increased interoperability - Process Platform is compliant with the latest security standards, such as SAML, WS-Security and XML Encryption.
  • Anonymous login - People and systems that use Web Services in Process Platform can securely access these services based on SAML credentials without repeated authentication. This makes Process Platform more suitable for end users who, for instance, use a Web site that implements Process Platform services under the hood, because they do not have to be registered in LDAP.
  • Single instance authentication - Process Platform does not require sender identification of each message that passes the Web Gateway. Identification is handled once, after which access is controlled through security tokens.

Related information

If your Process Platform application works in a portal and authenticates users against an external IDP, then the authentication token of this external IDP is used to validate the user in Process Platform. This validation is done in a Process Platform SSO service container plugin. The SSO service container validates the user and the authentication token against the external IDP. If they are valid, it returns a set of SAML assertions. Therefore, the Process Platform SSO service container generates the SAML assertions.

If your application is not on a portal and you wish to authenticate against an external IDP, then you can create a custom authentication plugin. When the user provides credentials, they are sent to the Process Platform SSO service container. Usually, the SSO service container validates the credentials against the Process Platform repository (LDAP), but in this case a custom SSO plugin is used. This plugin authenticates against the external IDP and, after authentication, returns a set of SAML assertions. These assertions are used in subsequent calls to Process Platform. For more information on creating authentication plugins, refer to Authentication Plugins.

Related information

Single Sign-On
Managing Certificates
Managing SAML Trust
Example SOAP Messages for SAML Authentication
Example of SAML Assertions
WS-Security SAML Token