Understanding SAML vs. SSO
Security assertion markup language (SAML) and single sign-on (SSO) are core components of the authentication ecosystem. While similar, these concepts are not the same. Instead, they work in tandem to improve the user experience while simultaneously reducing risk.
In this post, we'll consider common security challenges, break down the basics of SAML vs SSO, dive into key differences, and provide best practices for implementing SAML with SSO and selecting the right authentication approach for your business.
Common Challenges in Application Security
Despite reports of their timely demise, passwords remain prevalent. They're also problematic: The top four passwords in 2023 were "123456", "admin", "12345678", and "123456789". As a result, passwords alone aren't enough to prevent unauthorized access.
If attackers can obtain account names — which are often corporate email addresses or some combination of users' first and last names — they can run down the list of popular passwords. Even a single compromised account is enough to put company data at risk, meaning it's just a matter of time before attackers crack the code.
Beyond passwords, another persistent security problem is multiple logins for multiple applications. Consider that employees use 11 applications on average to complete their day-to-day tasks. If every app requires a separate login, that's 11 chances for attackers to compromise login details and breach company data
SSO and SAML are designed to reduce this risk by creating a streamlined and secure authentication ecosystem.
SAML vs. SSO: What Is SSO?
Definition of Single Sign-On
Single-sign-on is an authentication approach that lets authorized users or employees access multiple applications with a single set of login credentials. Instead of having to re-enter login and password data every time they use another application or service, they can simply open the app and start working.
To accomplish this goal, SSO solutions rely on tokens — encrypted digital markers that act as proof of authentication. When users log out of their accounts or log off the system, these tokens are deleted. In order to access applications or services again, they need to re-authenticate.
Benefits of implementing SSO
SSO increases security by eliminating the need for multiple login requests, each of which carries the risk of compromise. Instead, authentication is handled by a centralized database that verifies user identity and authorizes access to connected applications.
Common use cases of SSO
Google offers the most familiar example of SSO. Once users log into their Google Account they can access multiple services including Gmail, Drive, Sheets, and Google Meet.
SAML vs. SSO: What Is SAML?
Explanation of Security Assertion Markup Language (SAML)
Security assertion markup language is a data exchange protocol based on the extensible markup language (XML) standard. SAML facilitates the secure exchange of login credentials between service providers (SPs) and identity providers (IdPs). Service providers are typically applications or websites. Identity providers are trusted third parties that securely store login data.
How SAML works in the context of authentication
When an employee requests access to an application, the SP sends a SAML request to the IdP. The IdP then returns what is known as a SAML assertion. If login data matches what's on record, the employee is granted access to their requested application, along with access to any other applications or services covered by the IdP.
Advantages of using SAML for identity management
Let's say an HR manager wants to write an email. They also need to update employee information in the HR platform and access the web portal for the company's third-party healthcare provider.
Their first stop is their email account, which asks for their login and password. In this case, their email account is the service provider, which redirects them to a secure login portal. The HR manager enters their details, which are sent via SAML request to the IdP. Once approved, the IdP sends back an assertion, and the HR manager gets access to their email. Because the company's internal HR platform and external health provider app are also connected to the IdP, the HR manager can use both without having to re-enter their password. Simple, secure, and easy.
Key Differences Between SAML and SSO
Different functionalities and purposes of SAML and SSO
While SAML and SSO work together to improve security and streamline access, they are not the same.
SSO is an authentication framework that allows users to sign in once and access multiple applications within an IT environment. SAML, meanwhile, is a transport protocol for sending and receiving authentication data.
As a result, companies can deploy SSO without SAML. If they prefer to keep SSO entirely in-house, they can act as their own IdP and bypass the need for secure data transport. Companies can also implement SSO using other standards such as OpenID Connect (OIDC), OAuth 2.0, JSON Web Tokens, and Kerberos.
Understanding the role of SAML in enabling SSO
SAML enables SSO by expanding the number of available applications. Under a traditional SSO model authentication is domain-based. As a result, users are limited to applications with a specific domain, such as your local intranet. Attempting to access services outside this domain will require re-authentication.
SAML is also an open standard. This means it is free to implement and use and can be customized to meet specific business needs.
Finally, SAML assertions can include useful metadata such as user names and contact information, along with a list of per-app permissions to help ensure the appropriate level of access.
How SAML and SSO complement each other in a secure access management system
Pairing SAML with SSO allows companies to improve security and increase the number of accessible applications. Using SAML allows companies to connect with the IdP of their choice. These IdPs can offer support for hundreds or thousands of applications including local tools, web-based solutions, and cloud-based platforms. So long as the IdP supports the application or service, users do not need to re-authenticate.
Implementing SAML for Seamless SSO
Best practices for integrating SAML into your SSO framework: common challenges and solutions
Session timeouts play a key role in effective SAML adoption. By ensuring that users are logged out if they remain idle for too long, businesses can reduce the risk of unauthorized access, either by other on-site personnel or tied to attackers who manage to access network systems and view user desktops.
SAML improves authentication and access by providing a centralized source of identity management. But not all IdPs are created equal. Companies need IdPs that have a track record for secure storage of authentication data and reliable performance when it comes to SAML requests. In addition, businesses should prioritize IdP partners that support a wide variety of on-site, web, and cloud-based apps and are also willing and able to customize workflows with new applications as needed.
Multi-factor authentication also significantly reduces risk by requiring users to provide additional "factors" to confirm their identity. These factors are divided into three categories: Something users know, something users have, and something users are.
Login and password details are something users know. They're simple to use but difficult to protect; if attackers also know this information, they can impersonate users and gain access.
Physical tokens such as USB keys or one-time digital codes, meanwhile, are something users have. Consider an attacker who has stolen an employee's username and password. When they enter this information, they're prompted for a second factor — a one-time text or email code, or one generated by a secure app. Without this code, they cannot gain access.
Companies can further increase security with the use of biometric factors — something users are. These factors may include fingerprints, facial scans, or voice recognition.
Choosing the Right Authentication Approach
Pros and cons of SSO as a process
SSO streamlines the authentication process, but it can open your company to increased risk if sign-on sessions aren't paired with MFA and session timeouts.
Pros and cons of SAML as a protocol
SAML, meanwhile, increases the number and type of applications available for SSO but also increases your total attack surface.
Considerations for selecting the most suitable authentication method for your organization
Companies must carefully consider their authentication approach before implementing a solution. For example, companies that primarily use in-house applications and store most of their data on-site may be best served by SSO solutions that don't leverage SAML. Organizations that use a combination of local, web, and cloud-based services can benefit from the additional context provided by SAML requests and responses.
SSO and SAML both play a role in the authentication ecosystem. While SSO can be implemented on its own, these solutions work best in tandem. By providing a single-sign-on environment, companies can reduce the time users spend switching applications and entering login details. And by expanding this environment with SAML, businesses can increase the number of apps available to authorized users without compromising data security.
Ready to get started with SSO? Start your LastPass trial here.
FAQ
What is the difference between SSO and SAML and SCIM?
SSO (Single Sign-On) uses protocols like SAML to authenticate users.
Essentially, SAML is a standardized way to exchange authentication and authorization data between IdPs (Identity Providers) and SPs (Service Providers).
Meanwhile, SCIM stands for System for Cross-Domain Identity Management. It’s a protocol for seamlessly exchanging identity information between an IdP (Identity Provider) or IAM (identity & access management) system and cloud-based apps. SCIM enables the automation of:
- User provisioning and deprovisioning
- Group provisioning
- Access privilege monitoring
- Data synchronization between systems
What are the disadvantages of SAML?
The disadvantages of SAML include:
- SAML is based on XML and is harder to parse than modern data formats like JSON. This makes implementation more challenging.
- Unlike OAuth 2.0, SAML has limited functionality in a mobile-first environment.
- SAML relies on XML digital signatures, which leaves it vulnerable to a security vulnerability like XML Signature Wrapping (XSW). This is where attackers make unauthorized changes to signed messages without invalidating the original signature.
Are SSO and SSL the same?
No, SSO and SSL aren’t the same. SSO facilitates Single Sign-On (SSO), allowing users to authenticate with just a single set of credentials.
Meanwhile, SSL is a security protocol that encrypts data transmitted between a server and web browser. SSL has been succeeded by TLS, so you’ll often see it referenced as SSL/TLS.
Both SSO and SSL serve different purposes. For example, SSL/TLS may be used to encrypt communications between IdPs (Identity Provider), users, and applications.
Does SSO use SAML or OAuth?
SSO can use either SAML or OAuth.
SAML is commonly used to implement SSO in enterprise environments, while OAuth 2.0 is used to facilitate SSO through social media platforms like Google and Facebook.
Can SAML be used for API authentication?
SAML isn’t generally used for API authentication. It’s primarily designed for web browser-based SSO scenarios. The protocol of choice to facilitate API authentication is OAuth 2.0, which issues access tokens to enable secure communications between clients and APIs.
