SAML 101: How it works
Posted by Bart Hendrickx
In my last post, I wrote about what SAML is. In this one, I’ll offer a use case to put it into context. There are a number of scenarios where SAML can be used, but I will stick to login (authentication) that is initiated by the service provider. I’ll use Questionmark OnDemand as an example of a SP that can work with SAML. Our fictitious customer has an identity provider that is internally hosted behind a firewall, inaccessible from the outside world. Users at the customer’s company can go on the Internet; therefore, they can also take Questionmark OnDemand assessments.
User Jane Doe wants to connect to Questionmark OnDemand, to take an assessment that was scheduled to her. She browses to her company’s OnDemand area, which had been set up to authenticate via SAML. Through the federation metadata, Questionmark OnDemand knows which identity provider to ask for those authentication details. But it cannot talk to the IdP directly. Instead, it creates a SAML request which the web browser passes on to the IdP. Jane Doe’s computer is on the internal network and can access the IdP. The request is forwarded to the IdP, which accepts it because it knows about the service provider (SP), i.e. the customer’s OnDemand area—also possible thanks to the federation metadata.
Jane Doe is already logged on to the IdP: she opened her company’s intranet page this morning, which required her to authenticate, and that session is still active in her browser. So when the IdP gets a request: “Who is this user?”, it already knows the answer: “This is Jane Doe.” The IdP prepares a SAML response and includes a number of attributes, such as Jane Doe’s email address and hire date. All those data form an assertion, which is part of the response.
Again, Jane Doe’s browser plays a key role. It receives the SAML response with the assertion from the IdP and passes it on to the customer’s OnDemand area, which then reads the response. The OnDemand area confirms that this information comes from its trusted IdP and sees that this is Jane Doe. and that an assessment has been scheduled to her. Jane Doe now has access to the OnDemand area and can take the assessment.
For Jane Doe, this all happens seamlessly. She may see her browser redirect to other URLs a few times, when it is relaying information from the SP to the IdP and vice versa, but the entire process usually only takes a couple of seconds.
In a future post, I will explain what SAML requests and responses do and do not contain. Stay tuned!