Teleport Workload Identity with SPIFFE: Achieving Zero Trust in Modern Infrastructure
May 23
Virtual
Register Today
Support
LOG IN
Teleport logoTry For Free
Contact SalesTry for Free
Support
LOG IN
Home > Teleport Academy > Authentication and Privileges

What Is SAML (Security Assertion Markup Language)?

Posted 24th Feb 2023 by Kenny DuMez
What is Secretless (Passwordless) Authentication?
What are Access Requests?
What is Authorization?
What are Ephemeral Privileges?
What is Just-In-Time (JIT) access?
Principle of Least Privilege: What It Is & How to Implement It
What is RBAC?
Configure RBAC for Kubernetes EKS
RBAC for Google Cloud Kubernetes Engine (GCP GKE)
What is ABAC?
What is MAC (Mandatory Access Control)?
What is OAuth 2.0 (Open Authorization)?
What is FIDO (Fast IDentity Online)?
What is U2F (Universal 2nd Factor)?
What is WebAuthn?
What is OIDC (Open ID Connect)?
What Is SAML (Security Assertion Markup Language)?
The Failures of Shared Secrets and How We Can Replace Them
How to Configure Single Sign-On (SSO) for Accessing AWS EKS Clusters
Just-in-Time Access for Amazon EKS
Authenticating GCP GKE with Google Workspace SSO
Authenticating AWS EKS Kubernetes Clusters with Google Workspace SSO
Authenticating AWS EKS Kubernetes Clusters with GitHub SSO
Authenticating Azure AKS Kubernetes Clusters with GitHub SSO
Authenticating Google Kubernetes Engine Clusters with Okta SSO
Authenticating AWS EKS Kubernetes Clusters with Okta SSO
Authenticating Azure AKS Kubernetes Clusters with Okta SSO
Configuring Okta as an Identity Provider for Kubernetes Clusters
Azure AKS RBAC

What is Security Assertion Markup Language (SAML)?

Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between parties, and in particular, between an identity provider (IdP) and a service provider (SP). The Identity Provider will verify the identity of the user, verifying they are who they say they are. Think Okta, or Microsoft Active Directory. The service provider, once identity is validated, will then provide the user access to whatever services they need. Salesforce, for example, is a service provider.

In simpler terms, SAML enables users to log in to multiple applications, services, or websites using a single set of credentials, such as a username and password (often in addition to a second factor of authentication like biometrics or YubiKeys), by sharing authentication information across different platforms.

SAML establishes a trust relationship between the user, the identity provider and the service provider. The IdP authenticates the user and generates an assertion, which is sent to the SP. The assertion contains information about the user's identity and authentication status, which the SP uses to determine whether to grant access to the requested resource. SAML is widely used in web-based applications, including single sign-on (SSO) and federated identity management (FIM) systems.

SAML compared to older authentication models

SAML offers several benefits compared to other authentication models, such as standalone username and password authentication. Some of the benefits of SAML include:

  • Enhanced security: SAML provides a higher level of security by enabling the IdP to authenticate the user and generate an assertion that is cryptographically signed and can be verified by the SP. This ensures that the user's identity and authentication status cannot be tampered with or impersonated.
  • Simplified authentication: SAML enables users to log in to multiple applications and services using a single set of credentials, which eliminates the need for users to remember multiple usernames and passwords. This not only simplifies the authentication process but also reduces the risk of password reuse and associated security breaches.
  • Reduced administrative overhead: SAML eliminates the need for each application and service to maintain its own user database and authentication system. This reduces the administrative overhead and enables IT departments to manage user identities and access policies in a centralized manner.
  • Federated identity management: SAML enables organizations to share user identities and access policies across different domains and platforms. This facilitates the creation of a federated identity management system, which enables users to access resources across different organizations without the need for separate accounts or logins.

Why should you implement SAML in your organization?

If your company is concerned with secure user authentication, you should really consider implementing some form of SAML in your infrastructure access flow. Some of the benefits to your organization include:

  • Enhanced security: SAML provides a higher level of security by enabling organizations to centralize the management of user identities and access policies. This reduces the risk of security breaches and associated costs, such as lost revenue and reputational damage.
  • Compliance with regulatory requirements: SAML enables organizations to comply with regulatory requirements, such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), by providing a secure and auditable way of managing user identities and access policies.
  • Improved productivity: SAML reduces the administrative overhead of managing user identities and access policies by centralizing these tasks. This enables your IT department to focus on what matters and allows your engineers to be more productive. SAML actually streamlines authentication workflows instead of bloating them with multiple annoying verification steps.

All in all, SAML is a powerful tool for improving the security, usability and manageability of web-based applications and services. It enables organizations to centralize the management of user identities and access policies, simplifies the authentication process for users, and reduces the administrative overhead of managing multiple user password databases for each of their applications.

For more discussion on SAML check out our blog post going into more technical detail on the inner workings of the standard. Also learn how Teleport can help your organization implement SAML and OIDC for all of your infrastructure resources including Kubernetes clusters, databases, SSH hosts and even Windows boxes!

What is Secretless (Passwordless) Authentication?
What are Access Requests?
What is Authorization?
What are Ephemeral Privileges?
What is Just-In-Time (JIT) access?
Principle of Least Privilege: What It Is & How to Implement It
What is RBAC?
Configure RBAC for Kubernetes EKS
RBAC for Google Cloud Kubernetes Engine (GCP GKE)
What is ABAC?
What is MAC (Mandatory Access Control)?
What is OAuth 2.0 (Open Authorization)?
What is FIDO (Fast IDentity Online)?
What is U2F (Universal 2nd Factor)?
What is WebAuthn?
What is OIDC (Open ID Connect)?
What Is SAML (Security Assertion Markup Language)?
The Failures of Shared Secrets and How We Can Replace Them
How to Configure Single Sign-On (SSO) for Accessing AWS EKS Clusters
Just-in-Time Access for Amazon EKS
Authenticating GCP GKE with Google Workspace SSO
Authenticating AWS EKS Kubernetes Clusters with Google Workspace SSO
Authenticating AWS EKS Kubernetes Clusters with GitHub SSO
Authenticating Azure AKS Kubernetes Clusters with GitHub SSO
Authenticating Google Kubernetes Engine Clusters with Okta SSO
Authenticating AWS EKS Kubernetes Clusters with Okta SSO
Authenticating Azure AKS Kubernetes Clusters with Okta SSO
Configuring Okta as an Identity Provider for Kubernetes Clusters
Azure AKS RBAC

Table of Contents

Background image

Teleport Enterprise

Protect your infrastructure with essential security & compliance capabilities