SAML
Single Sign-on (SSO) with SAML
Security Assertion Markup Language (SAML) is a standard for logging users into applications based on an authenticated session they already hold in another context.
This single sign-on (SSO) login standard has significant advantages over logging in with a username and password:
- No need to type in credentials
- No need to remember and renew passwords
- No weak passwords
Most organizations already know the identity of users because they are logged in to their Active Directory domain or intranet.
It makes sense to use this information to log users in to other applications, such as web-based applications, and one of the more elegant ways of doing this is by using SAML.
How SAML Works
SAML is commonly used for enabling SSO between AWS and an identity provider (IdP) or identity federation service.
SAML provides a standard protocol for exchanging authentication and authorization data between the IdP and AWS.
This is done through an exchange of digitally signed XML documents.
SAML 2.0 bindings
SAML requestors and responders communicate by exchanging messages. The mechanism used to transport these messages is called a SAML binding.
Two different types of bindings are used in SAML 2.0:
1. Response Binding - HTTP POST
HTTP POST enables SAML protocol messages to be transmitted inside an HTML form field as base64-encoded content.
- It enables SAML requestors and responders to communicate by using an HTTP user agent as an intermediary.
- The agent might be necessary if the communicating entities do not have a direct path of communication.
- The intermediary might also be necessary if the responder requires interaction with a user agent such as an authentication agent.
- HTTP POST is sometimes called Browser POST, particularly when used in single sign-on operations.
- It uses a self-posting form during the establishment and use of a trusted session between an identity provider, a service provider, and a client (browser).
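The following is an added example (not code from the original page) that shows both halves of the HTTP POST binding described above: the identity provider embedding a base64-encoded SAML Response in a self-posting form, and the service provider decoding the posted SAMLResponse field and checking the fields that bind the message to it (Destination, InResponseTo, Issuer, Audience and the validity window). The sample Response is unsigned and all endpoints, entity IDs and the subject are constructed values; in a real deployment the XML-DSIG signature must be verified with an XML signature library against the IdP metadata certificate before any of these checks are trusted.

```python
"""Added example: SAML 2.0 HTTP POST binding, IdP side (form) and SP side (checks).
All URLs, entity IDs and the subject below are constructed sample values."""
import base64
import html
import re
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed endpoints; a real SP takes these from exchanged metadata.
SP_ACS_URL = "https://sp.example.com/saml/acs"
SP_ENTITY_ID = "https://sp.example.com/metadata"
IDP_ENTITY_ID = "https://idp.example.com/metadata"


def build_response_xml(request_id: str, subject: str, now: datetime) -> str:
    """Minimal (unsigned) Response + Assertion; a real IdP signs this with XML-DSIG."""
    nb, na = now.strftime(TS), (now + timedelta(minutes=5)).strftime(TS)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{nb}"
    Destination="{SP_ACS_URL}" InResponseTo="{request_id}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{nb}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def build_post_form(response_xml: str, relay_state: str) -> str:
    """The self-posting HTML form the IdP returns to the browser (Browser POST)."""
    encoded = base64.b64encode(response_xml.encode("utf-8")).decode("ascii")
    return (f'<form method="post" action="{html.escape(SP_ACS_URL)}">'
            f'<input type="hidden" name="SAMLResponse" value="{encoded}"/>'
            f'<input type="hidden" name="RelayState" value="{html.escape(relay_state)}"/>'
            '<noscript><input type="submit" value="Continue"/></noscript></form>'
            "<script>document.forms[0].submit();</script>")


def extract_field(form_html: str, name: str) -> str:
    """What the SP receives: the value of one hidden form field."""
    return re.search(rf'name="{name}" value="([^"]*)"', form_html).group(1)


def validate_post_response(saml_response_b64: str, expected_request_id: str, now: datetime) -> dict:
    """SP-side checks on the decoded Response. Signature verification (XML-DSIG,
    via an XML signature library) must precede these checks in real code."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != SP_ACS_URL:          # message is for this endpoint
        raise ValueError("Destination mismatch")
    if root.get("InResponseTo") != expected_request_id:  # answers a request we issued
        raise ValueError("InResponseTo does not match an outstanding request")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("non-success status")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        raise ValueError("unexpected issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    nb = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
    na = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    if not (nb <= now < na):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not addressed to this SP")
    return {"subject": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "issuer": issuer}


def demo() -> dict:
    """Full round trip plus two rejections: a replayed response and a stale one."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    request_id = "_req-" + uuid.uuid4().hex                  # the SP's AuthnRequest ID
    form = build_post_form(build_response_xml(request_id, "alice@example.com", now), "/dashboard")
    posted = extract_field(form, "SAMLResponse")
    accepted = validate_post_response(posted, request_id, now)
    rejected = {}
    for label, rid, when in (("replay", "_req-other", now),
                             ("stale", request_id, now + timedelta(minutes=10))):
        try:
            validate_post_response(posted, rid, when)
        except ValueError as err:
            rejected[label] = str(err)
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The checks in `validate_post_response` are the ones that keep a valid, signed assertion from being used at the wrong service provider, against a request the SP never made, or after it has expired; they complement signature verification rather than replace it.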