Understanding SAML 2.0 for CISSP Exam

SAML enables SSO between systems in web-based scenarios, where a user accesses applications or services through a web browser.

CISSP Domain-5 Understanding SAML for CISSP Certification

Why do we need SSO?

Typically, an employee uses around 20 different services on average while at work. From a security perspective, every one of these services must authenticate the user before granting access. However, maintaining separate credentials for all of these services and applications is a huge burden for the employee, who then tends to write the credentials down somewhere so as not to forget them.

Our CISSP exam training helps you enhance your cybersecurity expertise and pass the CISSP exam on the first attempt. It covers topics such as security operations, security architecture and engineering, asset security, identity and access management (IAM) and more.

The Core concept of Single-Sign-On (SSO)

As an industry-wide solution, companies often implement Single Sign-On (SSO) to meet this challenge. SSO has great benefits for both end users and administrators, and it reduces risk for the entire organisation. Instead of maintaining 20 different credentials, the user maintains one credential with a strong password. The user authenticates once to a central authentication service such as Active Directory, and whenever he or she needs to access a service, that service is authenticated against the central authentication service in a way that is transparent to the user. This topic is highly testable in the CISSP certification exam. To keep you informed, the CISSP computer-based testing exam is again reduced to 3 hours effective April 15, 2024.

Security Assertion Markup Language (SAML)

SAML is an open XML-based standard for enabling authentication and authorization between the Identity Provider (IdP) and the Service Provider (SP).

Before we dive deeper, let’s understand a few important terms in SAML:

SAML Key Components

Identity Provider (IdP)

The central service in your organization dedicated to authenticating users and authorizing access to resources, e.g. Active Directory.

Service Provider (SP)

Any application or service required by the user that depends on the IdP for authentication and authorization services. It is also sometimes called a relying party (RP).

The Subject

The end user who wants to use a certain service within a domain.

How SAML Works:

While you go through this article to make your CISSP notes, if you need a video explanation, you can refer to the video below to see how SAML operates.

1. The user requests access to a service provider (SP) application.

2. SAML Request: The SP detects that the user is not authenticated and sends a SAML authentication request to the user's browser (transparent to the user).

3. The user's browser redirects the request to the identity provider (IdP).

4. The IdP prompts the user to authenticate by providing a username and password, or by other means such as multi-factor authentication (if the user is not already authenticated).

5. SAML Response: Once the user is authenticated, the IdP generates a SAML assertion (a digitally signed token) that contains information about the user's identity and attributes, and sends it back to the user's browser.

6. The user's browser forwards the IdP-provided SAML assertion to the SP.

7. The SP verifies the digital signature on the SAML assertion and checks that it is issued by a trusted IdP. The SP also checks that the user has the necessary permissions to access the requested resource.

8. If the SAML assertion is valid and the user is authorized, the SP grants access to the requested resource.
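The checks an SP performs in step 7, as an added example that is not part of the original article: issuer, validity window (with clock skew), audience, and InResponseTo are validated against a constructed assertion. The entity IDs, URLs and the assertion itself are constructed placeholders, and the cryptographic XML-DSig verification of the signature is left to a dedicated library.

```python
# Added example: SP-side validation of a received SAML assertion (step 7).
# Entity IDs and the assertion below are constructed; the XML-DSig check itself
# needs a proper library (e.g. xmlsec) and is not implemented here.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TRUSTED_IDP = "https://idp.example.com/metadata"        # constructed
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"   # constructed

# Constructed assertion; in practice it arrives base64-encoded in SAMLResponse.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
 <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
 <saml:Subject><saml:NameID>alice@example.com</saml:NameID><saml:SubjectConfirmation
  Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_req42"
  NotOnOrAfter="2024-05-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions></saml:Assertion>"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now, expected_in_response_to, skew=timedelta(minutes=2)):
    # Returns a list of failures; an empty list means the assertion is accepted.
    a = ET.fromstring(xml_text)
    errs = []
    if a.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        errs.append("untrusted issuer")
    # The signature must be present and cover this assertion's own ID.
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        errs.append("missing or mis-referenced signature")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        errs.append("missing Conditions")
    else:
        if now + skew < parse_ts(cond.get("NotBefore")):
            errs.append("assertion not yet valid")
        if now - skew >= parse_ts(cond.get("NotOnOrAfter")):
            errs.append("assertion expired")
        auds = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in auds:
            errs.append("audience mismatch")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected_in_response_to:
        errs.append("InResponseTo does not match an outstanding request")
    return errs
```

Replaying an old assertion or one issued for a different SP fails the time-window and audience checks respectively, which is why both belong in every SP's validation path.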

SAML Assertions

SAML assertions are XML-formatted statements exchanged between the IdP and the SP that contain information about a user's authentication and authorization. When an assertion is sent from the IdP to the SP, it is digitally signed and encrypted. The IdP's digital signature provides assurance to the SP that the assertion actually came from the IdP.

Types of assertions:

  • Authentication Assertions: Contains parameters related to authentication.
  • Attribute Assertions: Contains user information like name, role, email, group membership etc.
  • Authorization Decision Assertions: Contains information on what the user is allowed to access.

SAML Bindings

Bindings are the rules that dictate how SAML messages are formatted, encoded, and transported between entities during a SAML authentication.

The most common SAML bindings are listed below:

HTTP POST binding: SAML messages are transmitted within the body of the request using the HTTP POST method.

HTTP Redirect binding: SAML messages are encoded and transmitted within the URL query parameters of an HTTP GET request.

SOAP binding: SAML messages are encapsulated (packed) within Simple Object Access Protocol (SOAP) for communications through SOAP API.

Artifact binding: Instead of transmitting the SAML messages directly, this method exchanges small identifiers (references) called artifacts. The receiving party then uses the artifact to fetch the actual SAML message from the sender.
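The HTTP Redirect and HTTP POST bindings described above, as an added example that is not part of the original article: the same constructed AuthnRequest is packaged once for the query string (raw DEFLATE, base64, URL-encoding) and once for a form field (base64 only), and each is unpacked the way the receiver would, with a size limit on decompression. The entity IDs and URLs are constructed placeholders.

```python
# Added example: packaging one AuthnRequest for the HTTP-Redirect and HTTP-POST
# bindings. URLs and entity IDs below are constructed placeholders.
import base64
import zlib
from urllib.parse import urlencode, parse_qs, urlparse

MAX_XML_BYTES = 256 * 1024   # refuse to inflate anything larger (decompression bomb guard)

# Constructed AuthnRequest (step 2 of the flow).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_req42" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.com/saml/metadata</saml:Issuer></samlp:AuthnRequest>'
)

def redirect_binding_url(sso_url, xml, relay_state):
    # SP side: raw DEFLATE (no zlib header), base64, then URL-encode as SAMLRequest.
    # Compression keeps the message within URL length limits.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw deflate stream
    deflated = comp.compress(xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return sso_url + "?" + urlencode(params)

def decode_redirect_binding(url):
    # IdP side: reverse the redirect encoding and recover the XML and RelayState.
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(raw, MAX_XML_BYTES)
    if inflater.unconsumed_tail:
        raise ValueError("SAMLRequest exceeds the size limit")
    return xml.decode(), qs.get("RelayState", [None])[0]

def post_binding_form_field(xml):
    # HTTP-POST binding: no compression, just base64 in a hidden SAMLRequest form field.
    return base64.b64encode(xml.encode()).decode()

def decode_post_binding(field):
    return base64.b64decode(field).decode()
```

Because the Redirect binding carries the message in the URL, it is also the binding whose content can end up in browser history and proxy logs, which is one reason HTTPS and a short-lived, signed message matter for it.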

Security recommendations for SAML-based SSO

The configuration of SAML plays the most important part in its security. Any misconfiguration may lead to undesired consequences.

A few short and crisp considerations are listed below:

    • Ensure the SAML configuration is tightly locked down: validate all SAML messages, use robust encryption, and handle assertions properly.
    • Use HTTPS to prevent Man-in-the-Middle (MitM) attacks.
    • Ensure assertions are encrypted to prevent tampering during the authentication process.
    • Ensure the IdP is hardened; if attackers compromise the IdP, every SP that trusts it is compromised as well.

Conclusion

SAML 2.0 is the workhorse behind most SSO implementations in companies. However, every good thing comes with some overhead. Because SAML is based on the XML standard, every time an authentication is initiated the data and attributes have to be encoded in XML and then parsed by the receiving side. This adds processing overhead and slows down the overall authentication process. SAML has been around for decades and will remain a mainstream SSO protocol, but newer players in the market such as OAuth and OpenID Connect are much more lightweight and are increasingly preferred by organizations across the globe. If you want to test your knowledge, you can attend our CISSP mock test series hosted on Udemy. The mock tests are designed around scenario-based questions and help you determine which areas you need to focus on more.

SAML 2.0 will keep growing and keep serving the IAM community. We keep hosting such interesting articles, and if you want to nail the CISSP in 100 days, do not miss out on the world's first end-to-end CISSP training with the CISSP Success Toolkit.
