Authentication is a process that deals with verifying that a user is who they claim to be. This usually starts with a user submitting a username and password to gain access to a web-based service. Each time a user attempts to interact with a service, a session is opened that is maintained on the server by a session identifier and passed back between the client and server to transmit and receive requests.
To better manage and implement authentication login standards, services can be used to enhance these processes for ease of use and functionality. So, the two we will focus on in this post are SAML and SCIM.
SAML
SAML stands for Security Assertion Markup Language. This allows single sign-on (SSO) via browser across various web systems. Shortly, it is a standard for authentication and access of data between security domains. SAML requests involve three main actors. To begin with, there is the end-user known as the principal that wants to use web-based services. After that, there is the Identity provider that provides proof of a user’s identity. Lastly, there is the Service Provider that is the web-based service the user is trying to access. (Chapple, 2018).
The interactions between the three main actors are as follows:
- The user requests access to the service provider
- The service provider checks to see if the user already exists in their system. If they do, they will grant them access.
- If they don’t the service provider will redirect the user to the SSO service of the identity provider.
- The user will then authenticate with the identity provider
- The identity provider gives an XHTML response to the user for the service provider
- The user requests a security assertion from the service providers that gives proof of identity
- The service provider validates the request and creates a security contact with the service and sends it to the user
- As well as, the user requests the desired service and gets a response of granted access from the service provider
(Chapple, 2018)
SCIM
SCIM stands for System for Cross-domain Identity Management. This is a HTTP protocol on the application layer. Also, it provides ease of use in managing user identities and groups in cloud-based applications and services. To clarify, SCIM supports CRUD and uses JSON payloads for messages to pass request and response parameters. It also leverages REST. (Jayawickrama, 2017).
SCIM 2.0 is based on an object model. In this model, the Resource is the common denominator and all other SCIM objects are derived from it.
From SCIM 2.0 version Object Model (Jayawickrama, 2017).
SCIM can be used for communication between internal servers via SCIM Gateways, directory access with read/write capabilities, expose Identity information, read/write external systems and more. With SCIM, user accounts can be provisioned, passwords can be reset, security tokens can be managed, users can be added to groups with different permissions, user and group data can be read and more. (Grizzle, 2015).
In conclusion, the information provided in this post just touches on the surface for SAML and SCIM and gives a non-technical user an overview understanding of what they are. However, we urge you to dive deeper by accessing the references below and letting us know how you’ve used SAML and SCIM in your projects.