What is SAML authentication?
SAML is an open standard for exchanging authentication and authorization information. It is a type of SSO standard that lets you access multiple applications with a single set of credentials. By centralizing identity management and reducing password fatigue, SAML greatly enhances organizational security.
Best practices for SAML security
Here are some of the best practices that ensure sensitive information within the SAML assertion is transmitted securely.
- Validate message confidentiality and integrity: Do not use the SSL v2, SSL v3, or TLS v1 protocols. Use TLS 1.2 to protect message confidentiality and integrity at the transport layer. This helps ward off attacks such as:
  - Eavesdropping
  - Phishing
  - Credential theft
  - Token theft
  - Message deletion
  - Message modification
  - Manipulator-in-the-middle
- Enforce additional countermeasures:
  - IP filtering
  - OneTimeUse on the SAML response, to counter:
    - Browser state exposure
    - Replay attacks
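The transport-layer practice above (refuse SSL v2, SSL v3 and TLS v1; accept TLS 1.2 with a small set of strong suites) can be expressed as a TLS server context. The following is an added example using only the Python standard library; it is not code from this page or from ADSelfService Plus. The three suites are the ones this page later recommends for the product; their OpenSSL cipher-string names are an assumed mapping from the IANA names.

```python
"""Hardened TLS context for a SAML endpoint (added example, stdlib only)."""
import ssl

# IANA suite names (from the page) -> OpenSSL cipher-string names (assumed mapping)
RECOMMENDED_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
}


def hardened_context():
    """Server context that refuses every protocol below TLS 1.2 and, for TLS 1.2,
    offers only the three recommended ECDHE suites (TLS 1.3 suites are unaffected)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rules out SSLv2/SSLv3/TLS 1.0/1.1
    ctx.set_ciphers(":".join(RECOMMENDED_SUITES.values()))
    return ctx


def legacy_protocols_allowed(ctx):
    """True if the context would still negotiate anything older than TLS 1.2."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def tls12_cipher_names(ctx):
    """OpenSSL names of the TLS 1.2 suites the context will actually offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def is_suite_allowed(iana_name):
    """Policy check usable when auditing a scanner report or a peer's offered suite."""
    return iana_name in RECOMMENDED_SUITES


if __name__ == "__main__":
    ctx = hardened_context()
    print("legacy protocols allowed:", legacy_protocols_allowed(ctx))
    print("TLS 1.2 suites offered:", tls12_cipher_names(ctx))
```

Wrap the listening socket with `hardened_context().wrap_socket(...)` after loading the server certificate with `load_cert_chain`; the checks in `legacy_protocols_allowed` and `tls12_cipher_names` are the ones to assert in a deployment test so a later configuration change cannot silently re-enable an old protocol or a weak suite.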
Identity provider (IdP) considerations
Note: Validate the X.509 certificate for export restrictions, algorithm compatibility, and encryption strength.
Service provider (SP) considerations
- Ensure SAML messages are encrypted and signed using strong cryptographic algorithms.
- Validate the following:
  - Digital signatures, to verify the sender's authenticity.
  - The IdP's digital certificates, to ensure they are not expired or revoked.
  - Session timeouts and secure session cookies for users.
- Transmit SAML messages over secure channels like HTTPS to prevent eavesdropping and man-in-the-middle attacks.
- Implement granular access control policies based on user attributes and roles extracted from SAML assertions.
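The SP-side validations listed above go beyond checking the XML signature: the SP must also confirm who issued the assertion, that it was meant for this SP, that it is inside its validity window, that it answers a request this SP actually sent, and that it has not been presented before (the OneTimeUse replay protection mentioned earlier). The following added example, not code from this page or from ADSelfService Plus, performs those checks on a constructed sample assertion using only the Python standard library. It assumes the XML signature has already been verified against the IdP's pinned certificate by an XML-DSig library (the stdlib has none), and that the SP's entity ID, ACS URL and issued request IDs are known; all of those values are hypothetical.

```python
"""SP-side SAML assertion checks after signature verification (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # production code should use a hardened XML parser

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion; identifiers and URLs are hypothetical.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://sp.example.com/acs" NotOnOrAfter="2024-05-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    <saml:OneTimeUse/>
  </saml:Conditions>
</saml:Assertion>"""


@dataclass
class SpPolicy:
    trusted_issuer: str                      # Issuer value pinned from IdP metadata
    audience: str                            # this SP's entity ID
    acs_url: str                             # the Assertion Consumer Service URL
    clock_skew: timedelta = timedelta(minutes=2)
    outstanding_requests: set = field(default_factory=set)  # AuthnRequest IDs we issued
    seen_assertion_ids: set = field(default_factory=set)    # replay cache (OneTimeUse)


def _parse_time(value):
    # SAML timestamps are xs:dateTime in UTC, e.g. 2024-05-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, policy, now):
    """Return a list of failures; an empty list means the assertion is acceptable.
    Caches are only updated when every check passes."""
    failures = []
    root = ET.fromstring(xml_text)
    a = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find(".//saml:Assertion", NS)
    if a is None:
        return ["no Assertion element"]

    issuer = (a.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != policy.trusted_issuer:
        failures.append("untrusted issuer %r" % issuer)

    cond = a.find("saml:Conditions", NS)
    if cond is None:
        failures.append("missing Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + policy.clock_skew < _parse_time(nb):
            failures.append("assertion not yet valid (NotBefore)")
        if na is None or now - policy.clock_skew >= _parse_time(na):
            failures.append("assertion expired or missing NotOnOrAfter")
        audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if e.text]
        if policy.audience not in audiences:
            failures.append("audience mismatch %r" % audiences)

    scd = None
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            scd = sc.find("saml:SubjectConfirmationData", NS)
    if scd is None:
        failures.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != policy.acs_url:
            failures.append("Recipient is not our ACS URL")
        if scd.get("InResponseTo") not in policy.outstanding_requests:
            failures.append("InResponseTo does not match an outstanding request")

    # Every assertion ID is cached, whether or not <OneTimeUse/> is present.
    aid = a.get("ID")
    if not aid or aid in policy.seen_assertion_ids:
        failures.append("replayed or missing assertion ID %r" % aid)

    if not failures:
        policy.seen_assertion_ids.add(aid)
        policy.outstanding_requests.discard(scd.get("InResponseTo"))
    return failures


if __name__ == "__main__":
    policy = SpPolicy("https://idp.example.com/metadata", "https://sp.example.com",
                      "https://sp.example.com/acs", outstanding_requests={"_req42"})
    now = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
    print("first presentation:", validate_assertion(SAMPLE_ASSERTION, policy, now))
    print("second presentation:", validate_assertion(SAMPLE_ASSERTION, policy, now))
```

The replay cache and the outstanding-request set are in-memory here; in a real SP they must be shared across nodes (and the replay cache can be expired once `NotOnOrAfter` plus the skew has passed). Logging each non-empty failure list, with the issuer and assertion ID, gives the SOC a direct signal for replayed or mis-targeted assertions.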
ADSelfService Plus considerations
ADSelfService Plus, an identity security solution, can act as both an IdP and an SP. The first step is to update the ADSelfService Plus instance to the latest version. Other recommended practices are listed below.
- Implement TLS 1.2: Configuring the TLS 1.2 protocol secures the transport layer. Follow the steps below to set it up.
  - Log into the ADSelfService Plus admin portal.
  - Navigate to the Admin tab > Product Settings > Connection > Connection Settings.
  - Click Advanced Settings. More settings will appear.
  - Select TLSv1.2 from the TLS Versions drop-down.
  - It is recommended that you select these three cipher suites from the drop-down:
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  - Click Save and restart the product to apply the changes.
- Set up a proxy: If ADSelfService Plus is configured as an SP, it is recommended that you set up a proxy server. Follow the steps below to configure a proxy.
  - Log into the ADSelfService Plus admin portal.
  - Navigate to the Admin tab > Product Settings > Connection > Proxy Settings.
  - Select the Enable Proxy Server checkbox.
  - Provide the server name or IP address, username, and password for authentication.
  - Click Save.
People also ask
What is the difference between SSO and SAML?
In simple terms, SSO is a broader concept that refers to the ability to log into multiple applications with a single set of credentials, while SAML is a specific protocol that enables SSO.
Which is better, SAML or OAuth?
Choosing between SAML, an authentication protocol, and OAuth, an authorization protocol, comes down to your specific requirements. If you're looking for enterprise-level SSO to access multiple web applications, choose SAML. To integrate with third-party applications without exposing your credentials, choose OAuth.