Last week, SAML 2.0 turned 10 years old and since inception, SaaS providers grabbed a hold of it and they have not looked back. As you may know, SAML (Security Assertion Markup Language) is the protocol that enables hundreds of millions of business users around the world to securely and conveniently access their apps without the need for a password or a pesky VPN for access into their corporate network. It helps independent software vendors to access a broader user audience by hooking their services to their customers’ user directories through identity access management (IAM) providers like OneLogin. Most importantly, it makes it incredibly easy for businesses to securely adopt flexible and resource-efficient cloud apps.
So what is it? It’s an open standard based on XML (Extensible Markup Language) that’s used for exchanging authentication and authorization data between identity providers (IdPs) and SaaS providers. Back in January, OneLogin CEO Thomas Pedersen gave us a quick background on why SAML adoption was key to our customers’ and partners’ success.
For about 6 years now, OneLogin has been at the forefront of the widespread and continued adoption of SAML. The reasons for this are many but they are all founded on a belief in open standards. The idea of companies using proprietary protocols for something as fundamental as user authentication and authorization simply does not scale. The sheer quantity and speed of innovation happening in the world of business apps and services has created an ever-growing opportunity for interoperability, and those that work together are successfully creating the best possible experience for enterprise customers.
One of the ways OneLogin has been at the forefront of this growth is by developing open-sourced SAML toolkits for five different web development platforms and these resources have been downloaded by hundreds of thousands of developers to date:
- ASP/.NET SAML Toolkit
- Java SAML Toolkit
- PHP SAML Toolkit
- Python SAML Toolkit
- Ruby SAML Toolkit
Beyond toolkit resources for application developers, OneLogin also provides utilities within our SaaS offering to help bridge the gap between our IAM services and the customer’s own applications. Traditionally, configuring SAML identity federation requires a manual effort of logging into each system separately and providing each with the right parameters. OneLogin now provides IT and internal apps engineers the ability to set up this trust with a single click which eliminates substantial time and complexity.
Many were concerned at the outset about the security of SAML since it was starting to be used to transact such sensitive information, and, after all, Only the Paranoid Survive. SAML specs mandate the use of security mechanisms like XML Signature and XML Encryption. Also, using strong multi-factor authentication such as our mobile OTP app, or technologies from any of the various technology partners we support, allows you to add an additional layer of security. Read more about our long standing security perspective on SAML in this blog post in Cloud Security Alliance.
While SAML has become the de facto standard for web app authentication, there is a whole new generation becoming increasingly relevant. Standards like SCIM and NAPPS come to mind. SCIM enables much of the same functionality as that of SAML but is based on REST and JSON, not XML. NAPPS is enabling IAM support for native apps on the mobile device. So given that at age 10, SAML has had tremendous impact on how we interact with our browser-based apps, we have an exciting future ahead of us with native mobile. Every time you enjoy fast and completely transparent access to your business-critical browser apps, you can thank SAML. We’ll see what the future holds for SCIM and NAPPS as they set off on their own journeys.
Happy 10th Birthday, SAML 2.0!