Authentication is the process of verifying that a user is who they claim to be. For a web-based service this usually starts with the user submitting a username and password. Once the credentials check out, the server opens a session for the user and labels it with a session identifier that is handed to the client (typically in a cookie); the client sends that identifier back with each subsequent request, so the server can tie every request to the authenticated user without asking for the password again.
Rather than every service building and maintaining its own login and account-management machinery, a service can rely on standards that let a user's identity be established once and shared across systems. The two we will focus on in this post are SAML and SCIM.
SAML stands for Security Assertion Markup Language. It is an XML-based standard for exchanging authentication and authorization data between security domains, and it is what makes browser-based single sign-on (SSO) across separate web systems possible. A SAML exchange involves three main actors. First there is the end user, known as the principal, who wants to use a web-based service. Second there is the identity provider (IdP), which authenticates the user and issues proof of their identity. Lastly there is the service provider (SP), the web-based service the user is trying to access (Chapple, 2018).
In the common case where the user starts at the service provider (SP-initiated SSO using the HTTP POST binding), the three actors interact as follows:
- The user's browser requests a protected resource from the service provider.
- The service provider checks whether the user already has a valid security context (an authenticated session) with it. If so, it grants access and the flow ends here.
- If not, the service provider generates a SAML authentication request and redirects the browser to the SSO service of the identity provider.
- The user authenticates with the identity provider, for example with a username and password and possibly a second factor.
- The identity provider returns an XHTML form to the browser containing a digitally signed SAML response for the service provider; the response carries the security assertion that is the proof of the user's identity.
- The browser submits that form to the service provider's assertion consumer service.
- The service provider validates the response (the signature, the issuer, that it is addressed to this service provider, that it is still within its validity window, and that it answers a request the service provider actually sent), then creates a security context for the user and redirects the browser back to the resource.
- The browser requests the resource again, and this time the service provider returns it.
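As an added example (not code from the original post), here is the service-provider side of the exchange above in Python: it mints the authentication request, remembers the request's ID, and then checks the response the browser posts to its assertion consumer service. The entity IDs, URLs, the sample identity-provider response and the fixed clock are constructed for illustration; XML signature verification, which a real service provider must perform with a library such as xmlsec before trusting anything in the response, is assumed to have happened already.

```python
# Added example, not part of the original post: the service-provider side of the SP-initiated SAML 2.0
# browser SSO flow above. Entity IDs, URLs, the sample IdP response and the fixed clock are constructed.
import secrets
import xml.etree.ElementTree as ET  # prefer defusedxml in production (entity-expansion attacks)
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.com/metadata"    # assumed
SP_ACS_URL = "https://sp.example.com/saml/acs"      # assumed
IDP_ENTITY_ID = "https://idp.example.com/metadata"  # assumed
CLOCK_SKEW = timedelta(minutes=3)                   # tolerated IdP/SP clock drift
T0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" so runs are reproducible


def at(seconds):  # instant `seconds` after T0; stands in for datetime.now(timezone.utc)
    return T0 + timedelta(seconds=seconds)


def ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class SamlError(Exception):
    pass


class ServiceProvider:
    def __init__(self):
        self.pending = {}  # AuthnRequest ID -> issue time; consumed by the first matching Response

    def build_authn_request(self, now):
        """Mint the AuthnRequest the browser carries to the IdP's SSO service (the redirect step)."""
        req_id = "_" + secrets.token_hex(16)
        self.pending[req_id] = now
        xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
               f'Version="2.0" IssueInstant="{ts(now)}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
               f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
        return req_id, xml

    def consume_response(self, xml_text, now):
        """Validate the Response posted to the assertion consumer service and return the NameID.
        Assumes the XML signature was already verified against the IdP certificate from its metadata."""
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{SAMLP}}}Response" or root.get("Destination") != SP_ACS_URL:
            raise SamlError("not a Response addressed to our ACS")
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        if code is None or code.get("Value") != SUCCESS:
            raise SamlError("IdP did not report success")
        req_id = root.get("InResponseTo")
        if req_id not in self.pending:
            raise SamlError("unsolicited or replayed Response")
        del self.pending[req_id]  # one AuthnRequest accepts exactly one Response
        assertions = root.findall("saml:Assertion", NS)
        if len(assertions) != 1:
            raise SamlError("expected exactly one Assertion")
        a = assertions[0]
        if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != IDP_ENTITY_ID:
            raise SamlError("Assertion not issued by the expected IdP")
        cond = a.find("saml:Conditions", NS)
        if cond is None:
            raise SamlError("Assertion has no Conditions")
        nb, noa = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
        if not nb - CLOCK_SKEW <= now < noa + CLOCK_SKEW:
            raise SamlError("Assertion outside its validity window")
        audiences = [(e.text or "").strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            raise SamlError("Assertion was issued for a different SP")
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if (scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != req_id
                or now >= parse_ts(scd.get("NotOnOrAfter")) + CLOCK_SKEW):
            raise SamlError("bearer confirmation does not match this SP and request, or has expired")
        return a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()


def sample_idp_response(req_id, issued, audience=SP_ENTITY_ID, lifetime=300):
    """Constructed stand-in for the Response inside the IdP's XHTML form; ds:Signature omitted."""
    exp = ts(issued + timedelta(seconds=lifetime))
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
            f'IssueInstant="{ts(issued)}" Destination="{SP_ACS_URL}" InResponseTo="{req_id}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{ts(issued)}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>alice@example.com</saml:NameID>'
            f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="{req_id}" '
            f'NotOnOrAfter="{exp}"/></saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{ts(issued)}" NotOnOrAfter="{exp}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')


def try_consume(sp, xml, now):  # 'ok:<NameID>' or 'rejected:<reason>', handy for comparing outcomes
    try:
        return "ok:" + sp.consume_response(xml, now)
    except SamlError as e:
        return "rejected:" + str(e)
```

The checks that matter most from a security standpoint are the ones the code refuses to skip: the response must answer a request this service provider issued (and each request is consumed once, so a captured response cannot be replayed), the assertion must name this service provider as its audience and be delivered to its assertion consumer service, and it must be inside its validity window with a small allowance for clock drift. A production deployment would additionally remember assertion IDs until they expire, verify the signature before any of this, and parse with defusedxml rather than the standard library.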
SCIM stands for System for Cross-domain Identity Management. It is an application-layer protocol carried over HTTP that makes managing user identities and groups in cloud-based applications and services easier. SCIM is RESTful: it supports CRUD (create, read, update, delete) operations on identity resources and uses JSON payloads to carry request and response parameters (Jayawickrama, 2017).
SCIM 2.0 is based on an object model in which Resource is the common denominator: every other SCIM object (User, Group and so on) derives from it and inherits its common attributes, such as the server-assigned id and the meta block that records when the resource was created and last modified.
Figure: SCIM 2.0 object model (Jayawickrama, 2017).
SCIM can be used for communication between internal servers via SCIM gateways, for read/write directory access, to expose identity information, to read from and write to external systems, and more. With SCIM, user accounts can be provisioned (and, just as importantly, deprovisioned), passwords can be reset, security tokens can be managed, users can be added to groups with different permissions, user and group data can be read, and more (Grizzle, 2015).
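As an added example (not from the original post or from any SCIM implementation), the following Python models a small SCIM 2.0 service: each User and Group is a Resource with the common id, schemas and meta attributes, created with POST, looked up with GET and a filter, updated with a PatchOp, and removed with DELETE. The base URL and the sample users are made up, and only single-clause eq/ne filters and the simplest PatchOp paths are supported.

```python
# Added example, not part of the original post: an in-memory stand-in for the /Users and /Groups endpoints
# of a SCIM 2.0 server, showing the Resource-derived object model and the JSON CRUD operations above.
import copy
import re
import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCHEMAS = {"Users": USER_SCHEMA, "Groups": GROUP_SCHEMA}
READ_ONLY = {"id", "meta", "schemas"}  # server-assigned common attributes, never client-writable
FILTER_RE = re.compile(r'^(\w+)\s+(eq|ne)\s+"([^"]*)"$')  # single-clause filters only


def stamp():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


class ScimError(Exception):  # args = (HTTP status a real server would return, detail message)
    pass


def matches(resource, filt):
    """Evaluate a filter such as userName eq "alice"; SCIM string compares are case-insensitive."""
    m = FILTER_RE.match(filt)
    if not m:
        raise ScimError(400, f"unsupported filter: {filt}")
    attr, op, want = m.groups()
    have = resource.get(attr)
    equal = have is not None and str(have).lower() == want.lower()
    return equal if op == "eq" else not equal


class ScimService:
    def __init__(self, base="https://scim.example.com/v2"):  # assumed base URL
        self.base, self.store = base, {"Users": {}, "Groups": {}}

    def create(self, kind, body):  # POST /{kind}
        if SCHEMAS[kind] not in body.get("schemas", []):
            raise ScimError(400, f"schemas must include {SCHEMAS[kind]}")
        key = "userName" if kind == "Users" else "displayName"
        if not body.get(key):
            raise ScimError(400, f"{key} is required")
        if self.search(kind, f'{key} eq "{body[key]}"')["totalResults"]:
            raise ScimError(409, f"{key} already exists")  # uniqueness is case-insensitive
        rid = str(uuid.uuid4())
        resource = {k: copy.deepcopy(v) for k, v in body.items() if k not in READ_ONLY}
        resource.update(schemas=[SCHEMAS[kind]], id=rid, meta={
            "resourceType": kind[:-1], "created": stamp(), "lastModified": stamp(),
            "location": f"{self.base}/{kind}/{rid}"})
        if kind == "Users":
            resource.setdefault("active", True)
        self.store[kind][rid] = resource
        return copy.deepcopy(resource)

    def get(self, kind, rid):  # GET /{kind}/{id}
        if rid not in self.store[kind]:
            raise ScimError(404, f"Resource {rid} not found")
        return copy.deepcopy(self.store[kind][rid])

    def search(self, kind, filt=None):  # GET /{kind}?filter=...
        hits = [r for r in self.store[kind].values() if filt is None or matches(r, filt)]
        return {"schemas": [LIST_SCHEMA], "totalResults": len(hits), "Resources": copy.deepcopy(hits)}

    def patch(self, kind, rid, body):  # PATCH /{kind}/{id}
        if PATCH_SCHEMA not in body.get("schemas", []):
            raise ScimError(400, "body is not a PatchOp")
        resource = self.get(kind, rid)  # work on a copy; commit only if every op succeeds
        for op in body.get("Operations", []):
            name, path, value = op.get("op", "").lower(), op.get("path"), op.get("value")
            if (set(value) if path is None and isinstance(value, dict) else {path}) & READ_ONLY:
                raise ScimError(400, "attempt to modify a read-only attribute")
            if name in ("add", "replace") and path is None and isinstance(value, dict):
                resource.update(copy.deepcopy(value))
            elif name == "add" and path == "members":
                resource.setdefault("members", []).extend(copy.deepcopy(value))
            elif name in ("add", "replace") and path and path.isidentifier():
                resource[path] = copy.deepcopy(value)
            else:
                raise ScimError(400, f"unsupported operation: {op}")
        resource["meta"]["lastModified"] = stamp()
        self.store[kind][rid] = resource
        return copy.deepcopy(resource)

    def delete(self, kind, rid):  # DELETE /{kind}/{id}
        self.get(kind, rid)
        del self.store[kind][rid]
        for g in self.store["Groups"].values():  # no dangling memberships after a user is removed
            g["members"] = [m for m in g.get("members", []) if m.get("value") != rid]


def may_sign_in(svc, user_name):  # what an application should ask before honouring a login
    hits = svc.search("Users", f'userName eq "{user_name}"')["Resources"]
    return bool(hits) and hits[0].get("active") is True


def attempt(fn, *args):  # ("ok", result) or ("error", status) so outcomes are easy to compare
    try:
        return "ok", fn(*args)
    except ScimError as e:
        return "error", e.args[0]
```

The deprovisioning path is the one worth studying: when the provisioning system sends a PatchOp that replaces active with false, that user must stop being able to sign in immediately, which is why may_sign_in checks the active flag rather than mere existence. userName matching is case-insensitive so that a differently cased duplicate cannot slip past the uniqueness check, and the server-assigned attributes (id, meta, schemas) are rejected in PATCH bodies, since letting a client rewrite them would let it re-point a resource.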
This post only scratches the surface of SAML and SCIM and is meant to give a non-technical reader an overview of what they are. We urge you to dive deeper by reading the references below, and to let us know how you have used SAML and SCIM in your own projects.
Chapple, M. (2018, June 08). CySA Cert Prep: 5 Identity and Access Management. Retrieved August 10, 2018, from Web Link
Grizzle, K. (2015, June 16). SCIM in the Real World: Adoption is Growing. Retrieved August 23, 2018, from Web Link
Jayawickrama, H. S. (2017, June 27). SCIM – System for Cross-Domain Identity Management. Retrieved August 16, 2018, from Web Link
SAML 2.0. (2018, August 15). Retrieved August 13, 2018, from Web Link
Offenhartz, J. (2017, May 29). What is SCIM? Retrieved August 14, 2018, from Web Link