What is SAML?
SAML - Security Assertion Markup Language
SAML, developed by the Security Services Technical Committee of the Organization for the Advancement of Structured Information Standards (OASIS), is an XML-based framework for exchanging user authentication, entitlement, and attribute information. SAML is a derivative of XML. The purpose of SAML is to enable Single Sign-On (SSO) for web applications across different domains.
Why SAML?
There are four 'drivers' behind the creation of the SAML standard:
Limitations of browser cookies: Most existing Single Sign-On products use browser cookies to maintain state so that re-authentication is not required. Browser cookies are not transferred between DNS domains. So, if you obtain a cookie from www.abc.com, then that cookie will not be sent in any HTTP messages to www.xyz.com. This could even apply within an organization that has separate DNS domains. Therefore, solving the Cross-Domain SSO (CDSSO) problem requires the application of different technology. All SSO products solve the CDSSO problem by different techniques.
SSO Interoperability: How products implement SSO and CDSSO is completely proprietary. If you have an organization and you want to perform SSO across different DNS domains within the same organization, or you want to perform CDSSO to trading partners, then you will have to use the same SSO product in all the domains.
Web Services: Security within Web Services is still being defined. Most of the focus has been on how to provide confidentiality and authentication/integrity services on an end-to-end basis. The SAML standard provides the means by which authentication and authorization assertions can be exchanged between communicating parties.
Federation: The need to simplify identity management across organizational boundaries, allowing users to consolidate many local identities into a single (or at least a reduced set) Federated Identity... [excerpted from the Security Assertion Markup Language (SAML) 2.0 Technical Overview, Working Draft 01, 22 July 2004.]
For Whom?
SAML will be supported for ORGANIZATION users. An organization administrator can configure the SAML URL and the public key. A user from the organization should log in with his/her domain, say "https:// .business.zoho.com". The user will be redirected to the IDP configured for SAML, carrying a SAML request for authentication. The IDP will authenticate the user and send us the SAML response. If the response indicates success, a ticket will be generated for the user and set in a cookie.
SAML based Authentication for Zoho
- Register an Organization
- Register a domain (a subdomain or the domain itself)
- Register for SAML Authentication.
Login details are provided by your third-party provider. The login details include:
Login URL: The URL to which all organization users will be redirected for custom authentication.
Logout URL: The URL to which users are redirected when they sign out from Zoho services under SSO.
Change password URL: The IDP's password reset URL, which is called when a user tries to reset the password in Zoho.
Public key: The key used to verify the signature on the response message sent by the IDP.
After setting up the SAML process with your third-party provider, you need to log in to your portal URL for authentication; you will then be redirected to the SAML page.
- Go to your portal URL (for example: mail.zoho.com/portal/yourportalname)
- The user who logs in should already have an account in Zoho for the authentication to be successful.
- You will be redirected to the SAML authentication page.
- Authentication is performed on the IDP.
- The data is then encrypted and posted back to us.
- We decrypt it and identify the authenticated user.
- If the user is found in the same organization, we approve the login and set a ticket for that user.
- If the user belongs to a different organization, an error is shown to the user.
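The service-provider-side checks that follow the signature verification in the steps above, written here as an added Python example (not Zoho's code): it assumes the XML signature on the response has already been verified with the configured public key, and the IdP issuer, audience, request ID and sample response are constructed values.

```python
import xml.etree.ElementTree as ET          # for untrusted input use defusedxml
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def saml_time(ts):
    # SAML timestamps are ISO 8601 UTC with a trailing "Z"
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, idp_issuer, sp_audience, request_id, org_domain, now):
    # Returns the NameID to approve, or raises ValueError (the "error shown to
    # the user"). Assumes the XML signature was already verified with the
    # IdP's public key; the checks below come after that step.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    if root.get("InResponseTo") != request_id:
        raise ValueError("InResponseTo does not match the AuthnRequest we sent")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != idp_issuer:
        raise ValueError("missing assertion or unexpected issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    aud = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_audience not in aud:
        raise ValueError("assertion not addressed to this service provider")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS) or ""
    if "@" not in name_id:
        raise ValueError("missing or malformed NameID")
    # The page's rule: approve only users whose domain is this organization's
    if name_id.rsplit("@", 1)[1].lower() != org_domain.lower():
        raise ValueError("user belongs to a different organization")
    return name_id

# Constructed sample response (not a real IdP's output)
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
```

Each rejection reason maps to one of the steps above; a response from a user in another organization fails the final domain check even when everything the IdP asserted is valid.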