The spate of recent cyber-attacks on organizations, most notably the SolarWinds supply-chain attack that affected US government agencies and many other organizations, led to important findings about the methods used to compromise the victims' systems.
Microsoft's analysis of the attacks found that one of those methods was the forging of Security Assertion Markup Language (SAML) tokens.
The attackers inserted malicious code into SolarWinds' infrastructure monitoring and management software, which gave them a foothold in each victim's network from which they escalated their privileges. Once inside, they used the administrative permissions gained through the on-premises compromise to reach global administrator accounts and the SAML token-signing certificate. With that certificate they forged SAML tokens impersonating privileged users; because the tokens carried a valid signature, the services that relied on them accepted them, and the attackers used them to access resources both in the cloud and on-premises.
So, what is SAML, and how does one manage it securely?
SAML, or Security Assertion Markup Language, is an open, XML-based standard through which an identity provider tells external services and applications that the user in front of them is the same person who logged in with it. SAML is one of the standards that makes single sign-on (SSO) possible: a user authenticates once, and that authentication is reused across multiple applications. The current version is SAML 2.0, in use since 2005; it merged several earlier specifications (SAML 1.1, Liberty ID-FF and Shibboleth) and is now the standard in practice.
A SAML assertion can be thought of as an identification card: a fast way to establish who a person is. It is like confirming someone's identity by looking at their ID card instead of running a series of DNA tests. The analogy also explains the SolarWinds attack: whoever controls the card printer (the signing certificate) can issue a convincing card for anyone.
With devices and networking systems from many vendors coming together for diverse purposes, getting them to work together is a real challenge. The advantage of SAML is its interoperability: as a widely accepted standard it lets systems built to different specifications, and cloud service providers in particular, communicate the identity of users.
What is single sign-on (SSO), and what is it used for?
Single sign-on (SSO) is a reliable way for a user to be authenticated once for multiple services and applications. The user signs in at a single login screen and can then use any of the connected services or apps without identifying themselves again each time. This works because the SSO system vouches to each external app or service that the user has signed in, and SAML is the mechanism through which it does so.
An SSO authentication process has three parties.
- Principal: the entity being authenticated. On most occasions this is a human user, though it can also be a bot or automated process, trying to access a cloud-hosted application.
- Identity provider (IdP): a service, often cloud-based, that stores user identities and verifies them during login. Essentially, it states that it knows the user and can vouch for them. An SSO system may be separate from the identity provider, but it acts on the provider's behalf, so for the purposes of a SAML flow the two are effectively the same party.
- Service provider (SP): the cloud-based applications and services users access, such as Microsoft 365 and Gmail, the cloud storage services Google Drive and AWS S3, and communication apps such as Skype and Slack. Ordinarily a user would log in to such a service directly, but with SSO in place the user logs in to the SSO first, and the service provider grants access on the strength of the SAML assertion rather than through a direct login.
A typical (service-provider-initiated) workflow looks like this:
- The principal (the user) requests a resource from the service provider.
- The service provider sends an authentication request to the identity provider, redirecting the principal there.
- If the principal is not already logged in, the identity provider prompts them to log in.
- The identity provider sends a SAML response containing the assertion back to the service provider, via the principal's browser.
- The service provider validates the assertion and then responds to the principal, granting or denying access.
The SAML assertion is critical: it tells the service provider that the user is signed in and that their identity has been confirmed. The service provider should accept it only if its source (the issuer and the signature over the assertion), its timing (the validity window it states) and its conditions (for instance the audience it was issued for) all check out.
For example, a SAML assertion is like a reference provided for a job candidate. The referee confirms the candidate's job role, tenure and performance, and gives an overall opinion; the company hires or rejects the candidate based on that feedback. Similarly, a cloud service or SaaS application allows or denies a user based on the SAML assertion.
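As an added example (not code from the original article), here is the service-provider side of the workflow described above together with the validity checks a service provider should make on the assertion it receives, in Python using only the standard library. The entity IDs, URLs, user names and the clock are constructed for the example. XML signature verification is passed in as a callable, because a real check needs an XML-DSig library such as xmlsec and the identity provider's certificate; the one-hour maximum lifetime is a local policy heuristic, not something the SAML specification requires.

```python
"""Added example (not the article's code): an SP-initiated SAML 2.0 exchange and the SP-side
checks on the returned assertion. Stdlib only; entity IDs, URLs and the clock are constructed."""
import re
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Set, Tuple

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.com/metadata"  # constructed identifiers, not a real deployment
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
FIXED_NOW = datetime(2021, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility
TS = "%Y-%m-%dT%H:%M:%SZ"  # SAML timestamps are UTC xs:dateTime

def build_authn_request(sp_entity_id: str, acs_url: str, idp_sso_url: str) -> Tuple[str, str]:
    """Workflow step 2: the SP asks the IdP to authenticate the principal; the random ID lets the
    SP tie the IdP's response back to this request via InResponseTo."""
    request_id = "_" + secrets.token_hex(16)  # xs:ID may not start with a digit
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{datetime.now(timezone.utc).strftime(TS)}" '
           f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}">'
           f"<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>")
    return request_id, xml

def build_assertion(issuer: str, subject: str, audience: str, recipient: str, in_response_to: str,
                    not_before: datetime, not_on_or_after: datetime) -> str:
    """Workflow step 4, IdP side: a minimal bearer assertion (the XML signature is omitted here)."""
    nb, na = not_before.strftime(TS), not_on_or_after.strftime(TS)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_{secrets.token_hex(16)}" Version="2.0" '
            f'IssueInstant="{nb}"><saml:Issuer>{issuer}</saml:Issuer><saml:Subject>'
            f"<saml:NameID>{subject}</saml:NameID>"
            f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData InResponseTo="{in_response_to}" Recipient="{recipient}" '
            f'NotOnOrAfter="{na}"/></saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction>'
            f"<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
            f"</saml:Assertion>")

def _parse_time(value: str) -> datetime:  # fractional seconds are optional in xs:dateTime
    return datetime.strptime(re.sub(r"\.\d+Z$", "Z", value), TS).replace(tzinfo=timezone.utc)

def validate_assertion(assertion_xml: str, expected_issuer: str, expected_audience: str,
                       expected_recipient: str, outstanding_requests: Set[str],
                       signature_valid: Callable[[str], bool], now: datetime = FIXED_NOW,
                       skew: timedelta = timedelta(minutes=3),
                       max_lifetime: timedelta = timedelta(hours=1)) -> Tuple[Optional[str], List[str]]:
    """Workflow step 5, SP side. Returns (name_id, errors); grant access only when errors == [].
    signature_valid stands in for XML-DSig verification against the IdP's certificate (e.g. xmlsec)."""
    if not signature_valid(assertion_xml):  # nothing else matters if the signature fails
        return None, ["signature: invalid or missing"]
    root = ET.fromstring(assertion_xml)
    errors: List[str] = []
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        errors.append(f"issuer: {issuer!r} is not the trusted IdP")
    audiences = [a.text.strip() for a in
                 root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        errors.append(f"audience: {audiences!r} does not include this SP")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not all(k in cond.attrib for k in ("NotBefore", "NotOnOrAfter")):
        errors.append("conditions: missing NotBefore/NotOnOrAfter")
    else:
        nb, na = _parse_time(cond.attrib["NotBefore"]), _parse_time(cond.attrib["NotOnOrAfter"])
        if not (nb - skew <= now < na + skew):
            errors.append("time: outside the NotBefore/NotOnOrAfter window")
        if na - nb > max_lifetime:  # policy heuristic, not a spec rule: tokens minted with a
            errors.append("time: validity window exceeds policy")  # stolen key are often long-lived
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    attrs = dict(scd.attrib) if scd is not None else {}
    if attrs.get("Recipient") != expected_recipient:
        errors.append("recipient: not issued for this SP's ACS URL")
    if attrs.get("InResponseTo") not in outstanding_requests:
        errors.append("in_response_to: unknown or already used request ID (unsolicited or replayed)")
    else:
        outstanding_requests.discard(attrs["InResponseTo"])  # consume it: one assertion, one login
    name_id = root.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    return (name_id if not errors else None), errors

def run_demo(now: datetime = FIXED_NOW) -> dict:
    """One full exchange, then assertions a holder of the IdP's signing key could mint; every case
    passes the signature check, so only the remaining checks can stop the forged ones."""
    outstanding: Set[str] = set()
    request_id, _ = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, "https://idp.example.com/sso")
    def check(assertion: str, sig_ok: bool = True):
        outstanding.add(request_id)  # each case is presented against a live request ID
        return validate_assertion(assertion, IDP_ENTITY_ID, SP_ENTITY_ID, SP_ACS_URL, outstanding,
                                  lambda _xml: sig_ok, now)
    window = (now - timedelta(minutes=1), now + timedelta(minutes=5))
    fresh = build_assertion(IDP_ENTITY_ID, "alice@example.com", SP_ENTITY_ID, SP_ACS_URL, request_id, *window)
    return {
        "good": check(fresh),
        "replay": validate_assertion(fresh, IDP_ENTITY_ID, SP_ENTITY_ID, SP_ACS_URL, outstanding,
                                     lambda _xml: True, now),  # same assertion again: ID already consumed
        "wrong_audience": check(build_assertion(IDP_ENTITY_ID, "alice@example.com",
                                                "https://other-sp.example.net", SP_ACS_URL, request_id, *window)),
        "long_lived": check(build_assertion(IDP_ENTITY_ID, "admin@example.com", SP_ENTITY_ID, SP_ACS_URL,
                                            request_id, now - timedelta(days=1), now + timedelta(days=30))),
        "bad_signature": check(fresh, sig_ok=False),
    }
```

Calling run_demo() returns the outcome of each case: the fresh assertion is accepted for alice@example.com, presenting it a second time fails on InResponseTo, an assertion minted for another service fails on audience, a month-long assertion for an admin fails the lifetime policy, and a bad signature is rejected before anything else is looked at. The point for the SolarWinds scenario is that a stolen signing certificate defeats only the first of these checks; audience, recipient, request matching and lifetime limits are what the service provider has left, which is why the lifetime heuristic is worth the false positives it may cause.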
SAML authentication vs. user authorization
There is a common misconception that authentication and authorization are the same thing when it comes to user identity. SAML is used for user authentication, not for authorization. It can carry attributes (such as group membership) that an application uses when deciding what a user may do, but the authorization decision itself is a separate function that falls under identity and access management.
Authentication: who the user is, and whether the login process has confirmed that identity.
Authorization: the permissions and privileges granted to a user, that is, the actions the organization's IT systems permit an employee to perform in their job role.
To put the difference in everyday terms: a person attends an event and shows their ticket and some form of identity card at the entrance to prove they are the right person. Once accepted, they are allowed in. That is authentication.
Inside the event, the person is subject to restrictions: they cannot go anywhere they like, sit anywhere, or walk onto the stage and perform, because they are not authorized to. Their authorization extends only to watching the event. To do more, they need an additional backstage pass, which is the equivalent of higher authorization in IT terms.
Third-party providers offer identity and access management (IAM) technologies that oversee user authorization. Access management solutions use different standards for authorization; they allow organizations to manage user access to data and internal resources, integrating with SSO so that authentication and authorization are handled together.