What is SAML?
SAML stands for Security Assertion Markup Language. It is an open standard that separates the service provider (the application a user wants to reach) from the identity provider, which authenticates the user and issues an assertion granting access rights to that service.
While alternatives for Single Sign-On (SSO) exist within an organisational domain (such as Microsoft Active Directory) and for consumer access (such as OAuth, used by personal web applications), SAML is the preferred standard for building a federated access model for cloud (internet) business applications such as Service Desk, CRM and, of course, PSA.
How does SAML work?
SAML separates the Service Provider, SP (a business application), from the Identity Provider, IdP. This permits a many-to-many model: one IdP can serve many SPs, and one SP can be tied to many IdPs.
In effect, a user trying to reach any SP is routed to the IdP and must identify themselves there. Once identified, the IdP can send an assertion to every SP in the SAML estate, allowing the user to access all services without presenting any further credentials. In its richest form, the assertion message (a special XML format) can even carry application-level access rights, so the application does not need to maintain its own security tables recording which areas of the application the user is permitted to use.
Once an application has joined the SAML estate, direct user access is disabled and the user is routed to the IdP first. Obviously, removing the user's rights in the IdP therefore kills all access rights across the estate - great for leaver security.
What are the benefits of adopting SAML?
Externalising and centralising user access authorisation has many benefits, for both the organisation and its users.
- It provides a sound basis for deploying internet based SSO;
- It improves security by raising access controls to the highest level: an Identity Provider can enforce 2FA (Two-Factor Authentication) across the SAML-enabled estate even where individual applications do not support it themselves;
- It eases access for users, who have only a single user name and password to remember even when they need to access multiple applications; and
- It improves user administration by providing a single point of disconnection, by centralising access rights and by having a single place to reset passwords. The identity provider also provides total auditability across the estate of SAML-enabled applications, improving visibility and control.
We are pleased to announce that Harmony is now SAML enabled and so can be connected to the identity provider of your choice. If you are looking for a SAML enabled Service Desk, contact us for a demo.
About the Author: Harmony Business Systems Ltd (HBS) is the company behind HarmonyPSA, the most complete cloud PSA software on the market. Developed with functionality to cater for even the most complex needs of MSPs, VARs, ISVs and Professional Services organisations, HarmonyPSA truly is the next generation of PSA systems. HBS is an independent company based in the UK. Follow HarmonyPSA on Twitter, LinkedIn or its website.