SAML (Security Assertion Markup Language) is an XML-based markup language that lets users log in to applications based on their existing session in another context. An organization already knows who its users are: when users are logged in to the organization's Active Directory, the organization can use that authenticated session to log them in to other applications. It is always simpler and more secure to manage one login per user than to manage several logins per user.
By using the SAML specifications, customers can provide Single Sign-On (SSO) to their users. Single Sign-On means that users log in once, and that one set of credentials is reused to log them in to other service providers.
How does Single Sign-On work?
To understand how Single Sign-On works, read through the following hypothetical example:
Suppose you work for a shoe company (for example, SoleShoe) that sells shoes to a large retail chain (AwesomeMart). As a SoleShoe employee, you need access to an application provided by AwesomeMart that helps you manage sales and monitor bottlenecks in the supply chain. In that case, AwesomeMart must control who can authenticate to its application.
The simplest solution is for AwesomeMart to issue separate login credentials to every appropriate user at SoleShoe. However, AwesomeMart has other suppliers as well, and maintaining that information for many users across many organizations is complex.
A more effective solution is for each supplier to federate its users' identities with AwesomeMart. Single Sign-On thus gives AwesomeMart (the Service Provider) a secure way to externalize authentication by integrating with the existing identity infrastructure of SoleShoe (the Identity Provider). Business use cases like this drove the development of federated protocols such as SAML.
Single Sign-On in Upwork with SAML 2.0
With Single Sign-On in Upwork, your employees access the Upwork platform with your company's credentials, so they do not need to register and set up a separate employee profile in Upwork.
In this case, Upwork is the Service Provider (SP) that lets users from different enterprises access the platform. When Upwork receives a SAML response from your company's Identity Provider (IdP), it checks whether that user already exists. If the user account exists, Upwork lets the user in; if it does not, Upwork creates an account for that user automatically.
These are common SAML terms that may help with your setup.
|Term|Definition|
|---|---|
|Service Provider (SP)|The entity that provides the service. Upwork is a service provider that lets users from different enterprises access the Upwork platform without logging in to Upwork separately. In the browser-based flow the SP never talks to the IdP directly; the user's browser acts as the agent that carries all the redirects between them.|
|Identity Provider (IdP)|The entity that provides identities to the service provider. The IdP holds the user profile, such as first name, last name, job code, phone number, etc. Note that different SPs may require different profile information.|
|SAML Request|The authentication request generated by the SP.|
|SAML Response|The authentication response sent by the IdP. It contains information about the user, such as profile information and group/role information.|
|SP-initiated login|The SAML login flow initiated by the service provider. It is triggered whenever a user tries to access protected information in the service provider's application.|
|IdP-initiated login|The SAML login flow initiated by the identity provider. It is triggered when the IdP issues a SAML response that is redirected to the SP to assert the user's identity.|
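As an added example (not Upwork's own code), the following shows the service-provider side of the response handling described above: the checks an SP should make on a SAML Response before trusting it (issuer, InResponseTo for the SP-initiated flow, validity window, audience), followed by the find-or-create user step. It assumes the XML signature has already been verified by a SAML library, uses hypothetical entity IDs, and parses a constructed sample response.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"  # hypothetical SP entity ID
TRUSTED_IDP = "https://idp.soleshoe.example/saml"      # hypothetical IdP entity ID
USERS = {}                                             # stand-in for the SP's user store

# Constructed sample response; the XML signature is omitted and assumed verified already
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req123">
 <saml:Issuer>https://idp.soleshoe.example/saml</saml:Issuer>
 <saml:Assertion><saml:Subject><saml:NameID>alice@soleshoe.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="role"><saml:AttributeValue>buyer</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

def validate_response(xml_text, expected_request_id=None, now=None):
    """Check issuer, InResponseTo, validity window and audience; return (NameID, attributes)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        raise ValueError("response not from the configured IdP")
    # SP-initiated flow: the response must answer a request this SP actually issued
    if expected_request_id and root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the outstanding request")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    ts = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if not (ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was issued for a different service provider")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs

def login_or_provision(name_id, attrs):
    # Look the user up by NameID; create the account on first login. Returns (user, created).
    created = name_id not in USERS
    user = USERS.setdefault(name_id, {"name_id": name_id, **attrs})
    return user, created
```

A response that fails any check is rejected before the user lookup, so a mis-addressed or replayed assertion never reaches account creation.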