By David Collins
Identity management is a cornerstone of zero trust (ZT) architecture, where it plays a crucial role in enhancing security by demanding authentication and authorisation before granting access to resources. A ZT approach reduces the success rate of cyber-attacks and data breaches through risk-based access requirements, shifting away from a single access control method to an access decision informed by risk.
The Security Assertion Markup Language (SAML), which has been around since 2002 when OASIS announced SAML 1.0, was created to exchange authentication and authorisation information. SAML 2.0, released in 2005, is the version that saw widespread deployment and remains in use today, particularly within enterprise organisations.
SAML was pivotal as the number of web applications grew: it addressed the burden of constant logins by offering single sign-on (SSO), a feature now essential for both individual users and enterprise organisations. It is also commonly used for federation between infrastructures that are not necessarily linked to web services.
The protocol simplifies communication between identity providers and service providers, effectively splitting the roles of web service provider and identity manager, so that users can keep their credentials with one identity provider and use them to access various accounts.
However, while SAML remains a trusted and mature protocol, it has been somewhat overshadowed by newer protocols like OAuth 2.0 and OpenID Connect (OIDC), which cater more efficiently to modern mobile and web applications. OAuth, for instance, commonly uses JSON Web Tokens (JWTs), which are more lightweight and self-contained than SAML’s XML-based tokens. Despite the rise of OAuth and OIDC, SAML 2.0 continues to be a widely used protocol, especially within enterprise organisations, which may be due to its maturity and reliability for large-scale deployments.
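The split between identity provider and service provider described above only delivers security if the service provider actually checks what it receives. The following is an added example, not code from the article: a service-provider-side validation of a constructed SAML 2.0 assertion and a constructed JWT, each checked for issuer, audience and validity window before the subject is trusted. The issuer and audience URLs, the subject, the shared secret and the timestamps are all constructed for the demo. SAML assertions are signed with XML-DSig, which the Python standard library does not implement, so the SAML path assumes the signature was verified upstream and enforces only the assertion's conditions; the JWT path verifies an HS256 signature itself.

```python
"""Service-provider checks on an IdP token, for a SAML assertion and a JWT.

Added example; all identifiers below are constructed, not from a real IdP.
"""
import base64
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP = "https://idp.example.test"                 # constructed issuer
SP = "https://sp.example.test"                   # constructed audience (this SP)
SECRET = b"constructed-shared-secret-for-demo"   # constructed HS256 key
ISSUED = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
NOW = datetime(2024, 1, 1, 12, 2, tzinfo=timezone.utc)    # inside the 5-minute window
LATER = datetime(2024, 1, 1, 12, 10, tzinfo=timezone.utc)  # after NotOnOrAfter / exp

# Constructed SAML 2.0 assertion; a real one also carries an XML-DSig <Signature>.
SAML_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}" ID="_a1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{IDP}</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed JWT claims equivalent to the assertion above (epoch seconds).
JWT_CLAIMS = {"iss": IDP, "sub": "alice@example.test", "aud": SP,
              "nbf": int(ISSUED.timestamp()), "exp": int(ISSUED.timestamp()) + 300}


def parse_ts(s):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_saml_assertion(xml_text, expected_issuer, expected_audience, now):
    """Return the subject NameID if the conditions hold; raise ValueError otherwise.
    Assumes the XML signature over the assertion was already verified."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=SAML_NS) != expected_issuer:
        raise ValueError("unexpected issuer")
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("missing Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < parse_ts(nb)) or noa is None or now >= parse_ts(noa):
        raise ValueError("assertion outside validity window")
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        raise ValueError("audience mismatch")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id:
        raise ValueError("missing subject")
    return name_id


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt_hs256(claims, secret):
    """Mint a compact JWT with an HMAC-SHA256 signature (stand-in for the IdP)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_jwt_hs256(token, secret, expected_issuer, expected_audience, now):
    """Return the subject if signature, issuer, audience and times check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the header's alg must never select the verification method.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("audience mismatch")
    ts = int(now.timestamp())
    if "exp" not in claims or not (claims.get("nbf", 0) <= ts < claims["exp"]):
        raise ValueError("token outside validity window")
    return claims["sub"]


def outcome(check, *args):
    """Run a validator and report ('ok', subject) or ('rejected', reason)."""
    try:
        return ("ok", check(*args))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    token = make_jwt_hs256(JWT_CLAIMS, SECRET)
    print("SAML now:  ", outcome(validate_saml_assertion, SAML_ASSERTION, IDP, SP, NOW))
    print("SAML later:", outcome(validate_saml_assertion, SAML_ASSERTION, IDP, SP, LATER))
    print("JWT now:   ", outcome(validate_jwt_hs256, token, SECRET, IDP, SP, NOW))
    print("JWT later: ", outcome(validate_jwt_hs256, token, SECRET, IDP, SP, LATER))
```

The same four questions (who issued it, who it is for, is it still valid, is it genuine) apply to both formats; the difference the article points to shows up in the tooling. The JWT path fits in the standard library because the token is a self-contained JSON document, whereas the SAML path needs an XML parser and, for the signature, an XML-DSig implementation, which is part of why SAML stacks are heavier to integrate.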
The adoption of SAML by newer SaaS providers as a standard practice could be seen as a testament to its proven security and reliability in managing identities across various services. It raises an important question: “Why do older vendors often reserve SAML support for enterprise licenses?” This strategy might be informed by their business models, which focus on monetising advanced features for larger clients with more complex needs. It reflects the value placed on comprehensive security and identity management and, potentially, the commercial strategies of service providers who reserve advanced features like SAML integration for higher-tier, paid offerings.
However, this approach could potentially hinder the adoption of zero-trust architecture among small and medium-sized enterprises (SMEs). SMEs may find the cost of enterprise solutions prohibitive, which could slow their transition to more secure, identity-centric frameworks that are essential in today’s cybersecurity landscape. The challenge lies in balancing commercial interests with the broader need for accessible and robust security solutions that enable organisations of all sizes to implement zero-trust principles.