Authentication mechanisms used in web applications - SAML (SSO) and LDAP authentication techniques
Why do we need authentication in a web application? This is the most frequent question that comes to a web developer's mind after finishing development. A web application without authentication is always prone to one or more cyber attacks. Such attacks can plant viruses on the computers of users who visit the unprotected site, eventually forcing the machine into repair or damaging it permanently.
To prevent such cyber attacks and keep unauthorized users out, we make use of authentication techniques. In this blog post, we introduce two major authentication techniques widely used in the software and IT industries to protect software.
SAML:
SAML stands for Security Assertion Markup Language. SAML authentication lets a user access multiple applications with a single set of login credentials. Technically, SAML exchanges a user's authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). The exchange is XML based.
SAML is widely used in enterprise applications for several reasons. Some of them are:
- Provides increased security to the application.
- The user doesn't have to remember separate credentials for each application.
- IdPs provide several identity security features, such as Multi-Factor Authentication (MFA) and Single Sign-On (SSO), to protect against cyber attacks.
The SAML authentication flow works like this:
- The user logs in to the web application with his login credentials, through the intranet or similar, and the application starts to load.
- The application identifies the user's origin through his application subdomain and his IP address or similar, and forwards the origin data to the Identity Provider (IdP) with a request to authenticate him.
- The Identity Provider (IdP) checks for an existing, active browser session for the user.
- The IdP then builds an authentication response containing the user's identifier (either username or email id) in an XML document. This response is signed with the private key of the IdP's X.509 certificate and sent to the Service Provider (SP).
- The SP already knows the IdP and holds the fingerprint of its certificate; it retrieves the authentication response and validates the signature against that fingerprint.
- The user's identity is established and he is redirected to the web application.
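As an added example (not code from the original post), here are the SP-side checks from the flow above in Python: the response's Issuer, Destination and InResponseTo, the pinned SHA-256 fingerprint of the IdP certificate, and the assertion's validity window and Audience. The SAML Response, the URLs, the request id and the certificate bytes are all constructed for illustration; verifying the XML signature itself needs an XML-DSig library such as xmlsec and is not shown.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the IdP's DER-encoded X.509 certificate (not a real certificate).
IDP_CERT_DER = b"constructed-idp-certificate-bytes"
# The SP pins the IdP certificate's SHA-256 fingerprint out of band (e.g. from IdP metadata).
PINNED_FINGERPRINT = hashlib.sha256(IDP_CERT_DER).hexdigest()

# Constructed SAML Response, as the SP sees it after base64-decoding the POSTed SAMLResponse.
SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" Destination="https://sp.example.test/saml/acs" InResponseTo="_req42">
 <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
 <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(IDP_CERT_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
 <saml:Assertion><saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion>
</samlp:Response>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, issuer, audience, acs_url, request_id, pinned_fp, now_iso):
    """SP-side checks on a SAML Response. Returns (accepted, detail); detail is the
    NameID on success or the reason for rejection. The XML-DSig signature itself must
    additionally be verified with a library such as xmlsec; that step is not shown here."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        return False, "issuer is not the configured IdP"
    if root.get("Destination") != acs_url or root.get("InResponseTo") != request_id:
        return False, "response not addressed to this SP or to an outstanding request"
    # Trust only the pinned IdP certificate, never whatever certificate the response carries.
    cert_b64 = root.findtext(".//ds:X509Certificate", namespaces=NS) or ""
    if hashlib.sha256(base64.b64decode(cert_b64)).hexdigest() != pinned_fp:
        return False, "signing certificate does not match pinned IdP fingerprint"
    cond = root.find(".//saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window"
    if cond.findtext(".//saml:Audience", namespaces=NS) != audience:
        return False, "assertion intended for a different SP"
    return True, root.findtext(".//saml:NameID", namespaces=NS)
```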
LDAP:
LDAP stands for Lightweight Directory Access Protocol. It is widely used for several reasons. Some of them are:
- Open protocol with a flexible architecture.
- Operates directly over TCP/IP and SSL.
- Has extensive support across industries.
LDAP authentication works like this:
- The client/user sends a request for information stored in the LDAP database, together with his user credentials, to an LDAP server.
- The LDAP server authenticates the submitted credentials against the core identity stored in the LDAP database.
- If the submitted credentials match the stored identity, the user is granted access and receives the requested information. Otherwise, the user is denied access to the LDAP database.