SAML 2.0 for the Quasi-Technical

I’ve recently begun the process of transitioning over to a role as a Technical Account Manager at Trello. What this means is—as with all “you’re the first person to do it” roles at startups—a little bit TBD, but for right now it involves being the point person for Single Sign On (SSO) implementation for our Enterprise customers. SSO allows our customers to set up their own login portal for all of the services that their employees use. That portal handles credentials, meaning that end users only have to remember one username and password combo (as well as providing an easier way to disable access to those services if someone leaves the company). It’s the business equivalent of using the “log in with Facebook/Google” option you’ll see on many websites.

SSO can be implemented with a few different protocols, because the internet is full of slightly-different wheels. I’m learning about Security Assertion Markup Language (SAML), which has two versions: 1.1 and 2.0. The SAML protocol provides a standard for how to format XML passed between an Identity Provider (whatever a company is using to keep track of its users and their information) and the Service Provider (Trello, in this case). Trello’s SSO implementation is (currently) Identity Provider (IdP)-initiated SAML 2.0. This stands in contrast to Service Provider (SP)-initiated SAML, and the non-SAML alternatives.

As part of moving in to the new role, I wanted to read up on SAML and get a general sense of how the protocol actually works. This was to help reduce the number of times I needed to go to engineers for communication reasons—because I didn’t know what the user was talking about when they mentioned federation and they didn’t know which cert I meant when I asked for an SSO cert.

(For the record, the cert I needed in that particular instance was a Base64-encoded X.509 cert. Hat tip to Amanda Allison for teaching me to recognize base64-encoded strings by sight/the basics of “certs, what do” and to Barry Clark for telling me the “X.509” bit.)

Unfortunately, trying to educate myself about SSO—and SAML in particular—proved very difficult. The resources that exist are mostly targeted to two audiences: end users at large corporations who need to know a bit about how their particular SSO product works (too low-level and IdP-specific for me) and developers with an interest in cryptography who are actually building SAML integrations (impenetrably dense, and way higher-level than I needed).

However, with diligent googling and bugging of coworkers (second hat tip to Barry, in particular, as well as much of the rest of Trello’s server team) I was able to scrounge up some resources. I’m including them here for anyone else who may find themselves in the same boat in the future. These resources have been helpful to me as someone with no formal CS background but 3 1/2 years of hands-on technical troubleshooting experience for SaaS companies, some of it technical in nature. I also have some basic knowledge of encoding which people may not have coming to the table. In that case, reading more about encoding may be useful.

A SAML Whitepaper: How to Study and Learn SAML – Clear writing and concise recommendations for more technical places to read more. If I had to recommend one piece of information for someone in my situation, it would be this article.

The SAML 2.0 Wikipedia page – Most of this was actually far too high-level for me. But the top section of the article gives useful context on SAML 2.0 vs. SAML 1.1 as well as a little bit of historical context for how/why SAML 2.0 came to be. As I progressed further in other articles, the example protocols in the article proved to be helpful to actually see what the other articles were discussing.

SAML 2.0 Technical Overview – Despite being a technical overview, the writing in this document is fairly clear and easy to follow, and each section is very short and targeted. If you’re thrown a term you don’t know, this document is a good starting point for figuring out what it might mean without having to wade through something hideously technical or possibly unrelated to what you’re curious about.

Identity Management (The Open Group) – This YouTube series is a little bit silly, but does use an easy-to-understand narrative format to discuss the basics of identity management across platforms. It’s not specific to SAML but gives a good general overview of how SSO works in non-technical language, and is a good starting point if you haven’t previously had to use corporate SSO yourself.

The first answer on this StackOverflow post – I lucked out and the first few users I asked sent me their X.509 certs as plain-text files. Subsequent users sent over actual cert files (which my computer tried to open in its keychain—TextWrangler solved the issue). The first answer in this SO post provides a good overview for why I received actual cert files, what’s in them, and why the file formats are so variable.

Hands On Training: Enable SSO With SAML and Salesforce Identity – This video is nearly three hours long and I have not watched all of it. But, the bits I have watched have been a useful walkthrough of configuring something similar to what I’m setting up.
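The “Base64-encoded X.509 cert” mentioned earlier and the “actual cert files” in the StackOverflow item are the same thing in different wrappers, and the following script shows how to tell them apart and normalize them. It is an added example, not code from the original post or from Trello: it reads an IdP signing cert whether it arrives as a bare Base64 blob (the form it takes inside the `<ds:X509Certificate>` element of SAML metadata), as a PEM text file with `-----BEGIN CERTIFICATE-----` headers, or as a binary DER `.cer` file (the kind a desktop keychain tries to import), and converts it to the PEM form most SSO admin screens ask for. The metadata fragment and the “certificate” bytes are constructed for illustration (a minimal ASN.1 SEQUENCE, not a real certificate); the namespace URIs are the real SAML 2.0 metadata and XML-DSig ones, and the helper names are my own.

```python
"""Normalize an SSO signing certificate, whatever form it arrived in.

Added example (not from the original post). The sample metadata and the
"certificate" bytes below are constructed stand-ins, not a real cert.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Namespaces defined by the SAML 2.0 metadata spec and XML-DSig.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

# Constructed stand-in for DER: an ASN.1 SEQUENCE (tag 0x30) wrapping one
# INTEGER. A real certificate is also an outer SEQUENCE, which is the
# only property the sanity check below relies on.
SAMPLE_DER = bytes.fromhex("300302017b")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")  # "MAMCAXs="

# Constructed IdP metadata fragment: the signing cert sits in KeyDescriptor
# as bare Base64, with no PEM headers.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{SAMPLE_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def looks_like_base64(text: str) -> bool:
    """The by-eye check turned into code: only the Base64 alphabet, correct
    padding, and strict decoding succeeds (whitespace/line wraps ignored)."""
    compact = "".join(text.split())
    if not compact or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        return False
    try:
        base64.b64decode(compact, validate=True)
        return True
    except binascii.Error:
        return False


def is_der_sequence(data: bytes) -> bool:
    """Every X.509 certificate is an outer ASN.1 SEQUENCE (tag 0x30). Check
    the tag and that the encoded length matches the blob, so a truncated
    or double-encoded file is rejected."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:  # short-form length: one byte
        return len(data) == 2 + first
    n = first & 0x7F  # long form: the next n bytes hold the length
    if n == 0 or len(data) < 2 + n:
        return False
    length = int.from_bytes(data[2:2 + n], "big")
    return len(data) == 2 + n + length


def to_der(blob) -> bytes:
    """Accept bytes (binary DER, or PEM/Base64 read in binary mode) or str
    (PEM or bare Base64) and return the raw DER bytes."""
    if isinstance(blob, bytes):
        if is_der_sequence(blob):
            return blob  # already binary DER, nothing to decode
        text = blob.decode("ascii")  # otherwise treat it as text
    else:
        text = blob
    m = PEM_RE.search(text)
    body = m.group(1) if m else text  # strip PEM headers if present
    if not looks_like_base64(body):
        raise ValueError("input is neither DER, PEM, nor bare Base64")
    der = base64.b64decode("".join(body.split()), validate=True)
    if not is_der_sequence(der):
        raise ValueError("decoded bytes are not a DER SEQUENCE")
    return der


def to_pem(der: bytes) -> str:
    """Wrap DER in the Base64 PEM form, 64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def cert_from_metadata(xml_text: str) -> bytes:
    """Pull the signing cert out of IdP metadata, where it is bare Base64."""
    root = ET.fromstring(xml_text)
    kd = root.find(".//md:KeyDescriptor[@use='signing']", NS)
    el = kd.find(".//ds:X509Certificate", NS) if kd is not None else None
    if el is None or not el.text:
        raise ValueError("no signing certificate in metadata")
    return to_der(el.text)


if __name__ == "__main__":
    print(to_pem(cert_from_metadata(SAMPLE_METADATA)))
```

The length check in `is_der_sequence` is what catches the common mix-ups: a PEM file that was Base64-encoded a second time before being pasted, or a binary `.cer` truncated by a text editor, both fail it. It only proves the bytes are a well-formed outer SEQUENCE; to confirm they are a certificate at all, and to read its subject and expiry, hand the returned DER to a real X.509 parser such as the `cryptography` library.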

If anyone else has recommendations for articles, videos, or books on the topic that are a fit for a similar audience, or if you’re in a similar situation in your role at work, I’d love to hear from you.

(Thanks to Ryan Sorensen for proof-reading this post. Errors mine, clever editorial suggestions his.)

