Last tested: Jun 21, 2019
What is SAML?
SAML, short for Security Assertion Markup Language, is an XML-based open standard for exchanging authentication and authorization data between an identity provider and a service provider. It is most often used for Single Sign On (SSO): the user authenticates once with the identity provider and can then access several different web services without entering credentials at each one.
Several companies sell identity provider products that implement SAML, as a way to make authentication easier to manage and standardized across a company. Okta and OneLogin are two examples.
How does SAML work?
SAML SSO works by transferring the user's identity from one place (the identity provider, or IdP) to another (the service provider, or SP). This is done through an exchange of digitally signed XML documents, carried over HTTP (normally through the user's browser, using the Redirect and POST bindings) or, for back-channel calls between the two parties, SOAP.
A generic interaction among the roles involved in the SAML standard can be summarised as follows:
1. User profiles and credentials are generally stored centrally in one system, which can be a home-grown system or an IAM solution. In SAML terms this central identity service is the identity provider.
2. When a user tries to access a secured page or resource on an application (the service provider), the application redirects the user to the central identity service via the user agent (the browser).
3. The central identity service tries to authenticate the user. If that succeeds, it creates a session for the authenticated user, then creates a SAML token (an XML message, the assertion) and sends it back to the original application, either directly or, more usually, indirectly via the user agent.
4. This SAML token contains the required identity data: the authentication method used, any authorisation decisions, user attributes and so on. The application validates the token (its signature, its issuer, the audience it was issued for and its validity period) and then uses it to create a local HTTP session, treating the user as logged in.
5. If the same user tries to access another application of the same organisation, that application also redirects the user to the central identity service, as in step 2.
6. The central identity service recognises that this user is already logged in and skips the authentication step. It generates a new SAML token and shares it with this second application. Steps 5 and 6 are generally transparent to the end user.
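The exchange in the steps above, as an added example that is not part of the original page and is not Looker's, Okta's or OneLogin's code: a stdlib-only Python run of the SAML Web Browser SSO flow. The service provider builds an AuthnRequest for the HTTP-Redirect binding (DEFLATE, then base64), the identity provider answers with a Response carrying a signed Assertion for the HTTP-POST binding, and the service provider runs the checks it must pass before creating a local session. Two simplifications are assumptions of this example rather than part of SAML: the entity IDs, URLs and key are constructed placeholders, and the signature is an HMAC-SHA256 over the serialized Assertion standing in for XML-DSig (a real IdP signs with the private key of its certificate, and the SP verifies against the certificate published in the IdP's metadata).

```python
# Added example, not code from the original page or from Looker/Okta/OneLogin: a toy
# SAML Web Browser SSO exchange following the numbered steps above, stdlib only.
# ASSUMPTIONS: entity IDs, URLs and the signing key are constructed placeholders, and
# an HMAC-SHA256 over the serialized Assertion stands in for the XML-DSig signature.
import base64
import hashlib
import hmac
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

IDP_ENTITY_ID = "https://idp.example.com/metadata"          # constructed placeholder
IDP_SSO_URL = "https://idp.example.com/sso"                 # constructed placeholder
SP_ENTITY_ID = "https://looker.example.com/saml/metadata"   # constructed placeholder
SP_ACS_URL = "https://looker.example.com/samlcallback"      # constructed placeholder
IDP_SIGNING_KEY = b"example-idp-signing-key"                # stand-in for the IdP certificate

def _ts(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
def _parse_ts(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def _q(ns, local): return "{%s}%s" % (ns, local)

def sp_build_authn_request(now=None):
    """Step 2: the SP builds an AuthnRequest for the HTTP-Redirect binding (raw DEFLATE,
    then base64). Returns (request_id, SAMLRequest); the SP must remember request_id."""
    now = now or datetime.now(timezone.utc)
    req_id = "_" + secrets.token_hex(16)
    req = ET.Element(_q(SAMLP, "AuthnRequest"), {
        "ID": req_id, "Version": "2.0", "IssueInstant": _ts(now),
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": SP_ACS_URL})
    ET.SubElement(req, _q(SAML, "Issuer")).text = SP_ENTITY_ID
    raw_deflate = zlib.compress(ET.tostring(req))[2:-4]  # strip zlib header and adler32 trailer
    return req_id, base64.b64encode(raw_deflate).decode()

def idp_build_response(saml_request, subject, now=None, key=IDP_SIGNING_KEY):
    """Steps 3-4: the IdP decodes the request, authenticates the user (assumed already
    done) and returns a base64 Response for the HTTP-POST binding. Its Assertion names
    the subject, restricts the audience to this SP and is valid for a few minutes."""
    now = now or datetime.now(timezone.utc)
    req = ET.fromstring(zlib.decompress(base64.b64decode(saml_request), -15))
    resp = ET.Element(_q(SAMLP, "Response"), {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": _ts(now),
        "Destination": req.get("AssertionConsumerServiceURL"), "InResponseTo": req.get("ID")})
    ET.SubElement(resp, _q(SAML, "Issuer")).text = IDP_ENTITY_ID
    a = ET.SubElement(resp, _q(SAML, "Assertion"), {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(a, _q(SAML, "Issuer")).text = IDP_ENTITY_ID
    subj = ET.SubElement(a, _q(SAML, "Subject"))
    ET.SubElement(subj, _q(SAML, "NameID"), {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}).text = subject
    cond = ET.SubElement(a, _q(SAML, "Conditions"), {
        "NotBefore": _ts(now - timedelta(minutes=1)),
        "NotOnOrAfter": _ts(now + timedelta(minutes=5))})
    aud = ET.SubElement(cond, _q(SAML, "AudienceRestriction"))
    ET.SubElement(aud, _q(SAML, "Audience")).text = SP_ENTITY_ID
    # Signature stand-in (assumption): HMAC over the serialized Assertion, as an attribute.
    resp.set("Signature", hmac.new(key, ET.tostring(a), hashlib.sha256).hexdigest())
    return base64.b64encode(ET.tostring(resp)).decode()

def sp_validate_response(saml_response, expected_request_id, now=None, key=IDP_SIGNING_KEY):
    """Step 4, SP side: the checks to run before creating a local session.
    Returns (True, subject) or (False, reason)."""
    now = now or datetime.now(timezone.utc)
    resp = ET.fromstring(base64.b64decode(saml_response))
    if resp.get("Destination") != SP_ACS_URL:
        return False, "Destination is not our ACS URL"
    if resp.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match an outstanding request"
    if resp.findtext(_q(SAML, "Issuer")) != IDP_ENTITY_ID:
        return False, "unexpected Issuer"
    assertions = resp.findall(_q(SAML, "Assertion"))
    if len(assertions) != 1:  # a second Assertion is how signature-wrapping attacks begin
        return False, "expected exactly one Assertion"
    a = assertions[0]
    expected = hmac.new(key, ET.tostring(a), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, resp.get("Signature") or ""):
        return False, "signature invalid"
    # Only read the signed contents once the signature has been verified.
    if a.findtext(_q(SAML, "Issuer")) != IDP_ENTITY_ID:
        return False, "Assertion Issuer mismatch"
    cond = a.find(_q(SAML, "Conditions"))
    if not _parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window"
    if SP_ENTITY_ID not in [e.text for e in cond.iter(_q(SAML, "Audience"))]:
        return False, "assertion was issued for a different service provider"
    return True, a.findtext(_q(SAML, "Subject") + "/" + _q(SAML, "NameID"))

def run_sso(subject="alice@example.com"):
    """Happy-path exchange; returns the validated subject, or None if validation fails."""
    req_id, saml_request = sp_build_authn_request()
    ok, result = sp_validate_response(idp_build_response(saml_request, subject), req_id)
    return result if ok else None
```

Each check in sp_validate_response closes a specific hole: InResponseTo stops replayed or unsolicited responses, Destination stops a response meant for another consumer URL from being accepted here, the Audience check stops a token issued to a different service provider from logging the user into this one, and the time window bounds how long a captured response stays usable. Requiring exactly one Assertion and reading its contents only after the signature has been verified is what defeats XML signature-wrapping attacks, where a second, unsigned assertion is smuggled in next to a validly signed one; in a real deployment the signature verification must also be tied to the assertion the SP then reads, which is the part this HMAC stand-in glosses over.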
What does this have to do with Looker?
Looker supports logging in with a SAML identity provider; in SAML terms Looker is the service provider. Often, users and prospects already have a SAML provider that they want to use with Looker, to avoid setting up credentials specifically for Looker. When a Looker instance has SAML activated, users who come to the instance are redirected to the SAML provider to authenticate, and the signed assertion the provider returns is what grants them access into Looker.