Sep 28, 2022 | By Terry Alortott
Security for a company can be daunting, especially today, when most transactions happen online or through services rather than products. With this steady growth of digital markets, it is often assumed that your sign-ins and transactions are secure. But security isn't as simple as waving a magic wand; it takes some know-how and some skill to make sure your company is on the right security track. To help with that, we're going to look at some core security concepts, such as SAML, and at how to visualize the security process itself within TeamFlow to understand it better.
Let's start off by asking "What is SAML?" SAML stands for "Security Assertion Markup Language". SAML messages are written in XML, a format for transferring data between systems.
Note: XML, or "Extensible Markup Language", is a standardized data format dating back to 1996. XML is how SAML messages are formatted and written. Before XML, each protocol had its own way to transfer data, which became a bit of a headache. Using XML as the standard works well because XML is lightweight, easy to read, and predictable. XML also organizes its data into stanzas, somewhat like a poem, so it is simple for us to interpret the information coming in and being sent out.
When SAML sends data between two systems, the two parties involved are an Identity Provider (IdP) and a Service Provider (SP). When these two shake hands, they let you into an application, or let you sign up on a website using your existing email identity. So let's take a look at how this process happens and how it looks when visualized as a process flow.
Note: There is one more party in SAML, referred to as the "principal". This is almost always you, the human subject, but for simplicity we'll stick to the IdP and the SP.
With SAML, you can access many sign-ins with a single credential, because authentication is handled once by the IdP and then asserted to each SP. For now, let's look at how SAML works in a real setting. Let's make up a situation in which SAML is used, with a user named "Gandalf".
Gandalf wakes up in the morning and the first thing he does is sign in to MiddleEarthMail.com. This is a good thing, because MiddleEarthMail.com supports SSO (Single Sign-On). This means that once Gandalf enters his login credentials for his email, the system remembers that he has already signed in. So even if he closes the email tab in his browser, he can open it again and he is still connected.
Gandalf is also planning a little adventure, so he wants to sign up for Trello to plan his "workcation". Instead of creating a new username and password, Gandalf can use SAML to sign in with his MiddleEarthMail account. No new passwords needed and no new confirmation emails. He simply logs in, because Trello is able to send a request to Gandalf's Identity Provider.
MiddleEarthMail receives the request and identifies the user it refers to. It then sends authentication and authorization messages back to the Service Provider, Trello. All of this happens in a matter of milliseconds, with no fuss or worry.
Gandalf is able to log in to Trello and start forming his team by sending out eight emails inviting people to join the new Trello board.
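The last step of the exchange above, the SP checking what the IdP sent back, as an added example (not code from the original post or from TeamFlow): a minimal consumer for a SAML Response that verifies the status, the issuer, the validity window and the audience before trusting the asserted user. The XML message and the domains in it are constructed placeholders, and the example assumes the response's XML signature has already been verified by a proper SAML library.

```python
# Added example, not from the original post. Constructed SAML Response with placeholder domains;
# assumes the XML signature was already verified by a SAML library before this code runs.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Constructed sample: the IdP (MiddleEarthMail) asserting Gandalf's identity to the SP (Trello).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2022-09-28T08:00:00Z" Destination="https://trello.example/saml/acs">
  <saml:Issuer>https://idp.middleearthmail.example</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-09-28T08:00:00Z">
    <saml:Issuer>https://idp.middleearthmail.example</saml:Issuer>
    <saml:Subject><saml:NameID>gandalf@middleearthmail.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2022-09-28T07:59:00Z" NotOnOrAfter="2022-09-28T08:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://trello.example</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    # SAML timestamps are UTC; parse into an aware datetime for safe comparison.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def consume_response(xml_text, expected_issuer, expected_audience, now):
    """Return the asserted NameID if every check passes, otherwise raise ValueError."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if not status.endswith(":Success"):
        raise ValueError("IdP reported failure: " + status)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    # Only assertions from the IdP this SP was configured to trust are acceptable.
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("unexpected issuer")
    cond = assertion.find("saml:Conditions", NS)
    # Reject assertions outside NotBefore/NotOnOrAfter so stale ones cannot be replayed.
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    # An assertion minted for a different SP must not log the user in here.
    if expected_audience not in audiences:
        raise ValueError("assertion not intended for this service provider")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
```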
SAML is a great way to streamline your logins. It means less friction for new users while still providing security for your site and your users. Security is one of those fields where the deeper you get into it, the more complex it becomes. TeamFlow helps with that by giving you visualizations to understand that complexity. As we've seen, we are able to import, export, create, edit, and share all kinds of security information, such as Standard Operating Procedures (SOPs) and process models of our security workflows related to user logins.
Each graph will be unique to what you need, but with these blog posts we can give you an idea of how other people build their workflows and pipelines. With a few simple clicks, TeamFlow was able to produce a detailed onboarding process flow. This also becomes our source of truth, so we can add more as our needs change and update our docs in real time.
If you have any suggestions or feedback on this article, please drop us a line. As always, thank you for reading, and we hope you check back soon for more helpful guides on compliance and other industry topics. To be notified when we post our next article, please follow us on Twitter and LinkedIn.