What Is SAML and How Does It Work?

SAML is an open standard authentication protocol designed to simplify the authentication process by serving as a middleman between service providers and identity providers.

SAML

SAML (Security Assertion Markup Language)

Back in 2001, the tech sector was looking to establish an XML (Extensible Markup Language) framework that could be used to transfer authentication and authorisation information. The result of their efforts was the Security Assertion Markup Language (SAML), an open standard authentication protocol that simplifies the transfer of authentication data between identity providers (IdP) and service providers (SP).

SAML has defined a standard that makes it possible for external applications and services to confirm that users are who they claim to be. As such, users can access multiple web applications with just one login credential or rather through Single Sign-On (SSO) technology. SAML facilitates this login approach by providing a means to authenticate a user once and then share that authentication with multiple applications.

Before SAML, SSO was only possible with cookies in the same domain. SAML was able to remove the cookie middleman by centralising user authentication data with an identity provider. If an application has an enabled SAML, a line of communication can be opened between the SP and IdP when a user tries to login, thereby providing for a seamless authentication and authorisation process. One which does not require users to remember multiple usernames and passwords.

The most current version of SAML is SAML 2.0 (since 2005), which merges several previous  versions of SAML. Although many systems support earlier versions, SAML 2.0 remains the modern standard.

Benefits of SAML

SAML has been widely embraced as an enterprise solution. This is primarily due to its multiple benefits. Namely:

  • An improved user experience: As mentioned, SAML facilitates SSO, which means users only need login once to gain access to multiple web applications. That means only one set of login credentials to remember and a streamlined authorisation process.
  • A more secure platform experience: Since service providers no longer have to store passwords, they are less susceptible to the many risks associated with data breaches. Likewise, user credentials are also more secure since they never leave the IdP and the safety of protective firewalls. In addition, since IdPs are specialised in creating a wholly secure SAML authentication, they invest ample time and resources into multiple security layers like multi-factor authentication (MFA), et al. Furthermore, SAML relies on public key infrastructure (PKI), which offers added protection against potential attacks.
  • Less customer service strain: Without passwords, customer service can spend less time on password-related reset issues and more time on catering to customer satisfaction.
  • More customised user experience: With SAML, Identity federation - the linking of multiple identities - allows for an optimised user experience while also promoting privacy.
  • More standardised approach: SAML is able to interoperate with any system. That translates to fewer interoperability issues associated with vendor-specific solutions, regardless of system architecture.

How Does SAML Work?

SAML acts as a middleman between an identity provider (IdP) and a service provider or web application. It accomplishes this using defined federated authentication process flows to transfer user information, including identifiers or other attributes. This process is triggered by a user attempting to access a web application or service. For example:

  • User request: the user requests access to a web application or service.
  • Service provider request: the service provider, in this case whatever service or application the user is attempting to use (e.g. Google, Slack, etc.), asks the IdP to authenticate the user.
  • IdP response: the IdP, a system entity that stores and authenticates a user’s identity, provides the service provider with the SAML authentication.
  • Access granted: the service provider grants access to the user if the SAML authentication is successful

FAQ about SAML

How Is SAML Different From Other Authentication Protocols?

orange-plus orange-minus

Unlike other authentication protocols such as OAuth and OpenID Connect, which are mainly used for authorising APIs and web applications, SAML is specifically designed for authenticating users in enterprise and organisational scenarios.

What Are the Main Components of SAML?

orange-plus orange-minus

Identity Provider (IdP): A web application or system that is responsible for authenticating users and creating SAML assertions.

Service Provider (SP): A web application or system that users access, receive, and verify SAML assertions.

SAML assertion: A digital signature containing identity and attribute information about the user that is exchanged between the IdP and the SP.

What Is the Role of IdP and SP in SAML?

orange-plus orange-minus

SAML works by exchanging digitally signed SAML assertions between an identity provider (IdP) and a service provider (SP). The IdP authenticates the user and creates a SAML assertion containing the user's identity and attributes. The SP receives this SAML assertion, checks its validity and authorises the user accordingly.

What Are the Arguments in Favour of SAML?

orange-plus orange-minus

Single sign-on (SSO): Users can log in to one application and then seamlessly access other applications without having to log in again.

Security: SAML uses encryption and digital signatures to ensure the security of authentication and authorisation data.

Interoperability: SAML is a standard protocol supported by a wide range of vendors, which facilitates interoperability between different applications and systems.