An Introduction to SAML (Security Assertion Markup Language)

February 08, 2017
Christine Mikolajczak

SAML is an XML-based standard, developed by OASIS (Organization for the Advancement of Structured Information Standards), for exchanging security information. It lets organizations in different security domains securely exchange authentication and authorization information about their users.

As the number of SaaS applications delivered to employees and consumers grew, so did the need for underlying Single Sign On (SSO) and identity federation standards such as SAML and OpenID. SAML caught on quickly with cloud-based providers such as Google, Salesforce.com and WebEx. Using SAML, an organization can deliver information about user identities and access privileges to a service provider in a safe, secure and standardized way. This covers both Business to Business (B2B) and Business to Consumer (B2C) applications.

There are three main roles in this exchange:

  • End User
  • Identity Provider (IdP)
  • Service Provider (SP)

An Identity Provider (IdP) authenticates end users over the network and issues statements about their identity. It is sometimes also called an identity service provider or an identity assertion provider. A Service Provider (SP) relies on those statements to give end users access to its resources through Single Sign On (SSO).

Here are the two most common SSO flows:

SAML Service Provider Initiated SSO Flow

In this flow, the end user starts the login process at the SP. The SP redirects the user to the IdP with a SAML request (an AuthnRequest). The request contains the information the IdP needs to authenticate the end user and reply to the SP with the correct SAML assertion, carried in a SAMLResponse.

SAML SP Initiated SSO Flow

SAML Identity Provider Initiated SSO Flow

In this flow, the end user starts the login process at the IdP. The IdP must be configured with the SP's SAML metadata, such as the Assertion Consumer Service URL, Issuer, and Audience. The IdP sends a SAML assertion (SAMLResponse) to the SP, which the SP validates against its configured requirements.

SAML IdP Initiated SSO Flow
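The following is an added example, not code from the original post or from SecureAuth, that models both flows above on the SP side with only the Python standard library. It builds the AuthnRequest of the SP-initiated flow, encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), and then runs the checks an SP should pass before trusting a SAMLResponse: Destination matches the SP's ACS URL, Status is Success, Issuer is the configured IdP, the SP's entity ID is in the Audience, the NotBefore/NotOnOrAfter window holds, and InResponseTo matches an outstanding request (for the SP-initiated flow) or is absent (for the IdP-initiated flow, whose response is unsolicited). All entity IDs and URLs are constructed sample values, the SAMLResponse is a constructed, unsigned sample, and XML signature verification is assumed to happen before `validate_response` is called; a real SP must verify the signature with an XML-DSig library.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
FMT = "%Y-%m-%dT%H:%M:%SZ"  # SAML dateTime in UTC; sample data uses whole seconds

# Constructed sample configuration for one SP/IdP pair (not real endpoints).
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
IDP_SSO_URL = "https://idp.example.com/saml/sso"

def build_authn_request(request_id, issued_at):
    """SP-initiated flow, step 1: the AuthnRequest the SP sends to the IdP."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issued_at.strftime(FMT)}" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def redirect_binding_url(authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{IDP_SSO_URL}?{urlencode(params)}"

def decode_redirect_binding(url):
    """IdP side: recover the AuthnRequest XML from the redirect URL."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()

def sample_response(issued_at, in_response_to=None, audience=SP_ENTITY_ID, issuer=IDP_ENTITY_ID):
    """Constructed, unsigned SAMLResponse as an IdP would return it (sample data only).
    in_response_to is None for the IdP-initiated flow, where no request preceded it."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    stamp = issued_at.strftime(FMT)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{stamp}" '
            f'Destination="{SP_ACS_URL}"{irt}><saml:Issuer>{issuer}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{stamp}">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            '<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{(issued_at - timedelta(minutes=1)).strftime(FMT)}" '
            f'NotOnOrAfter="{(issued_at + timedelta(minutes=5)).strftime(FMT)}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')

def _instant(value):
    return None if value is None else datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)

def validate_response(response_xml, now, expected_in_response_to=None):
    """SP side: checks to pass before trusting a SAMLResponse. Returns (ok, reason, name_id).
    Assumes the XML signature has already been verified by an XML-DSig library."""
    root = ET.fromstring(response_xml)
    if root.tag != f'{{{NS["samlp"]}}}Response':
        return False, "not a samlp:Response", None
    if root.get("Destination") != SP_ACS_URL:
        return False, "Destination is not our ACS URL", None
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success", None
    # SP-initiated: must match the request we issued. IdP-initiated: must be absent.
    if root.get("InResponseTo") != expected_in_response_to:
        return False, "InResponseTo does not match the outstanding AuthnRequest", None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion", None
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "Issuer is not the configured IdP", None
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions", None
    nb, noa = _instant(cond.get("NotBefore")), _instant(cond.get("NotOnOrAfter"))
    if (nb and now < nb) or (noa and now >= noa):
        return False, "outside NotBefore/NotOnOrAfter window", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "SP is not in the Audience", None
    return True, "ok", assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(microsecond=0)
    req_id = f"_{uuid.uuid4().hex}"
    url = redirect_binding_url(build_authn_request(req_id, now), relay_state="/dashboard")
    print(decode_redirect_binding(url)[:40])
    print(validate_response(sample_response(now, req_id), now, req_id))  # SP-initiated
    print(validate_response(sample_response(now), now))                   # IdP-initiated
```

The InResponseTo rule is the practical difference between the two flows: in the SP-initiated flow the SP keeps the ID of each AuthnRequest it issued and rejects any response that does not reference one, while in the IdP-initiated flow there is no such anchor, so the SP must lean entirely on the signature, Issuer, Audience, Destination and validity window.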

SAML defines a request/response protocol for exchanging XML messages between these roles. The standard specifies four main components: profiles, assertions, protocols, and bindings.

SAML's 4 main Components

  • SAML profiles describe in detail how assertions, protocols, and bindings combine to support a defined use case.
  • SAML bindings map SAML protocol messages onto standard messaging formats and/or communications protocols.
  • SAML protocols define how SAML elements are packaged into request and response messages.
  • SAML assertions carry a packet of security information or decision information about a subject.

The bottom line is that to utilize SAML – in any form – your organization needs to become an IdP (Identity Provider). Just as individuals should never share sensitive personal information like their banking PIN, enterprises too should be wary of sharing critical data that could put them at risk if it fell into the wrong hands. Trusting user identities to third parties means that you will always have to keep your fingers crossed that those outside of your organization are following best practices and not degrading your organization’s security.

Granted, becoming an IdP sounds like a serious burden, especially for organizations with limited IT resources. The quickest way to become your own IdP is to implement SecureAuth. With SecureAuth your organization evolves from simply “holding” identities (AD, LDAP, SQL) to becoming a full, secure, guidance-compliant, highly available identity provider. With SecureAuth, you will be able to serve up secure identities to on- and off-premise applications in a standardized, automated and auditable fashion.

Read more about SecureAuth and Single Sign-On

Calculate your productivity savings with our SSO Calculator

Contact us to explore SecureAuth!
