SAML is a popular online security protocol that verifies a user’s identity and privileges. It enables single sign-on (SSO), allowing users to access multiple web-based resources across multiple domains using only one set of login credentials.
SAML stands for Security Assertion Markup Language. SAML is an open standard used for authentication. It provides single sign-on across multiple domains, allowing users to authenticate only once. Users gain access to multiple resources on different systems by supplying proof that the authenticating system successfully authenticated them.
SAML is the most widely adopted federated identity standard for authentication. It works by passing a SAML token (called an assertion) containing identifying user information between the authenticating system and a system on a different domain that offers a resource. Typically, the resource is a web- or cloud-based application. Resources can be internal to an organization, externally hosted, or delivered as a service.
What is SAML Authentication?
SAML authentication is the process of verifying the user’s identity and security credentials. A user’s credentials specify who the user is. At a minimum, a user’s credentials must include a username and password. Depending on the level of protection desired, organizations may require additional security strategies, such as:
- Two-factor authentication (2FA) or multifactor authentication (MFA)
- An identifying image chosen by the user
- A challenge test, such as CAPTCHA, which can distinguish between a human response and machine input
- Biometrics, such as a fingerprint or retinal scan
SAML also supports authorization, which defines a user’s privileges. The set of privileges assigned to an individual user typically depend on the user’s role or job responsibilities. SAML authorization tells the authenticating system what type of access each user is allowed to have. SAML simplifies this process by designating an identity provider (IdP) as a single point of authentication and authorization. The identity provider has authority to grant or deny access to each user, depending on the user’s identifying credentials.
Although SAML covers federation, identity management, and single sign-on (SSO), its most common use in modern practice is SSO. By allowing users to access multiple applications using only one set of login credentials, SAML SSO eliminates the need to keep track of a jumbled assortment of username and password combinations. Requiring users to remember only one username and password provides a simpler, more streamlined user experience. It also makes it less likely that users will forget their passwords, use the same password for multiple applications, or choose passwords that are weak and easy to guess.
SAML SSO improves security by centralizing authentication and authorization, making it unnecessary to store a separate set of user credentials for each individual application. It shifts the responsibility of storing sensitive information to the system that is best equipped to manage many layers of security—a smart strategy that reduces risk. In addition, this approach lowers support costs by reducing the number of Help Desk calls needed to assist users who have lost or forgotten their passwords.
It’s important to note that SAML is not the same as SSO. SAML is an XML-based computer language that facilitates single sign-on. SSO is an umbrella term for any of several methods, including SAML, OpenID Connect, and OAuth, that lets you use one set of login credentials, such as a username and password, to log into multiple applications.
SAML facilitates the exchange of user identity data between two types of SAML providers:
- Identity provider (IdP)—A SAML authority that centralizes user identity data and provides a single point of secure authentication. The IdP can be an in-house identity and access management (IAM) system or a hosted authentication SAML service provider, such as Google Apps.
- Service provider (SP)—A SAML consumer that offers a resource to users. Typically, that resource is a web-based application or a paid subscription service, such as a customer relationship management (CRM) platform.
A SAML assertion is a packet of information (also known as an XML document) that contains all the information necessary to confirm a user’s identity, including the source of the assertion, a timestamp indicating when the assertion was issued, and the conditions that make the assertion valid. SAML defines three different types of assertion statements:
- Authentication— An authentication assertion affirms that a specific identity provider authenticated a specific user at a specific time.
- Attribute—An attribute is an identifying detail associated with a specific user. Examples of attributes include data such as the user’s first name, last name, email address, phone number, X.509 public certificate file, and so on.
- Authorization decision—The authorization decision informs whether a specific user has been allowed or denied access to the requested resource. Typically, a SAML Policy Decision Point (PDP) issues this type of assertion when a user requests access to a resource.
A typical SAML assertion comprises a single authentication statement and an optional single attribute statement; however, in certain cases, a SAML response can contain multiple assertions.
SAML 2.0 is an XML-based authentication protocol for identity federation that provides seamless single sign-on access to Business-to-Business (B2B) and Business-to-Employee (B2E) applications. SAML 2.0 facilitates the exchange of user identity data across multiple security domains. These domains may be separate organizations or divisions within an enterprise.
Widely adopted since its introduction in 2005, SAML 2.0 is a mature standard used primarily for enterprise and government applications.