SAML authentication

Single sign-on based on Security Assertion Markup Language

SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties, in particular between an identity provider (IdP) and a service provider (SP). It enables single sign-on (SSO), allowing users to authenticate once with the IdP and then access multiple services without needing to log in again.

How SAML authentication works

The SAML authentication flow involves the following steps:

  1. A user attempts to access a protected resource on the service provider.
  2. The service provider redirects the user to the identity provider for authentication.
  3. The identity provider authenticates the user using its internal mechanisms (e.g., username and password, MFA).
  4. Upon successful authentication, the identity provider generates a SAML assertion, which includes the user's identity and any additional attributes.
  5. The SAML assertion is signed and sent back to the service provider via the user's browser.
  6. The service provider validates the SAML assertion and grants the user access to the requested resource.
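
The service-provider side of steps 4 to 6, as an added example that is not part of the original page: a minimal IdP issues a Response with one signed assertion, and the SP validates it in the order a real implementation should (signature first, then issuer, validity window, audience, bearer confirmation and replay). The entity IDs, ACS URL, key, timestamps and the `SamlValidationError` type are constructed for the example; the signature is an HMAC over the canonicalised assertion with the signature element removed, standing in for the enveloped XML Signature (RSA or ECDSA) a real IdP produces, which needs an XML-DSig library rather than the standard library alone.

```python
"""SP-side validation of a SAML Response (added example; stdlib only)."""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML, "samlp": SAMLP, "ds": DS}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed trust configuration; in a real deployment it comes from exchanged metadata.
IDP_ENTITY_ID = "https://idp.example.org/metadata"
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
CLOCK_SKEW = timedelta(minutes=3)
# Stand-in for the IdP signing key published in metadata: real assertions carry an XML
# Signature (RSA/ECDSA); a shared HMAC key keeps this runnable without an XML-DSig library.
IDP_KEY = b"constructed-demo-key"


class SamlValidationError(Exception):
    pass


def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _mac(elem, key):
    # Canonicalise before signing, as XML-DSig does, so attribute or namespace
    # reordering on the wire cannot break (or bypass) the check.
    canonical = ET.canonicalize(ET.tostring(elem, encoding="unicode"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).digest()


def build_response(request_id, name_id, now, key=IDP_KEY, audience=SP_ENTITY_ID):
    """IdP side (steps 4-5): issue a Response carrying one assertion signed over its own content."""
    a = ET.Element(f"{{{SAML}}}Assertion", ID="_" + secrets.token_hex(16),
                   Version="2.0", IssueInstant=_ts(now))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = name_id
    conf = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", Method=BEARER)
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", InResponseTo=request_id,
                  Recipient=SP_ACS_URL, NotOnOrAfter=_ts(now + timedelta(minutes=5)))
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=_ts(now),
                         NotOnOrAfter=_ts(now + timedelta(minutes=5)))
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"),
                  f"{{{SAML}}}Audience").text = audience
    # Enveloped signature: computed while ds:Signature is absent, then appended inside the assertion.
    mac = _mac(a, key)
    sig = ET.SubElement(a, f"{{{DS}}}Signature")
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_" + secrets.token_hex(16),
                      InResponseTo=request_id, Version="2.0", IssueInstant=_ts(now))
    ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode", Value=SUCCESS)
    resp.append(a)
    return ET.tostring(resp)


def validate_response(response_xml, request_id, now, seen_ids, key=IDP_KEY):
    """SP side (step 6): return the authenticated NameID or raise SamlValidationError."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if root.tag != f"{{{SAMLP}}}Response" or code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("not a successful samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one assertion")
    a = assertions[0]
    # 1. Signature first: nothing inside the assertion is trusted until it verifies.
    sig = a.find("ds:Signature", NS)
    if sig is None:
        raise SamlValidationError("assertion is not signed")
    value = sig.findtext("ds:SignatureValue", default="", namespaces=NS)
    a.remove(sig)  # the enveloped-signature transform: verify over the assertion without it
    if not hmac.compare_digest(_mac(a, key), base64.b64decode(value)):
        raise SamlValidationError("bad signature on assertion")
    # 2. Issuer must be the IdP whose key we trust from metadata.
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlValidationError("unexpected issuer")
    # 3. Validity window, tolerating clock skew between IdP and SP.
    cond = a.find("saml:Conditions", NS)
    if cond is None or _parse_ts(cond.get("NotBefore")) > now + CLOCK_SKEW \
            or now - CLOCK_SKEW >= _parse_ts(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion outside its validity window")
    # 4. Audience restriction: an assertion minted for another SP must not log a user in here.
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise SamlValidationError("assertion issued for a different audience")
    # 5. Bearer confirmation binds the assertion to our outstanding request and our ACS endpoint.
    conf = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = conf.find("saml:SubjectConfirmationData", NS) if conf is not None else None
    if conf is None or data is None or conf.get("Method") != BEARER \
            or data.get("InResponseTo") != request_id or data.get("Recipient") != SP_ACS_URL \
            or now - CLOCK_SKEW >= _parse_ts(data.get("NotOnOrAfter")):
        raise SamlValidationError("subject confirmation does not match this login attempt")
    # 6. Replay protection: each assertion ID is accepted exactly once.
    if a.get("ID") in seen_ids:
        raise SamlValidationError("assertion replayed")
    seen_ids.add(a.get("ID"))
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    req = "_" + secrets.token_hex(8)      # the ID the SP put in its AuthnRequest (step 2)
    resp = build_response(req, "alice@example.com", now)
    seen = set()
    print("accepted:", validate_response(resp, req, now, seen))
    for label, attempt in (("replay", lambda: validate_response(resp, req, now, seen)),
                           ("wrong request", lambda: validate_response(resp, "_other", now, set())),
                           ("expired", lambda: validate_response(resp, req, now + timedelta(hours=1), set()))):
        try:
            attempt()
        except SamlValidationError as e:
            print(f"rejected ({label}): {e}")
```

The order of checks matters: the SP removes the signature element and verifies over the rest of the assertion before reading any field from it, so an attacker-controlled Issuer, Audience or NameID never influences which key is used or what is trusted. The `seen_ids` set stands in for a replay cache that an SP would keep for at least the assertion's `NotOnOrAfter` lifetime.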

SAML flow diagram

sequenceDiagram
    participant User
    participant SP as Service Provider
    participant IdP as Identity Provider

    User->>SP: Request access to protected resource
    SP-->>User: Redirect to IdP with authentication request
    User->>IdP: Send authentication request
    IdP->>IdP: Authenticate user (e.g., password, MFA)
    IdP-->>User: Return SAML assertion
    User->>SP: Send SAML assertion
    SP->>SP: Validate assertion and extract user identity
    SP-->>User: Grant access to resource

Key components

  • Identity provider (IdP): The system that authenticates the user and issues SAML assertions.
  • Service provider (SP): The system that relies on the IdP to authenticate users and grants access based on received assertions.
  • SAML assertion: An XML document, signed by the IdP, that contains authentication statements and user attributes.
  • Metadata: Configuration information shared between the IdP and SP to establish trust, including endpoints, entity IDs, and public keys for signing.

Benefits of SAML

  • Supports single sign-on (SSO) across multiple applications
  • Reduces the need to store and manage passwords on each service provider
  • Enhances security through assertion signing and encryption
  • Centralizes user authentication and policy management

Considerations

  • SAML is best suited for enterprise environments where centralized identity management is required.
  • SAML relies on browser redirects, so it fits web-based applications better than native mobile or desktop apps.
  • Proper configuration of metadata, certificates, and trust relationships is critical for secure and reliable SAML authentication.

Related standards

  • OAuth 2.0: An authorization framework often used for APIs and mobile apps.
  • OpenID Connect: An authentication layer built on top of OAuth 2.0, better suited for modern applications and mobile use cases.