SAML authentication
SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties, in particular between an identity provider (IdP) and a service provider (SP). It enables single sign-on (SSO), allowing users to authenticate once with the IdP and then access multiple services without needing to log in again.
How SAML authentication works
The SAML authentication flow involves the following steps:
- A user attempts to access a protected resource on the service provider.
- The service provider redirects the user to the identity provider for authentication.
- The identity provider authenticates the user using its internal mechanisms (e.g., username and password, MFA).
- Upon successful authentication, the identity provider generates a SAML assertion, which includes the user’s identity and any additional attributes.
- The SAML assertion is signed and sent back to the service provider via the user’s browser.
- The service provider validates the SAML assertion and grants the user access to the requested resource.
Figure: SAML flow diagram
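The last two steps of the flow (a signed assertion arrives via the browser, and the SP validates it before granting access) are where most SAML deployments go wrong, so the following added example walks through them. It is illustration code written for this page, not code from any SAML library or product. The IdP half builds and signs a constructed assertion; the SP half performs the checks a service provider must run before trusting it: signature, issuer, validity window, audience restriction, recipient endpoint, and that the assertion answers an AuthnRequest the SP actually sent and has not been replayed. The entity IDs, endpoint URL, user and request ID are constructed sample values, and the HMAC is an assumed stand-in for the XML-DSig signature a real IdP produces and a real SP verifies with the IdP's public key from metadata.

```python
"""SP-side validation of a bearer SAML assertion (stdlib only).

The HMAC below is an assumption standing in for XML-DSig; a real SP verifies
the XML signature with the IdP's certificate from the exchanged metadata.
"""
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed identifiers; in practice they come from the exchanged metadata.
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
IDP_SIGNING_KEY = b"constructed-demo-key"  # stand-in for the IdP signing key


class SamlValidationError(Exception):
    pass


def _fmt(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# ---- IdP side ----------------------------------------------------------
def build_assertion(name_id, request_id, issued_at, lifetime_secs=300):
    """Minimal bearer assertion answering the SP's AuthnRequest `request_id`."""
    not_before = _fmt(issued_at - timedelta(seconds=60))  # clock-skew allowance
    not_after = _fmt(issued_at + timedelta(seconds=lifetime_secs))
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_{uuid.uuid4().hex}" '
        f'Version="2.0" IssueInstant="{_fmt(issued_at)}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{name_id}</saml:NameID>'
        f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" '
        f'InResponseTo="{request_id}" NotOnOrAfter="{not_after}"/>'
        f'</saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">'
        f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions>'
        f'</saml:Assertion>'
    )


def sign_assertion(assertion_xml):
    """Stand-in for the XML signature the IdP attaches to the assertion."""
    return hmac.new(IDP_SIGNING_KEY, assertion_xml.encode(), hashlib.sha256).hexdigest()


# ---- SP side -----------------------------------------------------------
def validate_assertion(assertion_xml, signature, outstanding_requests, now):
    """Return the authenticated NameID, or raise SamlValidationError."""
    # 1. Verify the signature before trusting anything inside the document.
    if not hmac.compare_digest(sign_assertion(assertion_xml), signature):
        raise SamlValidationError("signature does not verify")
    root = ET.fromstring(assertion_xml)
    # 2. The assertion must come from the IdP this SP federated with.
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlValidationError("unexpected issuer")
    # 3. Validity window from <Conditions>.
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (_parse(cond.get("NotBefore")) <= now < _parse(cond.get("NotOnOrAfter"))):
        raise SamlValidationError("assertion outside its validity window")
    # 4. Audience restriction: an assertion minted for another SP is not ours.
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise SamlValidationError("audience mismatch")
    # 5. Bearer confirmation: right endpoint, not expired, answers a request we sent.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        raise SamlValidationError("recipient mismatch")
    if now >= _parse(scd.get("NotOnOrAfter")):
        raise SamlValidationError("subject confirmation expired")
    request_id = scd.get("InResponseTo")
    if request_id not in outstanding_requests:
        raise SamlValidationError("unsolicited or replayed assertion")
    outstanding_requests.discard(request_id)  # each request id is consumed once
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def demo():
    """Happy path plus three rejections (replay, tampering, expiry)."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    outstanding = {"_req-1"}  # stored by the SP when it redirected the user
    xml = build_assertion("alice@example.com", "_req-1", now)
    sig = sign_assertion(xml)
    result = {"user": validate_assertion(xml, sig, outstanding, now + timedelta(seconds=5))}
    scenarios = {
        "replay": (xml, sig, outstanding, now + timedelta(seconds=5)),
        "tampered": (xml.replace("alice", "mallory"), sig, {"_req-1"}, now),
        "expired": (xml, sig, {"_req-1"}, now + timedelta(seconds=600)),
    }
    for label, args in scenarios.items():
        try:
            validate_assertion(*args)
            result[label] = "accepted"
        except SamlValidationError as exc:
            result[label] = str(exc)
    return result


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the signature is verified over the raw document before any field is read, so an attacker-modified NameID is rejected as "signature does not verify" rather than being parsed at all. The `InResponseTo` lookup against the SP's own outstanding request IDs, combined with consuming the ID on first use, is what turns a valid-but-reused assertion into a rejection; the short `NotOnOrAfter` window bounds how long a captured assertion stays usable even where that bookkeeping is missing.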
Key components
- Identity provider (IdP): The system that authenticates the user and issues SAML assertions.
- Service provider (SP): The system that relies on the IdP to authenticate users and grants access based on received assertions.
- SAML assertion: A secure, XML-formatted document that contains authentication statements and user attributes.
- Metadata: Configuration information shared between the IdP and SP to establish trust, including endpoints, entity IDs, and public keys for signing.
Benefits of SAML
- Supports single sign-on (SSO) across multiple applications
- Reduces the need to store and manage passwords on each service provider
- Enhances security through assertion signing and encryption
- Centralizes user authentication and policy management
Considerations
- SAML is best suited for enterprise environments where centralized identity management is required.
- SAML relies on browser redirects, so it is better suited to web-based applications than to native mobile or desktop apps.
- Proper configuration of metadata, certificates, and trust relationships is critical for secure and reliable SAML authentication.
Related standards
- OAuth 2.0: An authorization framework often used for APIs and mobile apps.
- OpenID Connect: An authentication layer built on top of OAuth 2.0, better suited for modern applications and mobile use cases.