The Secret Security Wiki


Security Assertion Markup Language

What is SAML?

SAML, the Security Assertion Markup Language, is one of the most widely deployed web authentication protocols: it underpins the single sign-on that lets a large share of business users log in to websites and online services every day with the identity they already have at their organization.

The protocol was first released as an OASIS standard by the Organization for the Advancement of Structured Information Standards in 2002. Until then, most businesses depended on local, “on-premises” systems and applications. The online aspect of doing business was mostly limited to sending and receiving email, reading news and searching databases. Then web-based applications started to emerge, offering lightweight and cheap software to anyone, anywhere, and organizations were naturally eager to adopt tools for productivity and collaboration which until then had been within reach only of large, wealthy enterprises.

But in order to let employees use the new tools, administrators had to make sure online services could recognize their users in a secure, scalable and manageable way. With most companies then (and arguably now as well) using Active Directory as their identity and access management solution, admins needed a universal way to connect their domain to the world wide web.

The solution was SAML – a universal protocol intended to close the gap between the local domain and any web service that needs to know users’ identities or organizational associations.

The Benefits of SAML 

Today SAML allows easy and fast login to most web and cloud services and is supported by virtually all identity providers and access management systems. In most cases this takes the form of a Single Sign-On (SSO) scheme: the user authenticates once and gains access to all connected services. This has significant advantages over logging in with a separate username and password to each service, as every additional password adds friction to the user's journey and increases the risk that it is reused, forgotten or compromised.

Thanks to SAML there is no need to type in credentials at every login, to remember and renew passwords on a regular basis, or to be tempted to use weak or repeated passwords.

Most organizations already manage their users' identities well, because users are logged in to an Active Directory domain or intranet even when working remotely. Extending that login to external services through SAML-based SSO therefore saves time and money and reduces risk for all parties.

How Does it Work?

SAML is an open standard, which means it is available to anyone for research or implementation. It is an XML-based framework in which digitally signed XML documents (assertions) are exchanged between the identity provider (IdP) and the service provider (SP) being accessed.

Once a user is logged in to their identity provider, SAML lets them enter any participating service without authenticating again. The service provider typically works out which IdP is responsible for the user from the user's email domain, a tenant-specific subdomain or a similar hint, and redirects the browser to the IdP with an authentication request. The IdP authenticates the user (or reuses an existing session), builds an authentication response containing an assertion with the user's identifying data, and signs it with the private key whose X.509 certificate is published in the IdP's metadata. The browser then carries the response back to the SP. The SP's job is not just to confirm that the signing certificate is the trusted IdP's (operators often pin it by fingerprint) but to verify the XML signature over the assertion it is about to use, and to check the assertion's conditions: that it names this SP as its audience, that the current time falls inside its NotBefore/NotOnOrAfter window, and that it answers a request the SP actually sent. Only then is the user's identity established. An SP that checks the certificate but not the signature, or checks a signature without confirming which element it covers, can be fed a forged or re-wrapped assertion.

SAML makes single sign-on possible for consumers and employees alike, streamlining authentication for most web-based use cases.
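To make the service-provider side of that flow concrete, here is an added example written for this page in Go against the standard library; it is not code from this wiki or from any SAML library. It assumes a flattened assertion format and signs the raw assertion bytes with RSA-SHA256 instead of producing a real XML-DSig block, which is the one place it departs from the wire format. Everything else is what a production SP must do: use the IdP key pinned from metadata, verify the signature before parsing anything, check issuer and audience, enforce the NotBefore/NotOnOrAfter window, and accept each response only once against a request it sent. The entity IDs, user name and request ID are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"fmt"
	"time"
)

// Assertion is a flattened stand-in (an assumption of this example) for the parts of a
// SAML 2.0 assertion an SP must check: Issuer, Subject, Conditions/AudienceRestriction,
// Conditions/@NotBefore and @NotOnOrAfter, and SubjectConfirmationData/@InResponseTo.
type Assertion struct {
	XMLName      xml.Name `xml:"Assertion"`
	Issuer       string   `xml:"Issuer"`
	Subject      string   `xml:"Subject"`
	Audience     string   `xml:"Audience"`
	InResponseTo string   `xml:"InResponseTo"`
	NotBefore    string   `xml:"NotBefore"`
	NotOnOrAfter string   `xml:"NotOnOrAfter"`
}

// Response is what the IdP posts back through the browser. Real SAML carries an XML-DSig
// block over a canonicalised subtree; here an RSA-SHA256 signature covers the raw bytes.
type Response struct{ AssertionXML, Signature []byte }

// IdP holds the signing key whose public half is published in the IdP's metadata.
type IdP struct {
	EntityID string
	Key      *rsa.PrivateKey
}

// Issue builds and signs an assertion for a user who has just authenticated at the IdP.
func (p *IdP) Issue(subject, audience, inResponseTo string, now time.Time) (*Response, error) {
	raw, err := xml.Marshal(Assertion{Issuer: p.EntityID, Subject: subject, Audience: audience,
		InResponseTo: inResponseTo, NotBefore: now.UTC().Format(time.RFC3339),
		NotOnOrAfter: now.Add(5 * time.Minute).UTC().Format(time.RFC3339)})
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(raw)
	sig, err := rsa.SignPKCS1v15(rand.Reader, p.Key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &Response{AssertionXML: raw, Signature: sig}, nil
}

// SP knows its own entity ID (the expected audience), the IdP it trusts and that IdP's
// public key from metadata, plus the AuthnRequest IDs it has sent and not yet consumed.
type SP struct {
	EntityID, IdPEntityID string
	IdPKey                *rsa.PublicKey
	Outstanding           map[string]bool
}

// Verify runs every check the SP must pass before it trusts the asserted subject.
func (s *SP) Verify(r *Response, now time.Time) (string, error) {
	// 1. Verify the signature with the key pinned from IdP metadata, over exactly the
	//    bytes we then parse; a tampered subject or audience fails before it is read.
	digest := sha256.Sum256(r.AssertionXML)
	if err := rsa.VerifyPKCS1v15(s.IdPKey, crypto.SHA256, digest[:], r.Signature); err != nil {
		return "", fmt.Errorf("assertion signature invalid")
	}
	var a Assertion
	if err := xml.Unmarshal(r.AssertionXML, &a); err != nil {
		return "", err
	}
	// 2. A valid signature is not enough: the assertion must be from our IdP, for us,
	//    inside its validity window, and answer a request we actually sent.
	if a.Issuer != s.IdPEntityID || a.Audience != s.EntityID {
		return "", fmt.Errorf("assertion from %q for %q is not for this SP", a.Issuer, a.Audience)
	}
	nb, err1 := time.Parse(time.RFC3339, a.NotBefore)
	na, err2 := time.Parse(time.RFC3339, a.NotOnOrAfter)
	if err1 != nil || err2 != nil || now.Before(nb) || !now.Before(na) {
		return "", fmt.Errorf("assertion outside its validity window")
	}
	if !s.Outstanding[a.InResponseTo] {
		return "", fmt.Errorf("unsolicited or replayed response")
	}
	delete(s.Outstanding, a.InResponseTo) // each response is accepted exactly once
	return a.Subject, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // demo only: key generation error ignored
	idp := &IdP{EntityID: "https://idp.example.org", Key: key}
	sp := &SP{EntityID: "https://app.example.com", IdPEntityID: idp.EntityID,
		IdPKey: &key.PublicKey, Outstanding: map[string]bool{"req1": true}}
	resp, _ := idp.Issue("alice@example.com", sp.EntityID, "req1", time.Now())
	fmt.Println(sp.Verify(resp, time.Now())) // alice@example.com <nil>
	fmt.Println(sp.Verify(resp, time.Now())) // "" unsolicited or replayed response
}
```

Two points carry over to real deployments. First, the SP takes the IdP key from metadata it fetched out of band, never from whatever certificate the response itself embeds, otherwise the fingerprint or signature check only proves the attacker signed their own document. Second, with a genuine XML-DSig the signature covers a referenced subtree rather than the whole byte string, so the SP must additionally confirm that the signed Reference is the very Assertion element it goes on to read; skipping that step is what makes XML signature wrapping attacks possible.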


  • What is SAML authentication?

    SAML authentication is when a service provider (SP) redirects an access-requesting user to a trusted identity provider (IdP) in order to authenticate. Once authenticated, the IdP provides a SAML assertion that the SP can use to provide user-access to its service.

  • What is SAML 2.0?

    SAML 2.0 is an open standard that defines an XML-based framework for exchanging authentication and authorization information between an identity provider (IdP) and a service provider (SP), to enable web-based single sign-on (SSO) and identity federation. It was ratified as an OASIS standard in March 2005 and replaces SAML 1.1.

  • How does SAML work?

    In a typical SAML authentication scenario, a user requests access to a service. The service provider redirects the user to a trusted identity provider, which authenticates the user and produces a signed SAML assertion that the user's browser relays back to the service provider. After verifying the assertion's signature and conditions, the service provider decides what the user is permitted to do with its service.

  • What are the differences between SAML and SAML 2.0?

    SAML 2.0 replaces SAML 1.x (1.0 and 1.1) and is not backward compatible with it: a SAML 1.1 IdP and a SAML 2.0 SP cannot interoperate. SAML 2.0 merged SAML 1.1 with the Liberty Alliance ID-FF 1.2 and Shibboleth work, and added features such as single logout, a standard metadata format for exchanging entity IDs, endpoints and signing certificates, and encrypted assertions. Virtually all current deployments use SAML 2.0.