What Is SAML and How Does It Work?
SAML stands for Security Assertion Markup Language, an open standard (maintained by OASIS) for exchanging authentication and authorization data between identity providers (IdPs) and service providers (SPs). Put simply, it lets an application trust a login that happened somewhere else, so users can reach many applications with a single set of credentials.
Before we can dive too deeply into what SAML is used for, how SAML works, and the ways businesses can benefit from it, you need to understand the types of SAML providers that help make this process possible. So let’s start there.
Types of SAML providers
In order for SAML to work, there needs to be an identity provider and a service provider:
- Identity providers authenticate users: These systems are responsible for confirming that a user is who they say they are, and then sending that result, together with attributes about the user, to a service provider. Okta, Microsoft Active Directory Federation Services (ADFS), and Microsoft Entra ID (formerly Azure AD) are all examples of identity providers. Active Directory itself is the directory an IdP such as ADFS authenticates against; on its own it does not speak SAML.
- Service providers authorize users: These systems consume the assertion from an identity provider and decide what access to grant within the service. Examples include Salesforce, Box, and most other SaaS applications.
SAML, therefore, is the link between the authentication of a user’s identity and the authorization to use a service. It’s the language that helps IdPs and SPs communicate. When an employer (the IdP) and a SaaS company (the SP) both implement SAML, they are able to seamlessly authenticate accredited users.
What is SAML used for?
SAML changes how users sign in to services or websites, and is intended to simplify federated authentication and authorization for all parties: identity providers, service providers, and end users.
Instead of requesting credentials such as a username and password for every login attempt, SAML can help verify that a user is who they say they are and confirm permission levels to either grant or deny access. In addition, SAML allows identity providers and service providers to exist separately, which helps organizations to centralize user management—and provide access to various software solutions.
SAML is most frequently used to enable single sign-on (SSO), which authenticates accredited users between an identity provider and a service provider. Organizations that deploy SAML-configured applications, for example, can enable their employees to use just one set of credentials to log in to a single dashboard that gives them direct access to all of their productivity and communication tools.
How SAML works
SAML uses Extensible Markup Language (XML) to communicate between the identity provider and service provider. The core message is a SAML assertion, an XML document that the identity provider issues and digitally signs, and that the service provider uses to authenticate the user and decide what access to grant.
An assertion can carry three types of statements:
- Authentication statements assert that the IdP authenticated the user, and record when (the AuthnInstant) and how, as an authentication context class such as password over TLS, Kerberos, or a multi-factor method.
- Attribute statements pass SAML attributes (the pieces of data that describe the user, such as email address, department, or group membership) to the service provider. In practice this is where most authorization data travels.
- Authorization decision statements state whether the subject is permitted (Permit, Deny, or Indeterminate) to perform a given action on a given resource. They do not report login failures; a failed authentication produces a SAML Response with an error status and no assertion at all. SAML 2.0 froze this statement type and points to XACML for richer authorization, so most service providers derive permissions from attribute statements instead.
To recap, SAML works by passing information about users, their logins, and their attributes between an identity provider and a service provider. When a user logs in using SSO, for example, the IdP will pass SAML attributes to the SP—ensuring the user only needs to log in once.
Let’s look at how this might play out in everyday life. When a user begins working at a new company, they receive an email address and access to a dashboard. When they sign in to that dashboard using an identity provider (like Okta), they are presented with icons of external service providers, such as Slack or Salesforce. They can then click on any of these icons and be automatically signed in to that service without needing to re-enter their credentials.
That said, there are actually two types of SAML flows that users may go through to access websites, applications, and online services:
Service provider-initiated SAML flow
This occurs when a user attempts to sign in to a SAML-enabled service via its login page or mobile app. Rather than collecting a password, the SP builds a SAML AuthnRequest and redirects the browser to the IdP's single sign-on URL. The IdP authenticates the user (or reuses an existing IdP session) and returns a signed SAML Response to the SP's Assertion Consumer Service (ACS) URL, usually by having the browser POST it. The SP verifies the signature, checks that the assertion was issued for it and is still within its validity window, matches the response to the request it sent (the InResponseTo attribute), and only then creates a session for the user.
Identity provider-initiated SAML flow
This flow occurs when a user logs in to the identity provider and launches an application from the IdP's portal, for example by clicking a tile on the dashboard. The IdP sends an unsolicited SAML Response straight to the SP's ACS URL with no preceding AuthnRequest. If the user already has an account with the service provider, they gain access; if not, some service providers create the account on the spot (just-in-time provisioning) from the attributes in the assertion. Because the SP never asked for this response, it cannot correlate it with a request of its own, so SPs that accept IdP-initiated SSO must still enforce signature, audience and validity-window checks, and many disable the flow altogether.
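The two flows differ in who starts the exchange and in what the SP can check when the response arrives. The added example below, which is not code from the original article or from any identity vendor, shows the SP side of both: it builds a minimal AuthnRequest, encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode) as an SP does before redirecting the browser, decodes it as the IdP would, and then correlates an incoming Response with the outstanding request IDs. A Response without InResponseTo is exactly what an IdP-initiated flow produces. All URLs and entity IDs are assumed, the sample Responses are constructed, and signature verification is again left out.

```python
"""SP-initiated SAML: build, encode and correlate an AuthnRequest (added example).

SP_ENTITY_ID, SP_ACS_URL and IDP_SSO_URL are assumed values. A real SP
verifies the IdP's signature on the Response before the correlation step.
"""
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"   # assumed
SP_ACS_URL = "https://sp.example.com/saml/acs"          # assumed
IDP_SSO_URL = "https://idp.example.com/sso/redirect"    # assumed


def new_request_id():
    """SAML IDs are XML IDs, which may not begin with a digit, hence the '_' prefix."""
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id, issue_instant):
    """Minimal AuthnRequest the SP sends to the IdP's SSO endpoint."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="%s" Version="2.0" IssueInstant="%s" Destination="%s" '
        'AssertionConsumerServiceURL="%s" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        "<saml:Issuer>%s</saml:Issuer>"
        "</samlp:AuthnRequest>"
    ) % (SAMLP, request_id, issue_instant, IDP_SSO_URL, SP_ACS_URL, SP_ENTITY_ID)


def redirect_binding_url(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # negative wbits: raw DEFLATE, no zlib header
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state  # opaque value the IdP echoes back, e.g. the page to return to
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(params)


def decode_redirect_binding(url):
    """What the IdP does on receipt: undo the encoding to recover the AuthnRequest XML."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def correlate_response(response_xml, pending_request_ids):
    """Match a Response to a request this SP actually sent.

    Returns 'matched' and consumes the ID (so the same Response cannot be
    replayed), 'unknown-request' if the ID was never issued or already used,
    or 'unsolicited' when InResponseTo is absent, which is what an
    IdP-initiated flow delivers. An SP that only supports SP-initiated SSO
    should reject the last two.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("not a samlp:Response")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        return "unsolicited"
    if in_response_to not in pending_request_ids:
        return "unknown-request"
    pending_request_ids.discard(in_response_to)
    return "matched"
```

Keeping the pending request IDs server-side (in the user's pre-login session or a short-lived store) is what makes the correlation meaningful; an ID the browser can choose is no protection at all.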
Benefits of SAML
SAML offers many benefits for users and businesses alike, not least of which is reducing the friction of using multiple web apps. Other advantages include:
Improved user experiences
Not only does SAML make it easier to log in to applications and services, but it also helps users be more productive because they can readily access the tools they need to get their jobs done.
Fewer lost credentials
Having to juggle multiple logins often leads people to forget their passwords—or worse, write them down, which increases the risk of those credentials being stolen. With SAML, users only need to know one username and password combination.
Increased security
SAML provides a single point of authentication at a hardened identity provider, which then transfers the user's identity information to service providers. The user's password is only ever entered at the IdP, never at each SP, so fewer systems store or handle credentials, and controls such as multi-factor authentication and device checks are enforced once for every connected application.
Reduced costs
Implementing SAML saves admin time, because a single set of credentials means far fewer password-reset tickets. It also keeps development costs down: a service provider integrates one standard protocol instead of building a proprietary authentication method for each customer directory.
Simplified user management
With employees using multiple applications, it can become a nightmare for IT departments to manage access rights as roles change or as employees leave the company. SAML simplifies this as each user can be managed from a single directory.
Alternatives to SAML
While SAML offers a number of benefits in terms of identity federation, there are alternative standards available that help businesses and services to securely manage and approve user identities.
OpenID Connect: OpenID Connect (OIDC) is an open identity standard layered on OAuth 2.0 that lets users sign in to multiple websites and apps with one account, without creating separate credentials for each. If you have ever used "Sign in with Google", you have used OpenID Connect; Facebook Login is a similar OAuth 2.0-based scheme. The older OpenID 2.0 protocol that OIDC replaced is now obsolete.
OAuth: OAuth 2.0 is an authorization framework, developed as an open community effort (with early contributors from Twitter, Google and others) and standardized by the IETF, that lets a user grant one application limited access to their data at another without sharing a password. It is often lumped together with SAML, but on its own it is not an authentication protocol; OpenID Connect supplies that layer by adding a JSON Web Token (JWT) ID token. The JSON-over-HTTPS design makes OAuth 2.0 and OIDC a better fit than SAML for mobile and native apps.
WS-Federation: WS-Federation (Web Services Federation) federates authentication between service providers and identity providers much as SAML does, and typically carries SAML tokens inside its own messages. It is often seen as simpler for developers to implement within the Microsoft ecosystem and is well supported by Active Directory Federation Services (ADFS), but less so by cloud-native providers, where SAML and OIDC dominate.
Getting started with SAML
SAML-based SSO is a valuable part of a security strategy because it confines credentials to the identity provider and lets a business audit and manage identity centrally: one place to enforce MFA, and one place to revoke access when someone leaves. It also gives users easy access to the web apps they need.
Getting started with SAML is simple with the right identity provider. Okta, for example, provides a SAML validation tool as well as various open source SAML toolkits in different programming languages.
To get a better picture of how SAML can benefit organizations and employees, check out the following resources: