What Is SAML: Definition And How It Works


Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. It is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions).

It is also:

  • A set of XML-based protocol messages
  • A set of protocol message bindings
  • A set of profiles (utilizing all of the above)

An important use case that SAML addresses is web-browser single sign-on (SSO). Single sign-on is relatively easy to accomplish within a single security domain (using cookies, for example), but extending SSO across security domains is harder, and that difficulty led to a proliferation of non-interoperable proprietary technologies.

The SAML Web Browser SSO profile was specified and standardized to promote interoperability.

The Organization for the Advancement of Structured Information Standards (OASIS) manages the SAML protocol. SAML 2.0, the current version, was published as an OASIS standard in 2005.

Understanding SAML

In computing and networking, one of the major challenges is getting systems and devices built by different vendors for different purposes to work together. This is called “interoperability”: the ability for different machines to interact with each other, despite their differing technical specifications. SAML is an interoperable standard — it is a widely accepted way to communicate a user’s identity to cloud service providers.

Security Assertion Markup Language (SAML) is an open standard for sharing security information about identity, authentication and authorization across different systems. SAML is implemented with the Extensible Markup Language (XML) standard for sharing data. It provides a framework for implementing single sign-on (SSO) and other federated identity systems.

A federated identity system links an individual identity to multiple identity domains.

This approach enables SSO that encompasses resources on an enterprise network, trusted third-party vendors, and customer networks.

SAML is an important component of SSO systems that enable users to access multiple applications, services or websites from a single login process. Identity and authentication levels are shared across different systems and services using the SAML protocol to request, receive and format that data.

What is single sign-on (SSO)?

Single sign-on (SSO) is a way for users to be authenticated once and then use multiple applications and services. With SSO, a user signs in at a single login screen and can then open any application that has been connected to the SSO system, without confirming their identity again at each one.

For this to work, the SSO system must be able to tell each connected application, in a form that application can verify, that the user has been authenticated. This is where SAML comes into play.

Difference between SAML and SSO

SAML is a standard for requesting and conveying authentication information. Its most common use is to enable SSO. Some products that implement SSO services using SAML include the following:

  • Microsoft Azure AD
  • Citrix Workspace
  • Entrust Identity
  • VMware vSphere

SSO systems implement federated identity management so that multiple domains can authenticate users with one set of credentials. An SSO system can use SAML to exchange authentication information, or it can use another protocol, such as OpenID Connect, to manage cross-domain authentication.

How does SAML work?

A typical SSO authentication process involves these three parties:

  • Principal/subject: This is almost always a human user who is trying to access an application, typically a cloud-hosted one, through a web browser.
  • Identity provider: An identity provider (IdP) is the system that holds user accounts and authenticates users, typically through a login process. It may be a cloud service or run on premises. Essentially, an IdP’s role is to say, “I have authenticated this person, and here are the attributes I know about them.” An SSO system may be separate from the IdP, but in those cases the SSO system acts on the IdP’s behalf, so they are one party in the workflow.
  • Service provider: This is the application or service the user wants to use. Common examples include cloud email platforms such as Gmail and Microsoft Office 365, cloud platforms such as Google Drive and AWS, and communications apps such as Slack and Skype. Ordinarily, a user would log in to these services directly, but with SSO the user logs in at the IdP instead, and a SAML assertion issued by the IdP is what grants them access.

This is what a typical flow might look like:

The principal’s browser requests a resource from the service provider. The service provider responds by redirecting the browser to the identity provider with a SAML authentication request. The identity provider authenticates the user and sends a SAML response, carrying an assertion, back through the browser to the service provider. The service provider validates the assertion (signature, issuer, intended audience, validity window and the request it answers) and then grants the principal access.

If the principal (the user) was not already logged in, the identity provider may prompt them to log in before sending an assertion.
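The exchange described above, as an added example that is not part of the original article: both sides’ messages and the checks the service provider runs, in Python using only the standard library. The entity IDs, URLs, the user alice@example.com and the groups attribute are assumptions made for the example. Verifying the XML signature on the assertion needs an XML-DSig library and is treated as a step that has already happened before validate_response() is called; the code shows the checks that must follow a good signature (issuer, audience, recipient, validity window, InResponseTo and replay), and the response it builds carries both an AuthnStatement and an AttributeStatement so the shape of an assertion is visible.

```python
"""SP-initiated SAML 2.0 Web Browser SSO: both messages and the checks the
service provider (SP) runs before trusting the assertion.  Constructed example;
entity IDs, URLs and the user are made up.  The assertion's XML signature is
verified with an XML-DSig library before validate_response() is called."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical deployment values (assumptions, not from any real system).
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.org/metadata"


def ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(now=None):
    """SP side: returns (ID, xml).  The SP stores the ID so it can match the
    IdP's InResponseTo later and refuse responses it never asked for."""
    req_id = "_" + uuid.uuid4().hex
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
        f'Version="2.0" IssueInstant="{ts(now or datetime.now(timezone.utc))}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )
    return req_id, xml


def build_response(in_response_to, subject, now=None, lifetime_s=300):
    """IdP side: a Response with one Assertion carrying an AuthnStatement (when and
    how the user authenticated) and an AttributeStatement.  SubjectConfirmationData
    and Conditions tie it to this SP, this request and a short validity window."""
    now = now or datetime.now(timezone.utc)
    expiry = ts(now + timedelta(seconds=lifetime_s))
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" '
        f'Version="2.0" IssueInstant="{ts(now)}" Destination="{SP_ACS_URL}" '
        f'InResponseTo="{in_response_to}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{ts(now)}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID>"
        f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData InResponseTo="{in_response_to}" '
        f'Recipient="{SP_ACS_URL}" NotOnOrAfter="{expiry}"/>'
        f"</saml:SubjectConfirmation></saml:Subject>"
        f'<saml:Conditions NotBefore="{ts(now - timedelta(seconds=60))}" NotOnOrAfter="{expiry}">'
        f"<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>"
        f"</saml:AudienceRestriction></saml:Conditions>"
        f'<saml:AuthnStatement AuthnInstant="{ts(now)}"><saml:AuthnContext><saml:AuthnContextClassRef>'
        f"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
        f"</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>"
        f'<saml:AttributeStatement><saml:Attribute Name="groups">'
        f"<saml:AttributeValue>engineering</saml:AttributeValue></saml:Attribute>"
        f"</saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )


def validate_response(xml, outstanding_request_ids, now=None):
    """SP side: raises ValueError on any failed check.  On success the request ID is
    removed from outstanding_request_ids, so a replay of the same response fails."""
    now = now or datetime.now(timezone.utc)
    resp = ET.fromstring(xml)
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    if resp.get("Destination") != SP_ACS_URL:
        raise ValueError("response not addressed to our ACS URL")
    req_id = resp.get("InResponseTo")
    if req_id not in outstanding_request_ids:
        raise ValueError("unsolicited or replayed response")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # act only on the single element the signature covered
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion issued by an unknown IdP")
    cond = a.find("saml:Conditions", NS)
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion meant for a different audience")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != req_id
            or now >= parse_ts(scd.get("NotOnOrAfter"))):
        raise ValueError("bearer confirmation does not match this exchange")
    outstanding_request_ids.discard(req_id)
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"subject": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "authn_context": a.findtext(".//saml:AuthnContextClassRef", namespaces=NS),
            "attributes": attrs}
```

The order of the checks matters less than their completeness: a signature proves only that the IdP issued some assertion; the audience, recipient, InResponseTo and time checks prove it was issued for this SP, this endpoint and this login, and the one-time removal of the request ID prevents a captured response from being submitted twice.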

SAML components

SAML incorporates four different types of components:

SAML assertions

These are statements of identity, authentication and authorization information. They are formatted using XML tags specified in SAML.

According to the core specification, an assertion is a package of information that supplies zero or more statements made by a SAML authority. A SAML authority is any system that issues assertions; identity providers are the usual example.

SAML specifies three types of statements that an assertion can carry:

  1. An authentication statement (AuthnStatement) indicates that the subject of the assertion has been authenticated. It includes the time and method (authentication context) of authentication, as well as the subject being authenticated.
  2. An attribute statement (AttributeStatement) associates the subject of the assertion with the specified attributes. An attribute is a named piece of information about the subject, such as an email address or group membership.
  3. An authorization decision statement (AuthzDecisionStatement) indicates whether a subject’s request to access a resource has been approved or declined. The SAML 2.0 specification froze this statement type with no further development planned, and most deployments leave the access decision to the service provider.

SAML protocols

These define how different entities request and respond to requests for security information. Like assertions, these protocols are encoded with XML tags specified in SAML.

SAML defines its own generalized request/response protocols by which systems exchange assertions about subjects. SAML 2.0 protocols include the following:

  • Authentication Request Protocol defines requests for authentication assertions and valid responses to such requests. This protocol is used when a user’s request to a service provider must be redirected to an identity provider for authentication.
  • Single Logout Protocol defines a technique by which all of a user’s active sessions can be terminated nearly simultaneously. This capability is important for SSO implementations that must terminate sessions with multiple resources when the user logs out.
  • Assertion Query and Request Protocol defines how to obtain an existing assertion by reference to its ID and how to query a SAML authority for assertions about a subject’s authentication, attributes or authorization decisions.
  • Artifact Resolution Protocol defines how a small reference value, the artifact, is passed through the browser in place of a full protocol message and then resolved into that message over a direct back channel between the two systems.
  • Name Identifier Management Protocol defines a mechanism for an identity provider or service provider to change the value or format of the name identifier it uses for a principal, or to notify the other party that the name identifier has been terminated.
  • Name Identifier Mapping Protocol defines a mechanism for mapping a subject’s name identifier to the identifier used for that subject at a different service provider.

These request/response protocols are defined as part of SAML to enable systems to request authentication, respond to authentication requests and exchange assertions. These protocols are independent of the networking protocols that SAML messages are bound to for network transport.

SAML bindings

These are the formats specified for embedding protocol messages in, and transporting them over, different transmission mechanisms. SAML depends on several other standards to format and exchange requests and responses. These include the following:

  • XML defines how messages are formatted.
  • Hypertext Transfer Protocol (HTTP) is the transport over which most SAML messages are exchanged.
  • SOAP, originally standing for Simple Object Access Protocol, though that expansion has since been dropped, is used to encapsulate messages on direct server-to-server channels.

SAML bindings define how protocol messages are transmitted. They use the transport protocols that enable communication between entities. SAML 2.0 defines the following bindings:

  • HTTP Redirect Binding defines how a SAML protocol message is carried in the query string of an HTTP redirect URL. The message is DEFLATE-compressed, base64-encoded and URL-encoded so that it fits in a URL.
  • HTTP POST Binding defines how a SAML protocol message is carried, base64-encoded, in a hidden field of an HTML form that the browser submits.
  • HTTP Artifact Binding defines how a SAML artifact, rather than the message itself, is carried in an HTML form or in a URL query string; the receiver resolves it into the full message with the Artifact Resolution Protocol.
  • SAML SOAP Binding defines how SAML protocol messages are carried in SOAP messages, typically over HTTP on a direct server-to-server channel.
  • Reverse SOAP (PAOS) Binding defines a mechanism for a web browser client to respond to SAML messages that are encoded in SOAP messages. It is referred to as PAOS, which is SOAP spelled backwards.
  • SAML URI Binding defines a mechanism for retrieving a SAML assertion by dereferencing a Uniform Resource Identifier.

The bindings enable authenticating systems to exchange assertions and requests using widely supported protocols. In the Web Browser SSO profile, the authentication request usually travels by HTTP Redirect, while the response, which carries the much larger signed assertion, is returned by HTTP POST.
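How the two browser-facing bindings actually encode a message, as an added example that is not from the article or from any SAML library, again in Python with only the standard library. The sample AuthnRequest, the endpoint URL and the RelayState value are constructed for the example. The inflation cap in decode_redirect is the caveat a practitioner wants here: the redirect binding hands the receiver compressed data from a party that has not yet been authenticated.

```python
"""HTTP-Redirect and HTTP-POST bindings: how a SAML protocol message is put on
the wire and taken off it.  Constructed example; the message, endpoint and
RelayState are made up."""
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

SAMPLE_AUTHN_REQUEST = (  # constructed sample message
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_abc123" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "https://sp.example.com/metadata</saml:Issuer></samlp:AuthnRequest>"
)


def encode_redirect(endpoint, message_xml, relay_state=None, param="SAMLRequest"):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then
    URL-encode into the query string of the URL the browser is sent to."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = comp.compress(message_xml.encode("utf-8")) + comp.flush()
    params = {param: base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:  # opaque SP state that the IdP echoes back unchanged
        params["RelayState"] = relay_state
    return endpoint + ("&" if "?" in endpoint else "?") + urlencode(params)


def decode_redirect(location, param="SAMLRequest", max_bytes=1 << 20):
    """Inverse of encode_redirect, with a cap on the inflated size: the sender is
    unauthenticated at this point, and a few hundred compressed bytes can inflate
    to gigabytes if the cap is missing."""
    qs = parse_qs(urlsplit(location).query)
    raw = base64.b64decode(qs[param][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(raw, max_bytes)
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("SAML message exceeds the inflated size limit")
    # RelayState is attacker-controllable; an SP must check it against an
    # allow-list before redirecting to it, or it becomes an open redirect.
    return xml.decode("utf-8"), qs.get("RelayState", [None])[0]


def encode_post(message_xml):
    """HTTP-POST binding: base64 only, no compression, in a hidden field of an
    auto-submitted form.  This is how the Response reaches the SP's ACS URL."""
    return base64.b64encode(message_xml.encode("utf-8")).decode("ascii")


def decode_post(field_value, max_bytes=1 << 20):
    if len(field_value) > max_bytes * 4 // 3 + 4:  # bound the work before decoding
        raise ValueError("SAML message exceeds the size limit")
    return base64.b64decode(field_value, validate=True).decode("utf-8")
```

Note the asymmetry: the redirect binding compresses because URL length is limited, the POST binding does not; a decoder that applies zlib.decompress() without the negative wbits, or inflates without a cap, fails on real messages or is trivially exhausted by a crafted one.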

SAML profiles

These determine how assertions, protocols and bindings are combined to achieve interoperability for a particular use case. A SAML profile specifies which assertions, protocols and bindings are used, and how, for that use case.

Profiles defined for SAML 2.0 include the following:

  • Web browser SSO profile defines how SAML is used to implement SSO on web browsers.
  • Enhanced client and proxy profile specifies how specialized clients or gateway proxies operate using SOAP or PAOS bindings.
  • Identity provider discovery profile defines a technique (a cookie set in a common domain) by which a service provider can learn which identity providers a user has previously used, so it knows where to send the authentication request.
  • Single logout profile shows how the Single Logout Protocol works with bindings.
  • Assertion query/request profile specifies how SAML entities receive assertions over a synchronous binding like SOAP.
  • Artifact resolution profile defines how SAML artifacts are exchanged over specific protocols.
  • Name identifier management profile defines how SAML Name Identifier Management Protocol works over specific protocols.
  • Name identifier mapping profile defines how SAML Name Identifier Mapping Protocol works over specific protocols.

An SSO deployment is typically built on the Web Browser SSO profile, optionally combined with the Single Logout and Identity Provider Discovery profiles.

What is SAML used for?

Organizations use SAML both for business-to-business and business-to-consumer applications. It is used to convey assertions about an authenticated user across networked systems; the user’s credentials themselves stay with the identity provider and are never sent to the service provider. The SAML framework is designed to support two things:

  1. user authentication: the identity provider asserts that the user has been authenticated, and when and how
  2. user authorization: the assertion carries attributes (or, rarely, an explicit authorization decision) that the service provider uses to decide what the user may access

SAML is most often used to implement SSO systems that enable end users to log in once and then be granted access to multiple resources. For example, Microsoft Active Directory Federation Services (AD FS) can act as a SAML 2.0 identity provider for an organization’s Active Directory accounts.

Authentication is the process of determining whether an entity is what it claims to be. It is required before authorization, which is the process of determining whether the authenticated identity has permission to use a resource.

How the user’s credentials are verified is up to the identity provider: a user identity and password at a minimum, and often a second factor. The assertion records which method was used (the authentication context), so a service provider can require multifactor authentication by checking that value rather than trusting the IdP’s configuration.

Is SAML authentication the same thing as user authorization?

In practice SAML is used for user authentication rather than user authorization, and this is a key distinction. User authorization is a separate area of identity and access management.

  • Authentication refers to a user’s identity: who they are and whether their identity has been confirmed by a login process.
  • Authorization refers to a user’s privileges or permissions: specifically, what actions they are allowed to perform within a company’s systems.

Access management technologies handle user authorization. A SAML assertion can carry attributes such as group membership that feed into an authorization decision, but the decision itself is made by the service provider or an access management platform. Those platforms use other standards for authorization, for example OAuth 2.0 for delegated access to APIs, rather than SAML.

