What is SAML?
Definition:
SAML (Security Assertion Markup Language) is an open standard for Single Sign-On (SSO) that allows identity providers (IdPs) to securely pass authentication and authorization data to service providers (SPs).
In simple terms:
SAML lets users log in once and access multiple web applications using their organization's credentials, without needing separate usernames and passwords.
SAML Key Concepts
| Term | Description | Example |
|---|---|---|
| User / Principal | The person trying to access an app | Employee "Alice" |
| Identity Provider (IdP) | Authenticates the user and issues identity data | Okta, Azure AD, Google Workspace |
| Service Provider (SP) | The application the user wants to access | Salesforce, Zoom, Slack |
| Assertion | A message (in XML) sent by the IdP to confirm the user's identity | "Alice has been authenticated" |
How SAML Works (Step-by-Step Flow)
Let's walk through an example:
Scenario:
Alice wants to access Salesforce, which uses Okta as the SSO provider.
Flow:
1. User Accesses the App (SP-Initiated)
   - Alice goes to salesforce.com.
   - Salesforce sees she's not logged in and redirects her to the IdP (Okta).
2. IdP Authenticates the User
   - Okta asks Alice to log in (username, password, MFA, etc.).
   - Once verified, Okta creates a SAML Assertion, an XML document stating "Alice is authenticated."
3. Assertion Sent to the Service Provider
   - Okta sends the signed SAML Assertion back to Salesforce via the user's browser.
   - The assertion includes user details (like email, roles, and session info).
4. Service Provider Grants Access
   - Salesforce validates the SAML Assertion using Okta's public key.
   - Alice is now logged in to Salesforce without needing a separate password.
SAML Message Types
- Authentication Request: sent from SP → IdP (asking for user authentication).
- SAML Assertion: sent from IdP → SP (contains authentication and authorization info).
- Response: the overall XML message that wraps the assertion.
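To make the first message type concrete, here is an added example (not code from the original article, and not Salesforce's or Okta's implementation) of what the SP does in step 1 of the flow: it builds an AuthnRequest and sends it to the IdP with the HTTP-Redirect binding, which DEFLATE-compresses the XML, Base64-encodes it and places it in the SAMLRequest query parameter. The second half decodes it the way the IdP does on arrival. All endpoint URLs and entity IDs are constructed placeholders; the redirect-binding signature (SigAlg and Signature query parameters) is omitted here, so a real SP that signs its requests would add that step.

```python
"""SP-initiated SAML, step 1: build an AuthnRequest and encode it for the
HTTP-Redirect binding, then decode it as the IdP would.
Added example; endpoints and IDs are constructed placeholders."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)

MAX_REQUEST_BYTES = 64 * 1024  # bound the inflated size so a tiny payload cannot expand without limit


def build_authn_request(sp_entity_id, acs_url, idp_sso_url,
                        request_id=None, issue_instant=None):
    """Return the AuthnRequest XML the SP sends to the IdP.

    The SP must store request_id: the IdP echoes it back as InResponseTo in
    its Response, and the SP rejects responses whose InResponseTo does not match.
    """
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,   # where the IdP must POST the Response
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = sp_entity_id
    ET.SubElement(root, f"{{{SAMLP_NS}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "AllowCreate": "true",
    })
    return ET.tostring(root, encoding="unicode")


def encode_redirect_url(idp_sso_url, request_xml, relay_state=None):
    """Pack the request into the SAMLRequest query parameter (HTTP-Redirect binding)."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE: no zlib header or checksum
    deflated = compressor.compress(request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state  # opaque to the IdP, returned unchanged to the SP
    separator = "&" if "?" in idp_sso_url else "?"
    return idp_sso_url + separator + urlencode(params)


def decode_redirect_request(url):
    """What the IdP does on arrival: reverse the encoding and read the request."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(raw, MAX_REQUEST_BYTES)
    if inflater.unconsumed_tail:
        raise ValueError("SAMLRequest inflates beyond the size limit")
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("SAMLRequest is not an AuthnRequest")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML_NS}}}Issuer"),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": query.get("RelayState", [None])[0],
    }


if __name__ == "__main__":
    # Constructed endpoints, not real Salesforce or Okta URLs.
    xml = build_authn_request("https://sp.example.com/saml/metadata",
                              "https://sp.example.com/saml/acs",
                              "https://idp.example.com/sso")
    url = encode_redirect_url("https://idp.example.com/sso", xml, relay_state="/dashboard")
    print(url)
    print(decode_redirect_request(url))
```

Two details matter on the receiving ends. The IdP checks that the Issuer is a registered SP and that the AssertionConsumerServiceURL matches that SP's registered endpoint rather than trusting the value in the request, and it bounds the inflated size as shown. When the RelayState comes back, the SP should only follow it if it is a relative path it issued itself, since it travels through the browser.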
Example of a Simplified SAML Assertion (XML)
    <!-- Simplified: the Issuer, Conditions and XML signature a real assertion carries are omitted. -->
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_example-assertion-id" Version="2.0"
                    IssueInstant="2025-10-09T10:00:00Z">
      <saml:Subject>
        <saml:NameID>alice@company.com</saml:NameID>
      </saml:Subject>
      <saml:AttributeStatement>
        <saml:Attribute Name="Role">
          <saml:AttributeValue>Manager</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <saml:AuthnStatement AuthnInstant="2025-10-09T10:00:00Z" />
    </saml:Assertion>
This tells the Service Provider that "Alice (alice@company.com) authenticated at 10:00 AM and has the role of Manager."
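Step 4 of the flow says the SP validates the assertion with the IdP's public key. Verifying the XML signature is only the first part; the SP then has to check what the signed assertion says before trusting the NameID and attributes. The following is an added example (not code from the original article or from any real SP) of those post-signature checks: issuer, validity window with a small clock-skew allowance, audience restriction, recipient, InResponseTo against the stored request ID, and the presence of an AuthnStatement. The sample assertion, its Issuer and Audience URLs, IDs and timestamps are constructed placeholders, the 2-minute skew is an assumed policy, and the example assumes the signature has already been verified by an XML-DSig library.

```python
"""Service-provider checks on a received SAML assertion, applied after the XML
signature has been verified against the IdP's public key.
Added example; all URLs, IDs and times are constructed placeholders."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion (not a real IdP's output); signature omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_assertion-constructed-1" Version="2.0" IssueInstant="2025-10-09T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@company.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2025-10-09T10:05:00Z"
          Recipient="https://sp.example.com/saml/acs" InResponseTo="_req-constructed-42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2025-10-09T09:58:00Z" NotOnOrAfter="2025-10-09T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2025-10-09T10:00:00Z" SessionIndex="_sess-constructed-1"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role"><saml:AttributeValue>Manager</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# What this SP expects to see; constructed placeholder values.
SP_CONFIG = {
    "expected_issuer": "https://idp.example.com/metadata",
    "sp_entity_id": "https://sp.example.com/saml/metadata",
    "acs_url": "https://sp.example.com/saml/acs",
    "expected_request_id": "_req-constructed-42",   # ID the SP stored when it sent its AuthnRequest
}


def _parse_time(value):
    """Parse a SAML xs:dateTime such as 2025-10-09T10:00:00Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def validate_assertion(xml_text, *, expected_issuer, sp_entity_id, acs_url,
                       expected_request_id, now, clock_skew=timedelta(minutes=2)):
    """Return the identity data the SP may act on, or raise ValueError with the reason."""
    if isinstance(now, str):
        now = _parse_time(now)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("document is not a SAML assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    # Validity window, tolerating a little clock drift between IdP and SP.
    if cond.get("NotBefore") and now + clock_skew < _parse_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - clock_skew >= _parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    # Audience: an assertion minted for another SP must not log anyone in here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError(f"audience {audiences} does not include this SP")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion has no NameID")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        raise ValueError("assertion has no SubjectConfirmationData")
    if scd.get("Recipient") != acs_url:
        raise ValueError(f"recipient {scd.get('Recipient')!r} is not this SP's ACS URL")
    if scd.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding request")
    if scd.get("NotOnOrAfter") and now - clock_skew >= _parse_time(scd.get("NotOnOrAfter")):
        raise ValueError("subject confirmation expired")
    authn = root.find("saml:AuthnStatement", NS)
    if authn is None or not authn.get("AuthnInstant"):
        raise ValueError("assertion has no AuthnStatement")
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id, "attributes": attributes,
            "authn_instant": authn.get("AuthnInstant"), "session_index": authn.get("SessionIndex")}


def try_validate(xml_text, **kwargs):
    """Return ("accepted", details) or ("rejected", reason) instead of raising."""
    try:
        return "accepted", validate_assertion(xml_text, **kwargs)
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print(try_validate(SAMPLE_ASSERTION, now="2025-10-09T10:01:00Z", **SP_CONFIG))
    print(try_validate(SAMPLE_ASSERTION, now="2025-10-09T10:10:00Z", **SP_CONFIG))
```

The order is deliberate: nothing from the assertion is read into a session until every check passes, and the checks use values the SP configured itself (its entity ID, its ACS URL, the request ID it stored) rather than anything carried in the message. A production SP also records the assertion ID until its NotOnOrAfter passes so the same assertion cannot be presented twice.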
Benefits of SAML
| Benefit | Description |
|---|---|
| Stronger Security | Authentication handled by a trusted IdP; no need to store passwords on each app. |
| Single Sign-On (SSO) | Users log in once to access many apps. |
| Centralized Identity Management | Easier to add/remove users in one place. |
| Audit and Compliance | All authentication events logged by the IdP. |
Limitations
| Limitation | Description |
|---|---|
| Complex Setup | Requires XML configuration and certificate exchange. |
| Web-Centric | Best suited for browser-based (not mobile) apps. |
| Heavy XML Format | More verbose compared to modern JSON-based standards like OIDC. |
SAML vs OAuth 2.0 vs OpenID Connect
| Feature | SAML | OAuth 2.0 | OpenID Connect (OIDC) |
|---|---|---|---|
| Purpose | Authentication & SSO | Authorization (access delegation) | Authentication (modern SSO) |
| Format | XML | JSON | JSON |
| Common Use | Enterprise web apps | API access (mobile/web apps) | Consumer SSO (Google, Facebook login) |
| Example | Logging into Salesforce via Okta | A third-party app accessing your Google Drive | Logging into Reddit using Google |
Real-World Example
- A company uses Azure AD as the IdP and Salesforce, ServiceNow, and Workday as SPs.
- Employees sign in once to Azure AD and gain access to all these apps automatically using SAML SSO.