What is SAML and How Does it Work? (2024)

Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). What that jargon means is that you can use one set of credentials to log into many different websites. It’s much simpler to manage one login per user than it is to manage separate logins to email, customer relationship management (CRM) software, Active Directory, etc.

SAML transactions use Extensible Markup Language (XML) for standardized communications between the identity provider and service providers. SAML is the link between the authentication of a user’s identity and the authorization to use a service.


The OASIS Consortium approved SAML 2.0 in 2005. The standard changed significantly from 1.1, so much so that the versions are incompatible. SAML adoption allows IT shops to use software as a service (SaaS) solutions while maintaining a secure federated identity management system.

SAML enables single sign-on (SSO), a term that means users can log in once, and those same credentials can be reused to log into other service providers.

What is SAML Used For?

SAML simplifies federated authentication and authorization processes for users, identity providers, and service providers. SAML provides a solution to allow your identity provider and service providers to exist separately from each other, which centralizes user management and provides access to SaaS solutions.

SAML implements a secure method of passing user authentications and authorizations between the identity provider and service providers. When a user logs into a SAML-enabled application, the service provider requests authorization from the appropriate identity provider. The identity provider authenticates the user’s credentials and then returns the authorization for the user to the service provider, and the user is now able to use the application.

SAML authentication is the process of verifying the user’s identity and credentials (password, two-factor authentication, etc.). SAML authorization tells the service provider what access to grant the authenticated user.

What is a SAML Provider?

A SAML provider is a system that helps a user access a service they need. There are two primary types of SAML providers: service providers and identity providers.

A service provider needs the authentication from the identity provider to grant authorization to the user.

An identity provider verifies that the end user is who they say they are and sends that data to the service provider along with the user’s access rights for the service.

Microsoft Active Directory or Azure are common identity providers. Salesforce and other CRM solutions are usually service providers, in that they depend on an identity provider for user authentication.

What is a SAML Assertion?

A SAML Assertion is the XML document that the identity provider sends to the service provider that contains the user authorization. There are three different types of SAML Assertions – authentication, attribute, and authorization decision.

  • Authentication assertions prove identification of the user and provide the time the user logged in and what method of authentication they used (e.g., Kerberos, two-factor, etc.).
  • The attribute assertion passes the SAML attributes to the service provider – SAML attributes are specific pieces of data that provide information about the user.
  • An authorization decision assertion says if the user is authorized to use the service or if the identity provider denied their request due to a password failure or lack of rights to the service.

How Does SAML Work?

SAML works by passing information about users, logins, and attributes between the identity provider and service providers. Each user logs in once to single sign-on with the identity provider, and then the identity provider can pass SAML attributes to the service provider when the user attempts to access those services. The service provider requests the authorization and authentication from the identity provider. Since both of those systems speak the same language – SAML – the user only needs to log in once.

Each identity provider and service provider needs to agree upon the configuration for SAML. Both ends need to have exactly the same configuration for the SAML authentication to work.

SAML Example

  1. Frodo (user) logs into SSO first thing in the morning.
  2. Frodo then tries to open the webpage to his CRM.
  3. The CRM – the service provider – checks Frodo’s credentials with the identity provider.
  4. The identity provider sends authorization and authentication messages back to the service provider, which allows Frodo to log into the CRM.
  5. Frodo can use the CRM and get work done.

SAML vs. OAuth

OAuth is a slightly newer standard that was co-developed by Google and Twitter to enable streamlined internet logins. OAuth uses a methodology similar to SAML's to share login information. SAML provides more control to enterprises to keep their SSO logins more secure, whereas OAuth is better on mobile and uses JSON.

Facebook and Google are two OAuth providers that you might use to log into other internet sites.

SAML Tutorials

A few resources to help research exactly how to implement SAML:

SAML and SSO are important to any enterprise cybersecurity strategy. Identity management best practices require user accounts both to be limited to only the resources the user needs to do their job and to be audited and managed centrally. By using an SSO solution, you can disable accounts from one system and remove access to all available resources at once, which protects your data from theft.

Varonis protects your core Active Directory services, which in turn helps protect your SSO and SAML systems. Varonis will catch attacks to your AD system long before the attackers can access SSO resources. Get a 1:1 demo to see how Varonis protects Active Directory and your most important data stores from cyberattacks and insider threats.


Michael Buckbee

Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.

What is SAML and How Does it Work?

Security Assertion Markup Language, or SAML, is a standardized way to tell external applications and services that a user is who they say they are. SAML makes single sign-on (SSO) technology possible by providing a way to authenticate a user once and then communicate that authentication to multiple applications.

What is the difference between SSO and SAML?

Security Assertion Markup Language (SAML) is an authentication standard that allows for federated identity management and can support single sign-on (SSO). SSO is an authentication scheme that allows a user to log in with a single ID and password to any independent or federated software systems.

What is SAML and why is it used?

SAML is an acronym used to describe the Security Assertion Markup Language (SAML). Its primary role in online security is that it enables you to access multiple web applications using one set of login credentials.

Is SAML the same as Active Directory?

SAML is just an XML vocabulary. It has no functionality such as being able to connect to AD and search for users. That's what the Identity Provider (IdP) does. The IdP connects to AD, usually via LDAP, queries the attributes for a user and converts them to SAML format.

What is the difference between SAML and SSL?

For SSL, the certificate file is used to encrypt traffic. For SAML, the certificate is used for authentication.

Is OAuth better than SAML?

While SAML is better to secure information, it makes sense to use OAuth when user experience is a priority, for example, on mobile devices or for quick logins and temporary access.

How is SAML related to SSO?

SAML is the technical standard used by SSO providers to communicate that a user is authenticated.

What are the disadvantages of SAML?

SAML is a complex protocol that comes with several drawbacks and limitations. It requires a lot of configuration and coordination between the IdP and the SP, as well as XML parsing, encryption, signing, and validation. Debugging and troubleshooting can be difficult when dealing with multiple IdPs or SPs.

Which is better, LDAP or SAML?

LDAP excels at on-premise authentication: it is specifically designed to be great at on-premise authentication where a directory service is present, as opposed to SAML, which is better equipped to handle a wider array of cloud-based authentication options.

Does SAML require LDAP?

Yes. SAML acts as a communicator that sends assertion data between the SP and IdP to authenticate a user. LDAP, however, is considered an authority that actually does the validation. In that sense, LDAP servers can support the SAML protocol by acting as the IdP and authority system.

Is SAML obsolete?

SAML 2.0 was introduced in 2005 and remains the current version of the standard. The previous version, 1.1, is now largely deprecated.

Does SAML require HTTPS?

HTTPS is required by default to configure SAML. As the SAML protocol is browser-based, both the product and the identity provider must use HTTPS (rather than HTTP) to prevent man-in-the-middle attacks and the capture of XML documents containing SAML assertions.

Is SAML only used for SSO?

SAML (Security Assertion Markup Language) is merely one security protocol used for exchanging authentication and authorization data. In contrast, SSO is a broader term for a type of authentication process that enables users to access multiple services with a single login, of which SAML can be a facilitating component.

What is the difference between SSO and SAML and SCIM?

SAML is one way to implement Enterprise SSO. SCIM is a common addition to SAML which allows employers to automatically de-provision accounts simultaneously from all the products they use.

Does Microsoft SSO use SAML?

Microsoft Entra ID creates the signing certificates to establish SAML-based federated SSO to your SaaS applications. Once you add either gallery or non-gallery applications, you'll configure the added application using the federated SSO option. See Manage certificates for federated single sign-on in Microsoft Entra ID.

Does Google use SAML for SSO?

Google offers a SAML-based SSO service that allows partner companies to authorize and authenticate hosted users who are trying to access secure content. Google acts as the online service provider and provides services, such as Google Calendar and Gmail.

Article information

Author: Terrell Hackett
