The Security Assertion Markup Language (SAML) is an open standard for sharing security information about identity, authentication and authorization across different systems. SAML is implemented with the Extensible Markup Language (XML) standard for sharing data, and SAML provides a framework for implementing single sign-on (SSO) and other federated identity systems.
The SAML protocol is managed by the Organization for the Advancement of Structured Information Standards (OASIS), which wrote that "SAML allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject (an entity that is often a human user) to other entities, such as a partner company or another enterprise application."
SAML is an important component of many SSO systems that allow users to access multiple applications, services or websites from a single login process. Identity and authentication levels are shared across different systems and services using the SAML protocol to request, receive and format that data. Organizations use SAML both for business-to-business (B2B) and business-to-consumer (B2C) applications.
What is SAML used for?
Authentication is the process of determining whether an entity is who it claims to be, and it is required before authorization, which is the process of determining whether the authenticated identity actually has permission -- authorization -- to use a resource.
SAML defines two broad categories of entities: end users and service providers. An end user is a person who needs to be authenticated before being allowed to use an application. A service provider is any system that provides services, typically the services for which users seek authenticated, including web or enterprise applications. A special type of service provider, the identity provider, administers identity information.
While SAML defines the markup language used to standardize the encoding of authentication data for exchange between systems, SAML is also understood to include all the associated protocols and bindings that use SAML-compliant messages to exchange security assertions among end users, service providers and identity providers.
SAML consists of three sets of components: assertions, protocols and bindings. Assertions -- the statements of identity, authentication and authorization information -- as well as protocol messages, are all XML-formatted using the SAML specification. SAML protocols define how different entities request and respond to requests for security information.
SAML bindings are the formats specified for SAML protocol messages to be embedded and transported over different transmission mechanisms. For example, SAML requests can be bound to interactions using different application protocols, including Simple Object Access Protocol (SOAP), Hypertext Transfer Protocol, Simple Mail Transfer Protocol, file transfer protocol, Biztalk and Electronic Business XML (ebXML).
According to the SAML core protocol specification, a SAML assertion is "a package of data that supplies zero or more statements made by a SAML authority."
SAML specifies three types of elements of assertions: authentication, attribute and authorization decision.
An authentication assertion indicates that the subject of the assertion has been authenticated, and it includes the time and method of authentication, as well as the subject being authenticated.
An attribute assertion associates the subject of the assertion with the specified attributes -- a SAML attribute refers to a defined piece of information relating to the authentication subject.
An authorization decision assertion indicates whether a request to access a resource by the subject has been approved or declined.
How does SAML work
SSO applications use SAML to move information about user identities from an identity provider to a service provider. SAML authenticates end users who are logged in to a primary service provider to another service provider. For example, an enterprise user logged in to their primary SSO work network can be authenticated to a third-party cloud application provider through SAML rather than being required to log in separately to the cloud application.
In this example, the primary SSO system acts as the identity provider, and the cloud application acts as the service provider. When an end user, already logged in to the identity provider, attempts to open the cloud application, the cloud application identifies the end user and points the user -- or the user's browser or other client software -- back to the identity provider to be authenticated.
A typical SAML authentication process for authentication works this way:
- The end user initiates a session with an identity or SSO provider by logging in and being authenticated.
- The end user initiates a session with a service provider -- cloud application or other third-party application -- which is configured to do authentication via SSO.
- The service provider requests authentication information about that specific user from the end user's identity provider.
- The identity provider responds to the SAML request with a SAML formatted, digitally signed response that identifies the end user and may include further information indicating that the user is -- or is not -- authenticated and authorized -- or not -- to access restricted resources.
- The service provider validates the response from the identity provider and authenticates the end user to give them access to restricted resources.
- The end user accesses the service provider's content or application.
Requests and responses to those requests must conform to the SAML protocols for exchanging information, with SAML data being formatted as assertions.