What is SAML and How Does It Work?


SAML, which stands for Security Assertion Markup Language, is something that team members in an enterprise organization should understand. One reason is that SAML addresses Single Sign-On (SSO) across services, so that members of an enterprise organization get an easy, simple login experience.

SSO has value for users and for the enterprise itself. With SSO, users don’t have to remember different passwords for varying applications, and they can spend time on strategic work as opposed to signing onto the different applications they use in their workday.

It’s also easier with SSO to revoke privileges if an employee leaves the company rather than having to go through each individual account the employee had access to.

The following highlights what SAML is and how it works.

What Is SAML?

SAML is an open standard that lets identity providers pass credentials for authorization to service providers. Basically, it means you have one set of login credentials, and you can get into many different applications or websites with them.

These transactions use something called Extensible Markup Language or XML. SAML provides the link between authenticating the identity of a user and the authorization allowing them to use a service.

SAML was created by OASIS in 2002. OASIS stands for the Organization for the Advancement of Structured Information Standards.

A SAML provider is typically a server or another computer. Systems that use or provide SAML services are called SAML providers; within that category there is the service provider and, more specifically, the identity provider.

An identity provider is within a system, and it’s what provides the authentication to show a user is who they claim to be.

How Does SAML Work?

If there is a web application that a user wants to access, they visit it through an agent, which is usually the web browser. The agent then tries to get the person access to log into the app.

The login is redirected through the browser to request verification of the user's identity. The user enters their credentials, and when they are verified an XML-based SAML assertion is generated.

SAML providers fall into one of two categories—the service provider and the identity provider.

The service provider requires authentication from the identity provider for authorization to be provided.

There are three components that make up SAML. These are called assertions, protocols, and bindings. Assertions carry identity, authentication and authorization information. Protocols define how requests and responses for security information occur. Bindings are the formats in which SAML protocol messages are embedded and transmitted.

What Are the Benefits of This Type of Authentication?

The SAML authentication approach has certain benefits.

First is the fact that it is a standard format that lets systems communicate and operate with one another. This addresses the common problem of architecture that is specific to one platform. SAML authentication also improves the user experience because it lets users seamlessly access multiple providers with just one sign-in. It is faster and easier, and it eliminates the need for things like resetting and recovering passwords.

SAML is a single point of authentication, so it’s an important part of security for enterprise applications.

With the SAML form of authentication, credentials don’t go beyond the firewall of the enterprise.

There are lower costs for service providers with SAML too. You don’t have to maintain information across multiple services, and instead, this falls onto the shoulders of the identity provider.

SAML vs. OAuth

SAML is often compared to the newer OAuth option. OAuth is a standard for authorization, but it doesn’t have anything to do with authentication.

With OAuth, there is no assumption that the client is a web browser. With this option, the user chooses to log into a file sharing service. That user is the Resource Owner. The Resource Server then provides an Authorization Grant to the client and redirects to the Authorization Server. The client requests an Access Token and logs into the Authorization Server. If the code is valid, the client receives an Access Token.

OAuth was developed by Google and Twitter, and it’s newer than SAML. One of the reasons it was developed was to address gaps left by SAML on mobile platforms.

SAML was designed primarily for use on the open web, and OAuth is meant for internet-scale.

What does this all mean? Essentially both SSO and SAML are critical components of an enterprise-level strategy for cybersecurity. Anyone with a role in enterprise cybersecurity planning may need to have an understanding of both SAML and SSO.

This is an article provided by our partners network. It does not reflect the views or opinions of our editorial team and management.
