
What Is SAML Authentication?

SAML authentication, or Security Assertion Markup Language authentication, is a method of single sign-on (SSO) used to authenticate and authorize users across different systems. It enables the exchange of user identity information between an identity provider (IdP) and a service provider (SP).

User authentication is a critically important cybersecurity process. Indeed, the ability to verify the identity of a user is a root control in most cybersecurity frameworks, and for good reason. If you can’t enforce which users are able to access your systems and data, you’re going to have a lot of trouble with malicious actors.

Inside an organization, authentication is relatively simple. If a user logs in with credentials that match those on record, authentication can proceed, often with additional steps such as multi-factor authentication (MFA) that provide further proof of identity.

Where things can get complicated, however, is when a user wants to access an external application, or an external user wants to access your systems. If the user is a machine, or the use case is app-to-app interoperability, authentication gets even harder to address. You often want to enable users to authenticate themselves once before granting access to multiple applications in a single sign-on (SSO) scenario.

This is where Security Assertion Markup Language (SAML) has a role to play. The key word in SAML is “assertion.” SAML offers a standardized way for a user (human or machine) to assert a verifiable identity. It’s like a digital passport.

What is SAML?

SAML is an open standard based on the Extensible Markup Language (XML). A SAML assertion transfers the user’s identity data between two entities: the identity provider (IdP) and the service provider (SP). The IdP authenticates the user and passes their identity information to the SP. The SP, in turn, trusts the IdP and grants the user the level of access they have requested. This process is typically transparent to the user. For example, once you have logged into your corporate network, you might open a SaaS application and be allowed in without entering your credentials again. That’s SAML at work.

How does SAML authentication work?

SAML assertions are messages that contain the information an SP needs to confirm the identity of the user. The assertion tells the provider that the user has signed in, sharing the assertion’s source, its time of issuance, and other data points that confirm the user’s identity. The service provider can accept or reject the user’s access request based on the contents of the SAML assertion.

The interactions between the user, the IdP, and the SP follow this general flow:

  1. The user needs access to the SP. They’ll use the IdP for authentication through SAML.
  2. The user starts to log in to the SP through their browser.
  3. The SP generates a SAML request.
  4. The browser receives the SAML request and directs the user to the IdP’s SSO URL.
  5. The IdP parses the SAML request and authenticates the user.
  6. The IdP generates a SAML assertion and sends it to the browser, which forwards it to the SP for verification.
  7. Upon verification, the user gets to log into the SP. (If the verification fails, the user is denied access.)

SAML authentication benefits

SAML offers many benefits to system owners, security managers, and end users. The user experience is usually streamlined with a single login page. With SAML, users only have to sign in once to access multiple service providers. The whole authentication process speeds up, and users no longer have to remember multiple login credentials.

Security also improves with SAML due to its ability to provide authentication from a centralized system, the IdP. This concentrated architecture has the effect of reducing the attack surface.

With SAML, it’s also possible to work with loosely coupled directories. There’s no need to synchronize user information between identity directories. This eliminates a time-consuming chore that not only creates complexity, but also increases risk exposure. Any time identity data is being moved around, it may become vulnerable to a breach.

Service providers can also cut operational costs with SAML. They no longer have to maintain user account data across services. Instead, the IdP takes care of this process for them.

Is SAML authentication the same thing as user authorization?

Some people get confused about whether SAML authentication is the same as user authorization. It’s easy to see why. A SAML assertion’s SSO functionality can be viewed as authorizing the user to access multiple service providers. However, SAML authentication and user authorization aren’t the same thing.

SAML is for authentication, meaning it establishes the identity of the user. SAML doesn’t communicate the user’s privileges to do, or not do, certain things. Despite its SSO capabilities, it doesn’t perform an authorization function.

SAML vs. OAuth

Is SAML comparable to OAuth? This is a common question. The answer is that the two serve different purposes. While both protocols are used to manage access, SAML deals with user authentication and OAuth is for authorization. A SAML assertion authenticates the user to the SP. An OAuth token declares what the user is authorized to do with the SP.

What is SAML 2.0?

SAML 2.0 is the second major version of the Security Assertion Markup Language (SAML) standard, building upon its predecessor to improve authentication, interoperability, and single sign-on (SSO) functionality. Designed to meet the growing demands of modern web applications, SAML 2.0 streamlines identity management across multiple platforms and organizations, enhancing both security and user experience.

Key features of SAML 2.0

  • Enhanced single sign-on (SSO):
    SAML 2.0 provides seamless SSO capabilities, allowing users to log in once and access multiple service providers (SPs) without reauthenticating. This reduces login friction and improves productivity for end users.
  • Improved interoperability:
    The updated standard simplifies integration between identity providers (IdPs) and SPs, enabling compatibility across diverse environments, including cloud-based and on-premises systems.
  • Support for modern workflows:
    SAML 2.0 introduces improved support for mobile and web-based applications, making it easier to secure APIs and services used in dynamic, distributed workflows.
  • Protocol simplification:
    By refining the message exchange process, SAML 2.0 reduces complexity and ensures faster authentication, improving performance in high-traffic environments.

How SAML 2.0 works

SAML 2.0 operates on a framework similar to SAML 1.1 but introduces several updates to enhance functionality. The process includes:

  1. Initialization:
    The user requests access to a service provider (SP). The SP sends an authentication request to the identity provider (IdP) via the user’s browser.
  2. Authentication:
    The IdP verifies the user’s identity based on credentials or other authentication factors.
  3. Assertion:
    Once authenticated, the IdP generates a SAML assertion containing the user’s identity and attributes. This assertion is sent to the SP.
  4. Access granted:
    The SP validates the assertion and grants access to the user, enabling secure and streamlined interactions across applications.
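The two flows above (the seven-step exchange under "How does SAML authentication work?" and the four-step SAML 2.0 process) as a runnable Python sketch. This is an added example, not code from the original Akamai page. It uses only the standard library; the entity IDs, URLs, user name and shared key are constructed values, and the HMAC over the assertion is a stand-in for the XML Signature (XML-DSig with the IdP's certificate) that a real IdP applies. What it does show faithfully is the set of checks a service provider must make in the last step before trusting an assertion: signature, issuer, validity window, audience restriction, binding to the SP's own request via InResponseTo and Recipient, and one-time use of the assertion ID.

```python
"""Minimal SAML 2.0 web SSO round trip: SP builds an AuthnRequest, IdP answers with a
signed Assertion, SP validates it. Constructed example; HMAC stands in for XML-DSig."""
import copy
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(prefix, uri)   # stable prefixes so serialization is deterministic

IDP_ENTITY_ID = "https://idp.example.org"          # assumed identity provider
SP_ENTITY_ID = "https://app.example.com"           # assumed service provider
SP_ACS_URL = "https://app.example.com/saml/acs"    # assumed Assertion Consumer Service
SHARED_SECRET = b"demo-signing-key"                # stand-in for the IdP's private key
DEMO_NOW = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
DEMO_LATER = DEMO_NOW + timedelta(minutes=10)      # outside the 5-minute validity window
SEEN_ASSERTION_IDS = set()                         # replay cache kept by the SP


def ts(dt):
    """SAML timestamps are UTC; fixed width so they compare correctly as strings."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def assertion_bytes(assertion):
    """The bytes covered by the (enveloped) signature: the Assertion minus its Signature."""
    clean = copy.deepcopy(assertion)
    for sig in clean.findall(f"{{{DS}}}Signature"):
        clean.remove(sig)
    return ET.tostring(clean)


def sp_build_authn_request(now):
    """SP side: create an AuthnRequest and remember its ID for the InResponseTo check."""
    req_id = "_" + secrets.token_hex(16)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID=req_id, Version="2.0",
                     IssueInstant=ts(now), AssertionConsumerServiceURL=SP_ACS_URL)
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return req_id, ET.tostring(req)


def idp_build_response(request_xml, name_id, now):
    """IdP side: after authenticating the user (out of band here), issue a signed Assertion."""
    req = ET.fromstring(request_xml)
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_" + secrets.token_hex(16), Version="2.0",
                      IssueInstant=ts(now), InResponseTo=req.get("ID"))
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_" + secrets.token_hex(16),
                      Version="2.0", IssueInstant=ts(now))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    subject = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    conf = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation")
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", InResponseTo=req.get("ID"),
                  Recipient=SP_ACS_URL, NotOnOrAfter=ts(now + timedelta(minutes=5)))
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=ts(now),
                         NotOnOrAfter=ts(now + timedelta(minutes=5)))
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = SP_ENTITY_ID
    # Sign the assertion (HMAC stand-in for an RSA XML-DSig enveloped signature).
    mac = hmac.new(SHARED_SECRET, assertion_bytes(a), hashlib.sha256).hexdigest()
    sig = ET.SubElement(a, f"{{{DS}}}Signature")
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = mac
    return ET.tostring(resp)


def sp_validate_response(response_xml, expected_request_id, now):
    """SP side: every check that must pass before the user is logged in. Returns (ok, reason, name_id)."""
    resp = ET.fromstring(response_xml)
    a = resp.find(f"{{{SAML}}}Assertion")
    if a is None:
        return False, "no assertion", None
    sig = a.find(f"{{{DS}}}Signature/{{{DS}}}SignatureValue")
    expected = hmac.new(SHARED_SECRET, assertion_bytes(a), hashlib.sha256).hexdigest()
    if sig is None or not hmac.compare_digest(sig.text or "", expected):
        return False, "bad signature", None
    if a.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
        return False, "unknown issuer", None
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None or not (cond.get("NotBefore", "") <= ts(now) < cond.get("NotOnOrAfter", "")):
        return False, "expired", None
    if cond.findtext(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience") != SP_ENTITY_ID:
        return False, "wrong audience", None
    scd = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
    if scd is None or scd.get("InResponseTo") != expected_request_id or scd.get("Recipient") != SP_ACS_URL:
        return False, "not a reply to our request", None
    if a.get("ID") in SEEN_ASSERTION_IDS:          # each assertion may be consumed once
        return False, "replayed assertion", None
    SEEN_ASSERTION_IDS.add(a.get("ID"))
    return True, "ok", a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


def demo():
    """Run the happy path and four failure modes; returns the reason strings in order."""
    SEEN_ASSERTION_IDS.clear()
    req_id, req_xml = sp_build_authn_request(DEMO_NOW)
    good = idp_build_response(req_xml, "alice@example.com", DEMO_NOW)
    results = [sp_validate_response(good, req_id, DEMO_NOW)[1],
               sp_validate_response(good, req_id, DEMO_NOW)[1],          # same assertion twice
               sp_validate_response(idp_build_response(req_xml, "alice@example.com", DEMO_NOW),
                                    "_some-other-request", DEMO_NOW)[1],
               sp_validate_response(idp_build_response(req_xml, "alice@example.com", DEMO_NOW),
                                    req_id, DEMO_LATER)[1],
               sp_validate_response(idp_build_response(req_xml, "alice@example.com", DEMO_NOW)
                                    .replace(b"alice@example.com", b"mallory@example.com"),
                                    req_id, DEMO_NOW)[1]]
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks matters in practice: the signature is verified first so that none of the later decisions rest on attacker-controlled XML, and the assertion ID is recorded only after everything else passes, so a rejected message never poisons the replay cache.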

SAML 2.0 Use Cases

  • Enterprise SSO: Organizations use SAML 2.0 to enable employees to access multiple corporate applications with a single set of credentials.
  • Cloud security: SAML 2.0 facilitates secure access to cloud-hosted services by authenticating users via centralized identity providers.
  • Cross-organization collaboration: SAML 2.0 supports partnerships by allowing trusted third parties to authenticate users across organizational boundaries.

Conclusion

SAML is an essential user authentication standard for an entity that wants to allow access to users outside of its organization. SAML assertions enable simple, efficient authentication, as well as SSO for multiple service providers. The technology also helps improve security and cut costs, while also delivering the architectural benefits of more loosely coupled directories.

Frequently Asked Questions

Security Assertion Markup Language (SAML) authentication is an XML-based protocol that enables web browser single sign-on (SSO). The exchange typically takes place through an XML document containing security tokens, known as a SAML assertion.

The primary use for SAML is to authenticate a user with an identity provider (IdP) to verify who they are. Using that authentication, the IdP can let the service provider (SP) know it’s okay to grant the user authorized access to multiple secured services or applications using the same credentials.

The main components of SAML include:

  • Client: User or entity seeking access to a service
  • Identity provider (IdP): The SAML authenticator; it performs user authentication and provides identity information to the SP
  • Service provider (SP): Authorizes user access or denies it based on information received from the IdP
  • Identity management (IdM) service: The framework or solution that manages user identity information

These components allow SAML-based systems to securely exchange information between security domains while streamlining the process for both the user and the service provider.

You can use SAML with other authentication methods and identity management systems. For example, SAML works well with multi-factor authentication. An LDAP system can also work as the IdM service for a SAML-based solution.
 

While SAML does add a level of security to user access, it’s not a substitute for common-sense data protection methods and protocols. Probe your SAML solution, especially when it’s combined with another system. One way to perform diligent risk assessment is with an attack surface management process.
 

Third-party SAML solutions can often iron out issues for clients, but you should still secure cloud implementations with API runtime protection and REST API security measures to ensure the integrity of the services provided.

A disadvantage of SAML authentication is the significant configuration that’s required. This is especially true when configuring SAML user authentication between multiple IdP and SP entities. Troubleshooting SAML in such an environment can be a daunting task.
 

Additionally, SAML isn’t fully compatible with some types of servers, which can limit its use or effectiveness. SAML implementations do not all behave the same way across disparate products and use cases, so it’s a good idea to always use security testing tools before, during, and after any deployment.
