SAML Explained: How It Works & Its Benefits
In today's digital landscape, where security and user experience are paramount, the way organizations handle authentication and identity management can significantly impact their success. Enter SAML (Security Assertion Markup Language), a powerful authentication protocol that not only enhances security but also improves user experience and transforms the way app developers and IT teams operate.
Before getting into SAML specifics, knowing a few terms is essential.
Identity provider (IdP)
The IdP is the entity responsible for authenticating users and passing on authentication and authorization attributes to the Service Provider (SP). Common IdPs include Azure Active Directory and Okta.
Service provider (SP)
The SP is the entity that the user is trying to access. The SP receives trusted authentication and authorization attributes from the IdP and grants the user access.
Some applications can act as both Identity Providers and Service Providers, e.g., Salesforce and Descope.
A SAML assertion is the XML-based document containing user authentication and authorization data sent from the IdP to the SP. There are three types of assertions: authentication, attribute, and authorization decision.
The authentication assertion verifies the user's identity and provides other details, such as the login time and method of authentication (password, MFA, etc.).
The attribute assertion passes SAML attributes from the Identity Provider to the Service Provider. These attributes include (but are not limited to) which department the user belongs to, whether the user is part of a “VIP” group, and basic contact information.
The authorization decision assertion details the user’s authorization by passing group membership information from the Identity Provider to the Service Provider. The Service Provider can then enforce authorization controls as and when necessary.
What is SAML?
SAML, short for Security Assertion Markup Language, is an open standard that uses Extensible Markup Language (XML) to streamline the flow of identity data between web-based IdPs and SPs.
At its core, SAML serves as the linchpin for the exchange of authentication and authorization data. It acts as the intermediary that verifies user credentials with IdPs, ensuring that access to resources and applications is both swift and secure.
In essence, SAML helps users access multiple web applications with only one set of login credentials, making it the backbone of Single Sign-On (SSO) technology and other forms of federated identity management that simplify the login process for the user while also relieving application owners of the complexities of user authentication.
SAML 1.0 (2001): The first version of SAML, SAML 1.0, was released in November 2001. It laid the foundation for secure identity and attribute exchange in web-based applications.
SAML 2.0 (2005): SAML 2.0, published in March 2005, marked a significant milestone. It improved upon the earlier versions by introducing more robust security features, greater flexibility, and broader adoption. SAML 2.0 remains the most widely used version today.
The protocol continues to evolve, with updates and extensions to address emerging security challenges and changing technology landscapes. The SAML authentication market is projected to grow to $3.1 billion by 2030.
How does SAML work?
Let’s consider the following example to walk through how SAML works:
The user works at an organization that uses SAML SSO for workforce applications.
The user is trying to access SpaceBNB, an application meant for renting spots on other planets (why not?). SpaceBNB is the Service Provider.
The user’s employer uses Authsome to manage user authentication. Authsome is the Identity Provider.
Here is how authentication would look in this case:
Step 1: The user tries to log in to SpaceBNB from their web browser.
Step 2: SpaceBNB generates a SAML request.
Step 3: The browser redirects the user to an SSO URL from Authsome. Authsome parses the SAML request and authenticates the user (with username-password, social login, PIN, etc.). This step will be skipped if the user already has an existing session with Authsome.
Step 4: Authsome generates a SAML response and sends it to the browser. This response contains assertions about the user’s authentication and other attributes.
Step 5: The browser sends the SAML response to SpaceBNB for verification.
Step 6: SpaceBNB checks that the response from Authsome is legitimate and that none of the attributes have been modified.
Step 7: SpaceBNB extracts the user’s identity and other relevant attributes from the SAML response and logs the user in.
In this example, the user can log in to SpaceBNB without creating or remembering another set of unique account credentials. Since SpaceBNB delegates user authentication to Authsome, app builders do not have to worry about storing user passwords, managing password reset flows, and other organizational overhead.
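The checks SpaceBNB would run in Step 6 before trusting the response, written here as an added example in Python (standard library only); it is not code from the original post or from Descope. The entity IDs, URLs, the sample response and the user are constructed for this illustration, and the XML signature over the response is assumed to have been verified already by a SAML library, since that part is not reimplemented here.

```python
import base64, xml.etree.ElementTree as ET  # use defusedxml for untrusted XML in production
from datetime import datetime, timezone
# Assumed identifiers for the SpaceBNB (SP) / Authsome (IdP) example; not a real deployment.
SP_ENTITY_ID, ACS_URL = "https://spacebnb.example/saml/metadata", "https://spacebnb.example/saml/acs"
IDP_ENTITY_ID = "https://authsome.example/idp"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
_ts = lambda v: datetime.fromisoformat(v.replace("Z", "+00:00"))  # SAML times are UTC with a "Z" suffix
def validate_response(saml_response_b64, pending_request_ids, now):
    # Step 6 checks. Precondition: the XML-DSig signature over the Response/Assertion has
    # already been verified against the IdP's certificate by a SAML library (not redone here).
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP reported a non-success status")
    if root.get("Destination") not in (None, ACS_URL):
        raise ValueError("Destination is not our ACS URL")
    req_id = root.get("InResponseTo")  # must be an AuthnRequest ID this SP issued in Step 2
    if req_id not in pending_request_ids:
        raise ValueError("unsolicited or replayed response")
    pending_request_ids.discard(req_id)  # single use: replaying this response now fails
    [a] = root.findall("saml:Assertion", NS)  # exactly one Assertion, else ValueError
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("Assertion not issued by the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("Assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("Assertion was issued for a different SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != req_id or now >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("SubjectConfirmationData does not match this SP/request")
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), attrs  # identity + attributes for Step 7
# Constructed sample of what Authsome might return for request "_req1" (signature element omitted).
NOW = datetime(2030, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_B64 = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
 Version="2.0" IssueInstant="2030-01-01T12:00:00Z" InResponseTo="_req1" Destination="{ACS_URL}"><samlp:Status>
<samlp:StatusCode Value="{SUCCESS}"/></samlp:Status><saml:Assertion ID="_a1" Version="2.0"
 IssueInstant="2030-01-01T12:00:00Z"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject>
<saml:NameID>ada@example.com</saml:NameID><saml:SubjectConfirmation><saml:SubjectConfirmationData
 Recipient="{ACS_URL}" InResponseTo="_req1" NotOnOrAfter="2030-01-01T12:05:00Z"/></saml:SubjectConfirmation>
</saml:Subject><saml:Conditions NotBefore="2030-01-01T11:55:00Z" NotOnOrAfter="2030-01-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="department"><saml:AttributeValue>Engineering</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>""".encode())
def demo():  # SpaceBNB remembers "_req1" from Step 2, then validates the response the browser posted
    return validate_response(SAMPLE_B64, {"_req1"}, NOW)
```

Because the request ID is consumed on first use, posting the same response a second time is rejected, and so is a response whose validity window has passed.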
SAML vs. SSO
While SAML and SSO are closely related and often confused, they are not the same. In essence, SAML is one of the protocols that govern SSO implementation.
SAML serves as the standard protocol for secure communication between SPs and IdPs to verify user credentials and exchange identity information.
SSO is an authentication process that simplifies access to multiple applications and services by allowing users to log in once with a single set of credentials.
SAML enhances security by shifting the responsibility of storing and managing login credentials from SPs to specialized IdPs.
SSO focuses on improving user experience by providing a centralized access point to multiple services with one set of login credentials.
SAML is primarily used to simplify and centralize authentication-related tasks. It enforces secure authentication protocols and manages authentication permissions across different platforms and services.
SAML facilitates the primary use case of SSO by unifying logins across an organization's various services.
SAML and OAuth
While both protocols deal with authentication and authorization, they excel in different areas. SAML is well-suited for enterprise applications and establishing trust between organizations in federated identity scenarios. In contrast, OAuth is designed to grant third-party applications the authorization to access user data securely.
SAML vs. OAuth at a glance:
Purpose: SAML provides secure data exchange for authentication and authorization in web-based applications. OAuth provides delegated authorization for third-party access to user data without exposing credentials.
Token format: SAML uses XML-based SAML assertions. OAuth uses JSON Web Tokens (e.g., access tokens, refresh tokens).
Primary Use Cases: SAML is used for Single Sign-On (SSO) and federated identity management. OAuth is used for API authorization and delegated access to user data.
Where it is used: SAML is mainly used in web-based applications and SSO scenarios. OAuth is primarily used to secure APIs and enable third-party app integrations, and is also useful for mobile applications.
Imagine you're going to Six Flags amusement park. When you arrive, the park staff will check two things before letting you in: your ID and your ticket.
First, they'll look at some form of government-issued identification (like a driver's license) to ensure you are who you claim to be. This is similar to how SAML works – it verifies your identity.
Second, they'll check your ticket, which determines what kind of access you have within the park. Your ticket might grant access to the fast lane, unlimited rides, or VIP areas. This is like OAuth, as it controls what actions or resources you're authorized to use.
Read more: SAML vs OAuth Differences Explained
SAML vs LDAP
SAML and Lightweight Directory Access Protocol (LDAP) serve different purposes and have distinct features and use cases.
SAML vs. LDAP at a glance:
Purpose: SAML provides secure data exchange for authentication and authorization, mainly for web-based applications. LDAP is a directory service for storing, retrieving, and managing structured data, including user and resource information.
Data format: SAML exchanges XML-based assertions. LDAP uses a hierarchical data structure.
Primary Use Cases: SAML is used for Single Sign-On (SSO) and federated identity. LDAP is used for centralized user account management and directory services for authentication and authorization.
Focus: SAML focuses on user identity and access control in web applications. LDAP is primarily focused on authentication and data retrieval from the directory service.
Authorization: SAML manages user permissions within web applications. LDAP typically does not handle authorization directly; it provides user data for authorization decisions.
Benefits of SAML authentication
Here are some key advantages of using SAML authentication.
SAML reduces the attack surface by eliminating the need for Service Providers to store user credentials, making app servers less attractive targets for cybercriminals. By reducing the number of passwords in circulation, SAML minimizes the likelihood and impact of attacks like credential stuffing and phishing.
Improved user experience
SAML streamlines the login process, resulting in a faster and more convenient user experience. Rather than creating and remembering unique passwords for every application, users simply navigate to the desired application and are authenticated by the Identity Provider. The only credential they need to remember is the one used for the Identity Provider.
Identity Providers that use passwordless authentication further improve user experience by freeing users from maintaining complex passwords.
More focused app development
By using SAML, SPs can place the burden of authentication and identity management on the IdP. This means app developers no longer have to expend resources on password management and storage, protecting against password-based attacks, and implementing password reset flows. These resources can now be diverted to the SP’s area of expertise and focus.
IT teams also benefit by not having to field help desk calls for password resets, freeing up their time to tackle more app-focused support concerns.
SAML sans struggle with Descope
SAML is the key to simplifying user authentication, enhancing security, and streamlining access to multiple applications. Understanding how SAML works can unlock the potential for better user experience and robust security measures in your digital environment.
However, learning and debugging SAML can be a complex and time-consuming process. Descope helps developers easily add SAML SSO to their apps with no-code workflows. With identity federation, Descope can also broker connections between any combination of SAML / OIDC clients and IdPs, helping customers unify user identities across customer-facing applications.