
What is SAML?

SAML (Security Assertion Markup Language) might not sound like a glamorous topic, but its importance in today's digital landscape cannot be overstated. Without authentication protocols, the internet we know today would simply not exist.

SAML and similar technologies have played a fundamental role in making the digital frontier safer and more reliable.

What does SAML Mean?

Security Assertion Markup Language (SAML) is an open standard used to exchange authentication and authorization data between parties, more specifically between a service provider and an identity provider.

SAML is based on XML and is used to carry security assertions (statements that service providers use to make access-control decisions).

The most common use case for SAML is web-browser single sign-on (SSO). Single sign-on is easy to achieve within a single security domain. Extending SSO across security domains, however, is challenging and led to a proliferation of non-interoperable proprietary technologies. The SAML Web Browser SSO profile was standardized to provide that interoperability.

What is the History of SAML?

In January 2001, the OASIS Security Services Technical Committee (SSTC) met for the first time. The committee went on to define an XML framework for exchanging authentication and authorization information.

Following that first meeting, OASIS announced in November 2002 that the Security Assertion Markup Language (SAML) V1.0 specification had been designated an OASIS Standard.

In the meantime, the Liberty Alliance, a large consortium of companies, businesses, nonprofits, and government organizations, had proposed an extension to the SAML standard called the Liberty Identity Federation Framework (ID-FF). Like its SAML predecessor, ID-FF aimed to provide a standardized, web-based, cross-domain single sign-on framework.

In addition, Liberty introduced the circle of trust, in which each participating domain is trusted to accurately document the processes it uses to identify a user, the type of authentication system used, and any other policies associated with the resulting authentication information and credentials. Other members of the circle of trust can then examine these policies to decide whether to trust that information.

While Liberty was developing ID-FF, the SSTC started work on a minor upgrade to the existing SAML standard. In September 2003 the SAML V1.1 specification was approved by the SSTC. SAML V2.0 was announced in March 2005 and was designated an OASIS Standard. SAML V2.0 represented the convergence of Liberty ID-FF, the proprietary extensions introduced by the Shibboleth project, and the early versions of SAML itself.

By early 2008, deployments of SAML V2.0 had become common in government, higher education institutions, and commercial enterprises worldwide.

How Does SAML Work?

SAML works by passing the user's identity information and related details from one site to another. The transfer is carried out through a digitally signed exchange of XML documents.

Understanding how SAML works is easier with an example. Suppose a user is logged into a system that can act as an identity provider. The user wants to log in to a different remote application, the service provider.

The user opens the remote application through a link found on an intranet, a saved bookmark, or something similar, and the application loads.

The application identifies the user's origin and redirects the user to the identity provider for authentication.

An authentication request is made; the user either already has an active browser session with the identity provider or establishes a new one by logging in to the identity provider.

The identity provider builds the authentication response as an XML document containing the user's details, such as the username or email address, signs it using an X.509 certificate, and posts it to the service provider. The service provider already knows the identity provider and holds a fingerprint of its certificate, so it validates the authentication response against that certificate fingerprint. The user's identity is verified and the user is granted access to the requested application.

How to Use SAML?

One of the earliest uses of the Security Assertion Markup Language (SAML) was web browser single sign-on (SSO). The user requests access to a web resource protected by the SAML service provider (SP). For the SP to learn the user's identity, the user agent sends an authentication request to the SAML identity provider (IdP).

SAML transfers information about users, logins, and other attributes between service providers and the identity provider. To use SAML, the user first logs in once through single sign-on (SSO) with the identity provider. When the user attempts to use a service, the identity provider sends the SAML attributes to the service provider. The service provider then authorizes the user's credentials with the identity provider. The identity provider sends the authorization and authentication messages to the service provider, and the user is granted access, for example to a Customer Relationship Management (CRM) application.

The user needs to log in only once because both the service provider and the identity provider speak the same language: the Security Assertion Markup Language (SAML).

What is SAML 2.0?

Security Assertion Markup Language (SAML) 2.0 is the version of SAML that deals specifically with the exchange of authentication and authorization messages between service providers and identity providers. In March 2005, SAML 2.0 became a standard of OASIS, the Organization for the Advancement of Structured Information Standards. OASIS is a global non-profit organization that develops open standards for cyber security, blockchain, cloud computing, emergency management, legal data exchange, and much more.

SAML 2.0 is an Extensible Markup Language (XML)-based protocol that passes information between the identity provider and the service provider using security tokens that contain assertions about the user. The identity provider acts as the SAML authority, while the service provider acts as the SAML consumer.

SAML 2.0 allows web-based, cross-domain SSO (single sign-on), which reduces the administrative burden of distributing numerous authentication credentials to users.

The SAML 2.0 authentication protocol is used especially by web-based enterprises. It transfers messages between applications in Extensible Markup Language (XML) format. During user authentication, the identity provider (IdP) digitally signs the XML document and shares it with the service provider (SP).

What is Different in SAML 2.0?

The Security Assertion Markup Language (SAML) was upgraded from SAML version 1 to SAML 2.0, which deals with the authentication of the user. With the enhancement to SAML 2.0 came the problem that its assertion messages and protocols are incompatible with a SAML version 1 processor. The update to SAML 2.0 also brought a number of organizational changes, listed below:

  1. Core Specification and Assertions and Protocols Specification:

    The former core specification is now called the Assertions and Protocols specification, because it defines multiple protocols.

  2. Rules for Processing:

    The processing rules are now specified more precisely.

  3. Bindings and Profiles:

    A binding defines how SAML requests and responses are mapped onto standard messaging and communication protocols, while a SAML profile is a combination of assertions, protocols, and bindings.

    Previously the bindings and profiles were combined in a single specification; now two separate documents are available, one for bindings and one for profiles. The profiles document also includes the SAML attribute profiles.

  4. Authentication Context and XML Schemas:

    An authentication context specification and accompanying XML schemas are now available.

  5. Metadata and XML Schemas:

    A new metadata specification with accompanying XML schemas has been added.

  6. Bibliographic References:

    In SAML 2.0, the bibliographic references are divided into two categories: normative and non-normative.

  7. Overview Documents:

    SAML 2.0 comes with a new technical overview document as well as a new non-normative executive overview document.

Why is SAML Important?

Security Assertion Markup Language (SAML) is important because it simplifies federated authentication and authorization for everyone involved: users, identity providers, and service providers. SAML lets identity providers and service providers exist as two separate parties. This separation centralizes user management and supports access to SaaS (Software as a Service) solutions.

In the context of enterprise applications, security and protection are among the most important, even critical, considerations. SAML allows security systems and application software to be developed and evolve independently. With SAML, users can securely access multiple applications after entering their credentials only once.

Without SAML, user credentials may be stored in risky, untrusted environments; SAML keeps credentials at the identity provider so that they are neither exposed to nor stolen from each application. By using SAML, users can access multiple applications, and business is conducted faster and more efficiently.

What are the Benefits of SAML?

SAML has several benefits that end users, businesses, and service providers get to enjoy. Here are some of the key benefits of SAML:

  1. An Improved User Experience

    Thanks to SAML, users need to sign in only once even when they access multiple service providers. This makes authentication quicker and spares users from memorizing separate login credentials for every app they want to use.

  2. Improved Security

    SAML provides a single point of authentication at a protected identity provider. SAML then passes the identity information to the designated service providers. This form of authentication ensures that credentials are sent directly to the IdP and to no one else.

  3. Loose Coupling of Directories

    SAML doesn't require user data to be maintained and synchronized between different directories.

  4. Lower Costs for Service Providers

    Thanks to SAML, you don't need to maintain account information or user-specific data across multiple services. The identity provider bears this burden.

What is SSO SAML?

Single Sign-On Security Assertion Markup Language (SSO SAML) is a method of user authentication in which the user's authentication information is passed from the identity provider to the service provider. SAML is one way of implementing single sign-on (SSO). SSO SAML lets users access various applications and websites after entering their username and password once, so they do not need to log in separately to each application.

The user's identity is transferred from the identity provider to the service provider through an exchange of digitally signed Extensible Markup Language (XML) documents. The SSO SAML process is as follows:

  • The user requests access to a resource, such as a website or application, from the service provider (SP).
  • The user is then identified by the identity provider (IdP).
  • The service provider (SP) identifies the identity provider (IdP) and redirects the user to the IdP with an authentication request.
  • The identity provider (IdP) then sends a response in the form of an Extensible HyperText Markup Language (XHTML) form.
  • Finally, an XML document containing the user's authorization is sent by the identity provider (IdP) to the service provider (SP).

What is SAML in Cyber Security?

In large enterprises and other organizations, maintaining the organization's security is a prime concern. Cyber security refers to the programs, applications, and practices used to protect an organization's or network's data from threats and cyber-attacks.

Security Assertion Markup Language (SAML) is an open standard by which the identity, authentication, and authorization information are shared across the network systems. The security credentials of the users are transferred between the identity providers and the service providers which makes it important to maintain the security and privacy of the user and his or her attributes.

SAML provides a single point of authentication at a secure identity provider, which means that user identities and credentials stay private and remain inside the firewall boundary. The applications themselves do not store user credentials, so there is a much smaller chance of user data being stolen or breached. The Security Assertion Markup Language (SAML) provides a strong security layer that protects user attributes from attacks by making full use of public key infrastructure (PKI).

The SAML specification recommends quite a few security mechanisms, two of which are described below:

  1. Transport Layer Security:

Transport Layer Security (TLS), also referred to as transport-level security, is a protocol for securing web communications. The transport-level security mechanism used by SAML is TLS 1.0+.

  2. Message Level Security:

Message-level security is applied to the XML (Extensible Markup Language) messages themselves. XML is a set of rules for encoding data and documents in a format that is both human-readable and machine-readable.

SAML uses two methods to maintain message-level security: XML Signature and XML Encryption.

  • XML Signature:

XML signatures are digital signatures designed for XML transactions. They add not only authentication but also data integrity and support for non-repudiation to the data they cover. For signature validation, the signed data object must be accessible; XML signatures make this easy because the signature itself points to the location of the signed object.

  • XML Encryption:

    XML Encryption (XML-Enc) is a specification that defines how to encrypt the contents of an XML element.

Both XML Signature and XML Encryption use the KeyInfo element, which tells the recipient which keying material to use to validate a signature or to decrypt encrypted data.

What is SAML Authentication?

Authentication and authorization are different things. Authentication establishes the identity of the user, that is, who they are and whether their login identity has been confirmed, while authorization is the set of permissions granted to the user. Security Assertion Markup Language (SAML) is a technology for authenticating users, not for authorizing them.

[Figure: SAML SSO flow between the identity provider and the service provider, showing the authentication and authorization steps]

Figure 1. SAML example steps

The process for SAML authentication is as follows:

  • A session is initiated between the user and the identity provider, in which the user logs in and is authenticated.
  • A second session is initiated between the user and the service provider, such as a cloud application, that is configured to authenticate through single sign-on (SSO).
  • The service provider then asks the identity provider for information about the user's authentication.
  • The identity provider responds to the SAML request with a digitally signed SAML response that identifies the user.
  • The service provider validates the response sent by the identity provider and grants the end user access to the restricted resources.
  • The end user is then able to access the service provider's content or applications.
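The service-provider side of the steps above (and of the flow in "How Does SAML Work?"), as an added example that is not code from the original page: a stdlib-only Python check of a constructed SAML Response covering the Issuer, Destination, InResponseTo, Conditions and the pinned certificate fingerprint taken from KeyInfo. The entity IDs, URLs, timestamps and the placeholder certificate bytes are all assumed values; verifying the XML signature itself needs an XML-DSig library and is deliberately left out.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the IdP signing certificate; a real one is X.509 DER bytes.
FAKE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
# What the SP knows about itself and about its IdP partner (assumed values).
SP_CONFIG = {
    "idp_entity_id": "https://idp.example.com/metadata",
    "idp_cert_sha256": hashlib.sha256(FAKE_CERT_DER).hexdigest(),  # pinned fingerprint
    "sp_entity_id": "https://sp.example.com/metadata",
    "acs_url": "https://sp.example.com/saml/acs",
}

# Constructed SAML Response, as the SP's assertion consumer endpoint would receive it.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp1" InResponseTo="_req42" Version="2.0"
    IssueInstant="2024-01-01T12:00:05Z" Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:05Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def ts(value):  # SAML timestamps are UTC xs:dateTime values with a 'Z' suffix
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, config, now, expected_request_id):
    """Return the failed checks (empty list = all passed). The XML signature itself is not
    verified here (that needs an XML-DSig library); these are the checks an SP makes after it."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != config["acs_url"]:
        problems.append("destination")          # addressed to some other endpoint
    if root.get("InResponseTo") != expected_request_id:
        problems.append("in_response_to")       # not an answer to a request we sent
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no_assertion"]
    issuers = [root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)]
    if any(i is None or i.text != config["idp_entity_id"] for i in issuers):
        problems.append("issuer")               # Issuer must carry the IdP Entity ID
    cert = assertion.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    fp = hashlib.sha256(base64.b64decode(cert.text.strip())).hexdigest() if cert is not None else None
    if fp != config["idp_cert_sha256"]:
        problems.append("certificate_fingerprint")  # KeyInfo cert is not the pinned one
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["conditions"]
    if now < ts(cond.get("NotBefore")) or now >= ts(cond.get("NotOnOrAfter")):
        problems.append("validity_window")      # outside NotBefore / NotOnOrAfter
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["sp_entity_id"] not in audiences:
        problems.append("audience")             # assertion was issued for another SP
    return problems
```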

Who Supports SAML Authentication?

SAML authentication is supported by both Microsoft Azure and AWS, which is a measure of how important it is in the world of authentication protocols.

Both providers offer SAML authentication for organizations that want SSO for an application or a SAML solution for authenticating their staff, contractors, and other employees.

What is Entity id in SAML?

The Entity ID is primarily used as the value of the Issuer element that is present in the SAML protocol message. When an authentication request is made, the Issuer element has the Entity ID of the Service Provider. In the SAML response, it has the Entity ID of the Identity Provider.

To find the Entity ID for your SSO endpoint, look at the bottom of the Edit Single Sign-on Endpoint screen. The Entity ID field holds the value that you enter in the third-party SSO provider. If you configured Single Sign-on in ScreenSteps after 29 April 2021, the Entity ID matches the SAML Consumer URL.

To make sure that your Entity ID is globally unique, the InCommon Federation asks that Entity IDs be in the form of a URL. The DNS domain in the URL must be one you can demonstrate control over, usually one belonging to your company or organization.
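The request side of the Entity ID rule above, as an added example (not from the page or from ScreenSteps): an AuthnRequest whose Issuer is the SP Entity ID, encoded the way the SAML HTTP-Redirect binding does it (raw DEFLATE, base64, URL query string) and decoded the way an IdP reads it back. The entity IDs and URLs are assumed values.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, parse_qs, urlparse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed SP and IdP values, not taken from any real deployment.
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/sso/redirect"

def build_authn_request(request_id=None, issue_instant=None):
    """Return (request_id, xml) for an AuthnRequest whose Issuer is the SP Entity ID."""
    request_id = request_id or "_" + uuid.uuid4().hex  # XML IDs may not start with a digit
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{issue_instant}" Destination="{IDP_SSO_URL}" '
           f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return request_id, xml

def redirect_url(xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode into the IdP SSO URL."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"

def decode_saml_request(url):
    """What the IdP does on receipt: undo the encoding and read the Issuer (the SP Entity ID)."""
    params = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(params["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(deflated, -15).decode())
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {"id": root.get("ID"), "issuer": issuer.text if issuer is not None else None,
            "acs": root.get("AssertionConsumerServiceURL"),
            "relay_state": params.get("RelayState", [None])[0]}
```

If the IdP requires signed requests, the Redirect binding additionally signs the SAMLRequest, RelayState and SigAlg query string and appends a Signature parameter; that step is not shown here.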

What is a SAML Request?

A SAML request is an authentication request generated by the service provider (SP) and sent to the identity provider (IdP) so that the user can be granted access to the SP's web pages. Once the user's authentication is complete, the response contains the user ID and other SAML attributes.

The following are the eight possible combinations of SAML responses and assertions:

  1. An unsigned SAML response with an unsigned assertion.
  2. An unsigned SAML response with a signed assertion.
  3. A signed SAML response with an unsigned assertion.
  4. A signed SAML response with a signed assertion.
  5. An unsigned SAML response with an encrypted assertion.
  6. An unsigned SAML response with an encrypted signed assertion.
  7. A signed SAML response with an encrypted assertion.
  8. A signed SAML response with an encrypted signed assertion.

Signing the SAML response is the default setting, in which the whole authentication response is signed. A signed assertion means that the attribute statement within the response is signed; signing the assertion can be configured on request from the service provider (SP).
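An added example, not from the original page, that generates the eight forms listed above as constructed XML skeletons, classifies an incoming response into one of them as the SP sees it before any decryption, and applies a simple SP acceptance rule; the placeholder ds:Signature and EncryptedAssertion contents are structural stand-ins only, not real signatures or ciphertext.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Structural stand-in; a real ds:Signature carries SignedInfo, SignatureValue and KeyInfo.
SIG = '<ds:Signature><ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>'

def make_response(response_signed, assertion_encrypted, assertion_signed):
    """Build a constructed Response skeleton in one of the eight forms (flags pick the form)."""
    assertion = (f'<saml:Assertion ID="_a1">{SIG if assertion_signed else ""}'
                 '<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject></saml:Assertion>')
    if assertion_encrypted:  # a real EncryptedAssertion holds xenc:EncryptedData, not plaintext
        assertion = f'<saml:EncryptedAssertion><!-- ciphertext of {len(assertion)} bytes --></saml:EncryptedAssertion>'
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" ID="_r1">'
            f'<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>{SIG if response_signed else ""}'
            f'{assertion}</samlp:Response>')

def classify(xml_text):
    """Return the number of the matching form as a string. Encrypted forms cannot be told apart
    until the assertion is decrypted, so they come back as the pair '5/6' or '7/8'."""
    root = ET.fromstring(xml_text)
    resp_signed = root.find("ds:Signature", NS) is not None       # signature directly on Response
    if root.find("saml:EncryptedAssertion", NS) is not None:
        return "7/8" if resp_signed else "5/6"
    assertion = root.find("saml:Assertion", NS)
    asrt_signed = assertion is not None and assertion.find("ds:Signature", NS) is not None
    return str({(False, False): 1, (False, True): 2, (True, False): 3, (True, True): 4}[(resp_signed, asrt_signed)])

def acceptable_before_decryption(form):
    """SP policy: the element the SP relies on must be signed. Form 1 carries no signature at all
    and is rejected outright; forms 5/6 can only be decided once the assertion is decrypted (None)."""
    return {"1": False, "2": True, "3": True, "4": True, "5/6": None, "7/8": True}[form]
```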

What is a SAML Assertion?

A SAML assertion is a message that tells a service provider that a specific user is currently signed in. A SAML assertion carries all the information a service provider needs to assess the user's identity, including the source of the assertion, the time it was issued, and the conditions under which the assertion is valid.

You can think of a SAML assertion like the references section of a job candidate's résumé: the person giving the reference states when and for how long the candidate worked with them, what the candidate's role was, and their opinion of the candidate. The company can make a better hiring decision based on that reference. In much the same way, a SaaS application or cloud service can allow or deny a user access based on a SAML assertion.