What is SAML? How Does Authentication Work?

SAML (Security Assertion Markup Language) is a markup language used to create a secure login environment for multiple sites while using only one account.


SAML Authentication

November 03, 2022

It is very convenient to log in to different sites using an account from another well-known and trusted one. Google, Yahoo, Apple - these companies offer their accounts as a universal tool for identifying yourself on many sites. But only a few users know which technology stands behind it.

SAML is an acronym for the Security Assertion Markup Language. It's a mechanism in online security that allows users to access numerous web applications with only one set of login credentials. It involves two parties, an identity provider (IDP) and a web application, which pass authentication information between themselves in a particular format.

Security Assertion Markup Language (SAML) serves as an open standard that identity providers (IDP) use to pass authorization credentials to service providers (SP) for Single Sign-On (SSO). More simply, it means that one set of credentials is enough to log into multiple websites. The SAML mechanism is used in customer relationship management (CRM) software, Active Directory, etc.

All transactions that take place via SAML use Extensible Markup Language (XML) for communication between the identity provider and service providers. In summary, the “what is SAML” question may be answered as “the format for reporting a user's credentials to the website the user is trying to log in to”.

SAML Authentication - How Does It Work?

The SAML mechanism usually involves three interrelated parties: the SSO service provider, the identity provider, and the subject (principal). The subject, or principal, is a user who tries to log in to a particular web application or service.

SAML SSO (Single Sign-On)

Usually, this is some cloud-based application or service that a user needs to use. Common examples include cloud-based email platforms such as Microsoft Office 365 or Gmail, cloud storage services like Dropbox or Google Drive, and workspace communication apps like Skype and Slack.

Authentication via Google Account is the most common example of SAML usage

Without SAML, a user would need to log into each service directly. SAML gives them access straightaway, after logging into a key account. Straightaway access is possible because the user logs in to the SSO (Single Sign-On) instead of logging into services without an intermediary.

SAML IDP (Identity provider)

It is basically a third-party provider of user authentication. An identity provider is a cloud-based software service that stores a user's credentials and, when requested, confirms a user who tries to log in.

Sometimes SSO processes can be separated from identity providers, but given their functions, they play the same role in the general SAML mechanism. The main difference is that for IDPs this is their sole purpose, while SSO services usually have their “main” activity, and participating in the login is a side job.

To use SAML, a user only has to log in to Single Sign-On once for the identity provider to record information about the user. The next time the user tries to log in to a particular web application or service, the identity provider presents the user's relevant SAML attributes to the service provider. Both systems speak the same language, and users need to sign in only once. First, however, the identity provider and the service provider have to agree on the SAML configuration. For SAML to work, both need to have the same configuration.

What Are The Benefits Of SAML?

Because SAML is an open standard, it has some benefits as a mechanism for SSO implementation. Numerous IAM (Identity and Access Management) vendors can use it, and SAML can also be integrated into systems like Salesforce. SAML also allows providers from different vendors to communicate with each other if they use it. Another benefit of SAML is the mechanism's flexibility. Because SAML is an XML dialect, all data can be easily transformed into SAML documents and changed in XML. Besides these benefits, SAML also offers the following:

  • SAML reduces the chance of security breaches because additional credentials are eliminated, preventing identity theft;
  • Application access increases, and administrators no longer need to spend time and effort maintaining duplicate credentials and resetting lost or forgotten passwords;
  • Eliminates the need for a user to log in to the same web application or service multiple times on different devices;
  • In case the SSO mechanism is proprietary, it eliminates the possibility of questionable administration and security.

One of the biggest benefits for ordinary users is that you can easily log in to the desired web application or service using, for example, your Google account just by tapping on it while logging in.

What Is SAML Assertion?

A SAML assertion is an XML packet that holds authentication and authorization information about a particular identity. Assertions basically describe the way the SAML mechanism works. They can be viewed as statements that the IDP makes about a user. The SPs, in turn, use SAML assertions to create and configure sessions when a user tries to log in to their service. There are three types of SAML assertion:

  • Authorization assertions. These assertions are typically issued by a SAML policy decision point (PDP). One is issued every time a user tries to access a specific resource from the SP. They report whether a user's attempt to authorize was successful or not;
  • Attribute assertions. These are specific datasets containing user information like first name, last name, email address, etc. SAML uses the same attributes to identify a user both in SP and IdP directories;
  • Authentication assertions. These assertions help confirm a user. They contain statements with information about user authentication methods like Multi-Factor Authentication (MFA), password, or Kerberos. The latter is the network security protocol used to authenticate service requests from two or more untrusted hosts. Assertions also hold information about the time a user logs into the platform.
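The three statement types above, and the issuer/audience agreement between IdP and SP described earlier, can be seen in one assertion. This is an added example, not code from the original article: the sample XML is constructed, and the URLs, user, and function names are assumptions. A real SP must verify the IdP's XML signature before trusting any of these fields; that step is not shown here.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample; the IdP/SP URLs and the user are hypothetical.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2022-11-03T10:00:05Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sp.example.com/saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2022-11-03T10:00:03Z"><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://sp.example.com/reports" Decision="Permit">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""

def describe_assertion(xml_text):
    """Split one assertion into the three statement types listed above."""
    root = ET.fromstring(xml_text)
    authn = root.find("saml:AuthnStatement", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audiences": [a.text for a in root.iterfind(".//saml:Audience", NS)],
        # Authentication: when and how the IdP verified the user.
        "authn_instant": authn.get("AuthnInstant") if authn is not None else None,
        "authn_method": root.findtext(".//saml:AuthnContextClassRef", namespaces=NS),
        # Attributes: name -> list of values (an attribute may be multi-valued).
        "attributes": {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                       for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)},
        # Authorization decisions: (resource, Permit/Deny/Indeterminate).
        "authz": [(d.get("Resource"), d.get("Decision"))
                  for d in root.iterfind("saml:AuthzDecisionStatement", NS)],
    }

def config_mismatches(info, trusted_issuer, sp_entity_id):
    """Compare the assertion with the configuration the SP agreed with the IdP."""
    problems = [] if info["issuer"] == trusted_issuer else ["issuer"]
    if sp_entity_id not in info["audiences"]:
        problems.append("audience")
    return problems
```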

What Is The Difference Between SAML and LDAP?

LDAP, or Lightweight Directory Access Protocol, is a software protocol used to make it easier to search for specific data about individuals, organizations, and other resources like files or other devices on the network. LDAP can be used on the public internet and inside companies or organizations. It differs from SAML in a number of functions.

LDAP server implementations only work with trusted identity providers or identity sources. SAML cannot always be a trusted source of information; rather, it works as a proxy for the directory service and passes the authentication into a SAML-based process. While LDAP mainly focuses on local authentication, SAML also includes cloud user credentials and other web applications. People use LDAP for core directory services and SAML-based SSO for centralized authentication in web applications.