What is SAML?
SAML stands for Security Assertion Markup Language. It is an XML-based open standard for exchanging identity data between two parties: an Identity Provider (IdP) and a Service Provider (SP).
Is SAML a Protocol?
Yes. SAML is an XML-based protocol used for exchanging identity data.
What is the Primary Role of SAML?
The primary role of SAML is to give you access to multiple web-based applications using one set of login credentials.
What are the 3 main parties in SAML-based authentication?
The 3 main parties in SAML-based authentication are:
1. The Principal
The principal is the entity that initiates the resource access request, for example a person trying to log in to their work email.
2. Identity Provider (IdP)
This is the server or authority that the Principal authenticates with. The Identity Provider (IdP) generates the SAML assertion that contains the identity information for the Principal.
Example: if you log into an application using your Gmail credentials, Gmail is the Identity Provider, because the credentials are validated/authenticated by Gmail.
3. Service Provider (SP)
This is the entity that provides the resource that the Principal wants to access.
How does SAML work – Step by Step:
Here are the components involved in this SAML authentication flow:
- Web Application: SalesForce
- SSO Solution / Identity Provider: Okta
- The User tries to access a Web Application, like SalesForce, using the browser.
- The web application, SalesForce, first checks whether you have already been authenticated by the SSO solution (example: Okta), in which case it gives you access to the site.
- If the User is not authenticated, the Web application (SalesForce) sends you to the SSO solution (example: Okta) to log in, i.e. the Web application redirects the browser with a SAML request to the SSO solution (Okta). The SAML request contains the identity information of the user and the information of the service the user is trying to access.
- Once the User enters the credentials on the SSO page, the SSO solution (Okta) requests authentication from the Identity Provider or authentication system that your company uses, which usually would be Active Directory.
- If the user provides the correct credentials and the identity has been verified, Okta creates a SAML response and sends it to the Service Provider. This SAML response is called the SAML Assertion, and it includes authorization information such as the user's roles and properties, plus a digital signature.
- The Service Provider evaluates the SAML response and the digital signature, extracts the authorization information, and allows the user to access the requested resources.
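The following Python example walks through the flow above from the Service Provider's side: it builds the SAML request, encodes it the way the HTTP-Redirect binding sends it to the IdP, and then applies the checks an SP must run on the SAML response before trusting the assertion (status, InResponseTo, issuer, validity window, audience, recipient) and only then extracts the user's identity and attributes. It is an added example written for this page, not code from the page's author, Okta or Salesforce; the entity IDs, URLs, the sample response and the user "alice@example.com" are all constructed, and the `signature_valid` callback stands in for real XML-DSig verification, which needs a library such as python3-saml or signxml and the IdP's signing certificate.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed identifiers for this example; real parties publish theirs in metadata.
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
IDP_SSO_URL = "https://idp.example.com/sso"


def parse_saml_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(request_id, now):
    """The SP's SAML request: which SP is asking (Issuer) and where the answer goes (ACS URL)."""
    instant = now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
            f'Version="2.0" IssueInstant="{instant}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
            f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>")


def redirect_url(authn_request_xml):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as the SAMLRequest parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate stream, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def decode_redirect_url(url):
    """What the IdP does on arrival: read SAMLRequest from the query, base64-decode, inflate."""
    param = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(param), -15).decode()


def validate_response(response_xml, expected_request_id, now, signature_valid):
    """SP-side checks before anything in the assertion is trusted. signature_valid(assertion)
    must be a real XML-DSig verifier bound to the IdP's certificate; it is injected so the
    remaining checks need only the standard library."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("response does not match an outstanding request")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion in response")
    if not signature_valid(assertion):  # verify before reading any attribute
        raise ValueError("assertion signature invalid")
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion issued by an unexpected IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (parse_saml_time(cond.get("NotBefore")) <= now
                            < parse_saml_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion missing Conditions or outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion intended for a different SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != expected_request_id:
        raise ValueError("subject confirmation does not name this SP and request")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}


# Constructed response, as the IdP would POST it to the ACS after the user logs in.
# A real one also carries a <ds:Signature> element inside the assertion.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1"
  Version="2.0" IssueInstant="2024-01-01T12:00:05Z" InResponseTo="_req1" Destination="{SP_ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:05Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="_req1"
          NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="role"><saml:AttributeValue>sales</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def run_flow():
    """Walk the flow with fixed clocks; returns what each side produced or decided."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    request = build_authn_request("_req1", t0)
    trusted = lambda assertion: True  # stand-in for real signature verification
    identity = validate_response(SAMPLE_RESPONSE, "_req1", t0.replace(minute=1), trusted)
    rejected = {}
    for label, xml, rid, now in [
        ("replayed", SAMPLE_RESPONSE, "_req1", t0.replace(minute=10)),
        ("other_request", SAMPLE_RESPONSE, "_req2", t0.replace(minute=1)),
        ("other_sp", SAMPLE_RESPONSE.replace(SP_ENTITY_ID, "https://other.example.com"), "_req1", t0.replace(minute=1)),
    ]:
        try:
            validate_response(xml, rid, now, trusted)
        except ValueError as e:
            rejected[label] = str(e)
    return {"request_roundtrip": decode_redirect_url(redirect_url(request)) == request,
            "identity": identity, "rejected": rejected}
```

`run_flow()` returns the accepted identity for the well-formed response and the reason each tampered variant was refused: a response presented after its NotOnOrAfter time, one that answers a request this SP never sent, and one whose Audience names a different SP. The order of checks matters: the signature is verified before any element of the assertion is read, so a forged or modified assertion never reaches the audience or attribute logic.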