Security Assertion Markup Language (SAML) provides a standard way for businesses and application providers to share user authentication and authorization data and federate identity management functionality. SAML helps businesses improve user experiences and strengthen security by unifying identity management and access control across applications and services. And it helps application providers and service providers reduce administrative cost and complexity by offloading identity management responsibilities to a trusted third party.
SAML is ideal for cloud-centric businesses that use SaaS solutions like Salesforce, Microsoft 365 (Office 365), or Google Workspace (G Suite). Rather than signing in to each application individually, users sign in to a secure web portal that provides one-click access to all their applications.
SAML was defined by the OASIS Consortium and is supported by a variety of security vendors, application providers, and service providers. The latest version, SAML 2.0, was introduced in 2005 and is widely adopted.
How SAML Works
SAML provides a simple XML-based framework for exchanging identity and access management data. The specification defines three distinct roles:
- A trusted identity provider (IdP), for example an Identity as a Service (IDaaS) provider
- A service provider (SP), typically a cloud application or service provider
- A principal, typically an end-user like an employee of a business.
The identity provider is the central authority responsible for authenticating principals and granting them access to applications and services. Leading identity providers support Multi-Factor Authentication (MFA) functionality to provide additional protection against impersonation and credential theft.
An identity provider passes identity and access security information to a service provider via a SAML Assertion—an XML document containing user authentication and authorization information and other attributes. SAML defines two distinct types of sign-in flows: an identity-provider-initiated flow where a principal tries to access a service provider via an intermediary IdP webpage, and a service-provider-initiated flow where a principal attempts to access a resource directly on a service provider site.
With the identity-provider-initiated flow, a principal authenticates with the IdP once, using a single set of login credentials, and then gains easy access to all SAML-enabled applications without additional sign-ins. With the service-provider-initiated flow, an unauthenticated principal is redirected to the IdP web portal to sign-on before being granted access to the service.
SAML Advantages for Businesses
SAML provides a variety of business benefits, including
- Improved user experiences – SAML authentication increases user satisfaction by eliminating password fatigue and allowing users to access all their applications in a consistent manner, using Single Sign-On (SSO). It improves employee productivity and accelerates the adoption of cloud-based applications and services by giving users fast, simple, and convenient access to all the online resources they need to do their jobs.
- Risk reduction – SAML strengthens security by centralizing authentication functions and reducing attack surfaces, and by eliminating risky password management practices like using weak passwords or writing passwords down on paper. MFA functionality provides additional security by requiring a user to present multiple forms of evidence (e.g., a password or fingerprint and an SMS code) to gain access to an application or service.
- Simplified operations – SAML helps businesses eliminate administrative cost and complexity and accelerate time-to-value by delegating identity and access management functionality to a trusted identity provider. Using a third-party identity provider frees up internal IT resources to focus on core business tasks.
- Broad support – SAML helps businesses increase choice and avoid multi-vendor interoperability issues. SAML is a widely adopted standard, so businesses can choose from a variety of SAML-compliant identity providers and service providers.
SAML vs OpenID Connect vs Oauth 2.0
SAML, OpenID Connect, and Oauth 2.0 are all identity federation standards. SAML and OpenID Connect are both standards-based frameworks for authenticating users and enabling Single Sign-On across applications and services. SAML is mostly used in enterprise applications. It is supported by cloud business solutions like Salesforce, Box, Workday, Microsoft 365, and Google Workspace. OpenID Connect is mostly used in consumer applications like Facebook, YouTube, and PayPal.
Oauth 2.0 is a standards-based authorization framework used to control access to specific resources like an application or a set of files. Oauth 2.0 is used with both SAML and OpenID Connect.