What is SAML?
Security Assertion Markup Language (SAML) is a widely adopted XML-based framework that allows identity and access data to be securely exchanged between systems across different security domains. It plays a foundational role in enabling Single Sign-On (SSO) and Federated Identity Management (FIdM) for modern enterprise environments.
SAML works by delegating authentication to a centralized Identity Provider (IdP), which issues signed claims, called assertions, to Service Providers (SPs). Because the SP can verify the IdP's signature, it can accept the assertion as proof of who the user is, and the user gains access to protected resources without re-authenticating at every application.
Because SAML messages are XML, they interoperate across platforms and vendors. The flip side is that XML parsing and XML Signature processing are complex, and most SAML vulnerabilities found in practice have been implementation flaws in that processing (an SP accepting an assertion whose signature covers a different element than the one it actually consumed, for example) rather than flaws in the protocol itself. The security of a SAML deployment therefore rests on how carefully the SP validates what it receives.
SAML simplifies identity federation by allowing:
Centralized authentication with one login across multiple applications.
Secure delegation of identity verification to a trusted authority (the IdP).
No password ever reaches the application: the SP only receives assertions, which shrinks the attack surface and the number of places where credentials can leak.
Federated access in B2B or B2C contexts.
It is particularly useful for large enterprises, cloud-based ecosystems, and multi-organizational integrations where local authentication isn’t scalable.
Core SAML Concepts
Authentication and Authorization Exchange
SAML enables an organization to pass along:
Authentication status (that the user was verified, when, and by what method, such as password or MFA).
Attributes the SP can use for authorization decisions (roles, group memberships, email, and similar).
This makes it possible to trust identity claims across independent systems without duplicating login infrastructure.
Assertions
Assertions are structured XML-based statements that describe a user’s identity, roles, and access rights. These are issued by the IdP and consumed by the SP.
An assertion carries one or more statements. SAML 2.0 defines three kinds:
Authentication statements – record that, when, and how the IdP authenticated the user.
Attribute statements – share details such as username, email, or group membership.
Authorization decision statements – state whether the subject may perform a given action on a resource. SAML 2.0 froze this statement type and points to XACML for authorization; in practice SPs derive authorization from attribute statements instead.
In the Web Browser SSO profile the assertion (or the Response that encloses it) is digitally signed by the IdP using XML Signature, and the assertion may additionally be encrypted for the SP. The signature protects integrity and is what makes the claims trustworthy; encryption protects confidentiality. The SP must verify the signature against the IdP certificate it holds from metadata, never against a certificate embedded in the message, and must only trust the specific element that the signature covers.
Federated Identity Support
SAML underpins federated identity models where different organizations trust each other’s IdPs. This enables users to use their home organization credentials to access partner services—without ever revealing passwords to the SP.
Roles in a SAML Transaction
Identity Provider (IdP) – Authenticates users and issues assertions. Examples: Azure AD (now Microsoft Entra ID), Okta
Service Provider (SP) – Hosts protected resources and trusts assertions from the IdP. Examples: Salesforce, AWS
Principal – The user who, through a user agent (normally a browser), requests access to the SP
SAML Building Blocks
Assertion – Contains identity and access information about the user.
Protocol – Specifies how request/response messages are formatted and handled (e.g., the Authentication Request protocol, Single Logout).
Binding – Defines how SAML messages are transported (e.g., HTTP Redirect for the request, HTTP POST for the response, Artifact).
Profile – Combines assertions, protocols, and bindings for a concrete use case; Web Browser SSO is the one described below.
Trust Agreement – The out-of-band setup between IdP and SP, normally exchanged as SAML metadata (entity IDs, signing certificates, endpoint URLs), that lets each side verify the other's messages.
Step-by-Step: How SAML SSO Works
Let’s walk through a typical SAML-based SSO flow:
1. User requests access. A user attempts to access a service provider's resource (e.g., Google Docs).
2. SP issues an AuthnRequest. The service provider detects that the user is not authenticated and generates a SAML Authentication Request, recording its ID so that the reply can later be matched to it.
3. Redirect to the IdP. The browser is redirected to the Identity Provider with the SAML request (deflated and base64-encoded in the URL under the HTTP Redirect binding).
4. User authenticates with the IdP. The user provides credentials (username, password, MFA) and is verified by the IdP.
5. SAML Response is generated. The IdP creates a signed SAML Response that includes the assertion confirming the user's identity, addressed to this SP and tied to the original request.
6. Response is sent to the SP. The user's browser POSTs the SAML Response to the service provider's ACS (Assertion Consumer Service) endpoint.
7. SP verifies and grants access. The SP verifies the digital signature against the IdP certificate from metadata, checks that the issuer is the expected IdP, that the assertion is addressed to this SP (audience and recipient), that it is within its validity window, that it answers an outstanding request (InResponseTo) and has not been seen before, and only then establishes a session and grants access to the application.
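The exchange above, with both the SP side (steps 2-3 and 7) and a constructed IdP Response (step 5), as an added example; this is illustration code written for this page, not code from the original post or from any SAML library. It uses only the Python standard library, so the XML Signature check is delegated to a caller-supplied function and the sample Response carries no signature; the entity IDs, URLs, user name, group value and the always-true `trust_idp` stand-in are assumptions for the demonstration.

```python
import base64, uuid, zlib
import datetime as dt
import xml.etree.ElementTree as ET  # on untrusted input use defusedxml.ElementTree instead
from urllib.parse import urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Assumed identifiers for this illustration; real values come from the metadata exchange.
SP_ENTITY_ID = "https://sp.example.com/metadata"
ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
IDP_SSO_URL = "https://idp.example.com/sso"

class SamlError(Exception): pass                                      # raised by the SP on any failed check

def saml_time(t): return t.strftime("%Y-%m-%dT%H:%M:%SZ")            # SAML timestamps are UTC xs:dateTime
def new_id(): return "_" + uuid.uuid4().hex                           # xs:ID values must not start with a digit
def parse_time(s):
    if s is None: raise SamlError("missing timestamp")
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def build_authn_redirect(now, outstanding):
    """Steps 2-3: SP builds an AuthnRequest, records its ID, encodes it for the HTTP-Redirect binding."""
    req_id = new_id()
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{req_id}" '
           f'Version="2.0" IssueInstant="{saml_time(now)}" AssertionConsumerServiceURL="{ACS_URL}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(wbits=-15)                                # negative wbits = raw DEFLATE, no header
    deflated = comp.compress(xml.encode()) + comp.flush()
    outstanding.add(req_id)                                           # needed to match InResponseTo later
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

def idp_response(request_id, now, user="alice@example.com", groups=("staff",)):
    """Step 5 (constructed sample): the Response an IdP posts back; a real one carries a <ds:Signature>."""
    exp, iss = saml_time(now + dt.timedelta(minutes=5)), saml_time(now)
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{new_id()}" '
           f'Version="2.0" IssueInstant="{iss}" Destination="{ACS_URL}" InResponseTo="{request_id}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="{new_id()}" Version="2.0" IssueInstant="{iss}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject><saml:NameID>{user}</saml:NameID>'
           f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{request_id}" '
           f'NotOnOrAfter="{exp}"/></saml:SubjectConfirmation></saml:Subject>'
           f'<saml:Conditions NotBefore="{iss}" NotOnOrAfter="{exp}"><saml:AudienceRestriction>'
           f'<saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement><saml:Attribute Name="groups">'
           + "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
           + "</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()                   # HTTP-POST binding: base64 in a form field

def sp_consume(response_b64, outstanding, seen, signature_ok, now, skew=dt.timedelta(minutes=3)):
    """Step 7: the ACS checks besides the XML Signature itself, which is delegated to signature_ok(assertion):
    in production an XML-DSig library verifying against the IdP certificate from metadata, never one from the message."""
    root = ET.fromstring(base64.b64decode(response_b64))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if root.tag != f"{{{NS['samlp']}}}Response" or code is None or code.get("Value") != SUCCESS:
        raise SamlError("not a successful samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1 or root.find("saml:EncryptedAssertion", NS) is not None:
        raise SamlError("expected exactly one plain assertion")     # extra assertions are how signature wrapping works
    a = assertions[0]
    if not signature_ok(a) or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlError("assertion not signed and issued by the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None: raise SamlError("missing Conditions")
    if now + skew < parse_time(cond.get("NotBefore")) or now - skew >= parse_time(cond.get("NotOnOrAfter")):
        raise SamlError("assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlError("assertion not addressed to this SP")
    if a.get("ID") in seen:
        raise SamlError("assertion replayed")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        raise SamlError("bearer confirmation not bound to our ACS")
    if scd.get("InResponseTo") not in outstanding:
        raise SamlError("response does not match an outstanding AuthnRequest")
    outstanding.discard(scd.get("InResponseTo"))
    seen.add(a.get("ID"))                                             # keep at least until NotOnOrAfter in real code
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), attrs

def demo():
    now = dt.datetime(2024, 1, 1, 12, 0, tzinfo=dt.timezone.utc)
    outstanding, seen = set(), set()
    url = build_authn_redirect(now, outstanding)
    resp = idp_response(next(iter(outstanding)), now + dt.timedelta(seconds=30))
    trust_idp = lambda assertion: True                                # stand-in for a real signature check (assumption)
    name_id, attrs = sp_consume(resp, outstanding, seen, trust_idp, now + dt.timedelta(seconds=40))
    results = {"sso_url": url.split("?")[0], "name_id": name_id, "groups": attrs["groups"]}
    for label, bad in (("replay", resp), ("unsolicited", idp_response(new_id(), now))):
        try:
            sp_consume(bad, outstanding, seen, trust_idp, now + dt.timedelta(seconds=40))
            results[label] = "accepted"
        except SamlError as e:
            results[label] = str(e)
    return results
```

`demo()` runs the full round trip once and then replays the same Response and submits one that answers no outstanding request; both are rejected, which is the behaviour a real ACS needs even when the signature on them is perfectly valid. In a deployment the `signature_ok` slot is filled by an XML-DSig implementation (python3-saml or signxml, for instance) verifying against the certificate from the IdP's metadata, and the element it verifies must be the same `assertions[0]` that the rest of the checks and the session creation use.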
🧵 **Follow the series:** #AnyaInCyberSecurity | #CISSP | #IAM | #WomenInTech #AccessControls #CyberSecurity #InfoSec #SecurityLeadership #WomenInCyberforce #FromDevToDefender #TechLeadership #DevSecOps #CISSPDomains
