Security Assertion Markup Language – or SAML for short – is an open security standard that allows access to multiple web applications using a single login credential. It does this by enabling authorisation data to be sent from an identity provider (IdP) to a service provider (SP), which lets users log into various websites. The result: a much easier login procedure, as only one login needs to be managed per user. As such, SAML is ideal for a Single-Sign-On (SSO) solution and is frequently integrated into identity and access management (IAM) solutions. It also enables enhanced security measures, such as multi-factor authentication. Read here to find out the other advantages SAML offers and what makes it different from Open Authorisation (OAuth) and OpenID Connect.
Where SAML is used and how it works
Security Assertion Markup Language (abbreviated as SAML) allows several computers within a network to share authentication certificates. SAML acts as the framework that allows a device to carry out security functions on behalf of third parties. Both authentication and authorisation play a role here. This means that if SAML is used, checks are automatically performed to ascertain whether the user is authorised to access certain applications and content.
The latest version of SAML is 2.0 – released in 2005 by the OASIS Consortium. It features a few changes compared to the preceding version, SAML 1.1 – meaning that the two versions are no longer compatible with one another. SAML can be used very flexibly because the transfer of information is based on the Extensible Markup Language (XML).
A distinction is made between an identity provider (IdP) and a service provider (SP) during the transfer of identities.
- The IdP is a cloud service that verifies, stores, and confirms the identity and privileges of the user, usually during the login process.
- The SP is the service hosted by the application the user wishes to access – for instance, an application run by the Microsoft Office 365 service. Instead of the user logging in to Microsoft themselves for the various applications, they log in through SSO. SAML thus ensures the user access to all the MS applications.
SSO is also the most frequent scenario in which Security Assertion Markup Language is used. The user logs in once via an identity provider's Single-Sign-On solution. The IdP then passes the login attributes on to the service provider whenever the user wants to log into a system or application. That means the user only needs to log in once, because SAML has been established as the standard for this exchange.
How users authenticate themselves via SAML – an example
First, a user attempts to log into an application that is simultaneously a service provider – such as an email account. The next step involves the application checking whether the user is already authenticated in the system and, if not, initiating the authentication process. The SP determines the appropriate identity provider and forwards the request to its SSO service, which sends the user an authentication request. If the user can be identified successfully, an XHTML document is sent back to the SP with the necessary authentication information in the form of a SAML response parameter, and the SP processes the response. The SP then creates a security context, logs the user in and notifies them where the requested application is located. The application is then available to the user the next time they request it.
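The SP-side processing described above, as an added example that is not from the original article: a Python function that takes the base64-encoded SAML response parameter, decodes the XML and checks the points an SP must verify before creating a security context, namely that the status is Success, the assertion was issued by the expected IdP, it is still inside its NotBefore/NotOnOrAfter window and its audience names this SP. The IdP and SP URLs and the sample response are constructed; verifying the XML signature, which must happen before any of these values are trusted, needs an XML-DSig library and is not shown.

```python
import base64
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_saml_time(value):
    """SAML timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(b64_response, expected_issuer, expected_audience, now=None):
    """SP-side checks on a SAML 2.0 Response (signature assumed already verified).
    Returns (name_id, None) if accepted, else (None, reason)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(b64_response))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        return None, "status is not Success"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, "no Assertion element"
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:          # assertion must come from the IdP we trust
        return None, f"unexpected issuer {issuer!r}"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or None in (cond.get("NotBefore"), cond.get("NotOnOrAfter")):
        return None, "missing validity window"
    if not parse_saml_time(cond.get("NotBefore")) <= now < parse_saml_time(cond.get("NotOnOrAfter")):
        return None, "assertion outside its validity window"
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:  # assertion minted for another SP must not be accepted here
        return None, f"audience {audiences} does not include this SP"
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    return (name_id, None) if name_id else (None, "no NameID in Subject")

# Constructed sample response (hypothetical idp.example.com / sp.example.com), unsigned for brevity.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
```

Calling `check_response(SAMPLE_B64, "https://idp.example.com", "https://sp.example.com")` with a clock inside the window yields the NameID; a wrong audience, a foreign issuer or an expired assertion yields a rejection reason instead.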
Zero-Trust through SAML
Experts recommend that companies use the Zero-Trust security strategy to secure their data. This security concept is based on the principle that no device, user or service inside or outside the company network is trusted. It requires extensive measures to authenticate all users and services and comprehensive network traffic verification.
It's here that SAML can offer a valuable service to IT teams by enabling them to implement Zero-Trust guidelines such as multi-factor authentication (MFA). Even stronger security measures are also possible, for example requiring a password reset when a user logs in from an unknown device or location, since such logins can pose an increased security risk.
How SAML differs from OAuth and OIDC
Although SAML and OAuth are frequently mentioned together, there are fundamental differences. OAuth was developed jointly by Google and Twitter in 2006, making it more recent than SAML. It's also not based on an XML standard but on JavaScript Object Notation (JSON). OAuth is intended to compensate for SAML vulnerabilities on mobile platforms, which is why it's used more for mobile end devices and applications. While SAML was primarily developed for web applications, in practice, it's mostly used for SSO functionalities in companies.
OAuth, by contrast, is chiefly used for online applications. It only covers authorisation, not authentication, whereas SAML covers both.
SAML – a secure and flexible standard
SAML helps companies with a hybrid working environment become more efficient and productive and makes it easier to tackle challenging security issues. Moreover, user login procedures can be greatly simplified – while security measures like MFA can also be implemented.
The underlying XML on which the standard is based makes it flexible to use and able to transmit any type of data. The only requirement is that the document is rendered in XML format.