SAML (Security Assertion Markup Language)
Discover how SAML enables secure single sign-on (SSO) and identity federation across enterprise applications and organizations.
What is SAML?
Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between parties. It enables secure single sign-on (SSO) and identity federation, allowing users to access multiple applications with a single login.
How SAML Works
SAML defines three primary roles:
- Principal (User) - The entity requesting access
- Identity Provider (IdP) - The system that authenticates users
- Service Provider (SP) - The application the user wants to access
The SAML Flow
- User requests access to a service provider
- SP redirects to IdP with an authentication request
- User authenticates at the IdP
- IdP returns a SAML assertion to the SP
- SP validates the assertion and grants access
Key Components
SAML Assertion
An XML document containing user authentication and attribute information, signed by the IdP to ensure integrity.
SAML Protocol Messages
- AuthnRequest: Sent by SP to IdP to request authentication
- Response: Contains the SAML assertion from IdP to SP
SAML Bindings
Define how SAML messages are transported:
- HTTP Redirect: Uses URL parameters
- HTTP POST: Uses form submission
Security Considerations
Common Attacks
- XML Signature Wrapping: The XML is rearranged so that the SP verifies the signature over one element but reads identity data from a different, unsigned element
- Man-in-the-Middle: An attacker on the network path intercepts or tampers with SAML messages in transit
- Replay Attacks: A previously captured, still-valid SAML assertion is presented to the SP again
Best Practices
- Use strong cryptography (SHA-256 or stronger)
- Always use HTTPS and TLS 1.2+
- Use short-lived assertions (e.g., 5 minutes)
- Implement proper validation of issuer and audience
