Security Assertion Markup Language (SAML)

SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). It is often compared with LDAP because both are used to give users single sign-on (SSO), although LDAP is a directory access protocol that applications query directly, whereas SAML hands signed assertions to the application through the user's browser.

LDAP is the traditional configuration for on-premise operation in organizations. The setup can be complex, administrators need to complete significant work upfront, and Active Directory (AD) is notoriously hard to integrate into the cloud. On the other hand, LDAP gives the organization a greater level of control over authentication and authorization because of its tighter integration with the domain controller. It is prevalent in on-premise enterprise infrastructure and integrates well with OpenVPN, Jenkins, Docker, Kubernetes, etc.

SAML, on the other hand, was created in the early 2000s with the exclusive purpose of federating identities to web applications. The protocol assumes an IdP already exists in the organization; it does not intend to replace the IdP but rather uses it to assert the validity of a user's identity. This timed assertion (a declaration that the user's identity is valid for a period of time, bounded by the NotBefore and NotOnOrAfter conditions inside the assertion) is delivered to the service provider via a signed XML exchange.

The benefit of SAML is that an on-premise identity, typically stored in Active Directory (AD), can be extended to authenticate its users against web applications. ISVs (independent software vendors) can build web applications that integrate with an on-premise AD to achieve SSO. In this case AD acts as the IdP through its federation service, Active Directory Federation Services (AD FS). Examples of web applications that support SAML integration include Confluence, Zendesk, Slack, Bomgar, etc. In the configuration you typically need to specify which IdP is used (e.g. Microsoft AD FS, Okta, etc.), its SSO URL, and the IdP signing certificate the application uses to verify the assertions it receives.

At a high level, an SP-initiated SSO process using SAML takes place in the following steps:

  1. User tries to reach the web application (service provider);
  2. Web application redirects the user's browser to the IdP's SSO URL, carrying a SAML AuthnRequest;
  3. User provides credentials at the SSO URL;
  4. IdP authenticates the user;
  5. IdP produces a signed SAML response containing the assertion and returns it to the browser;
  6. Browser posts the SAML response to the service provider's dedicated endpoint (the Assertion Consumer Service, or ACS, URL);
  7. Service provider verifies the signature, the validity window and the audience of the assertion, then permits the user access to the web application.
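The following Python example is added here to make the flow concrete; it is not code from this page, from G Suite, or from any SAML vendor. It models both ends of the exchange above: the SP builds an AuthnRequest (step 2) and remembers its ID, a stand-in for the IdP constructs the base64-encoded SAMLResponse the browser would post (steps 5 and 6), and the SP's assertion consumer checks Status, Destination, InResponseTo, Issuer, the NotBefore/NotOnOrAfter window, the Audience, the bearer SubjectConfirmationData and a replay cache before trusting the NameID (step 7). Entity IDs, URLs, the user "alice@example.com" and the "groups" attribute are all assumed values. Two things a real SP must do are deliberately left out and marked in the code: verifying the XML Signature over the response or assertion (the check that makes everything else meaningful) and parsing with a hardened XML parser such as defusedxml.

```python
import base64
import datetime as dt
import secrets
import xml.etree.ElementTree as ET
# NOTE: a real SP must parse with defusedxml (entity-expansion / XXE safety) and verify
# the ds:Signature over the Response or Assertion BEFORE any check below is trusted.

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical SP / IdP configuration, assumed for this example only.
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
SP_ACS_URL = "https://app.example.com/saml/acs"     # the SP's "dedicated endpoint"
IDP_ENTITY_ID = "https://idp.example.com/saml"
IDP_SSO_URL = "https://idp.example.com/saml/sso"    # the IdP's "SSO URL"
CLOCK_SKEW = dt.timedelta(seconds=60)               # tolerance for IdP/SP clock drift

def iso(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_iso(s):
    return dt.datetime.fromisoformat(s.replace("Z", "+00:00"))

def build_authn_request(now):
    """SP side (steps 1-2): build the AuthnRequest and return its ID so the SP can
    later require InResponseTo to match it (defeats unsolicited/injected responses)."""
    req_id = "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{req_id}" Version="2.0" IssueInstant="{iso(now)}" Destination="{IDP_SSO_URL}" '
           f'AssertionConsumerServiceURL="{SP_ACS_URL}"><saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
           f'</samlp:AuthnRequest>')
    return req_id, xml

def build_response(req_id, now, name_id, lifetime=dt.timedelta(minutes=5), audience=SP_ENTITY_ID):
    """Constructed stand-in for the IdP (steps 4-5): a timed bearer assertion for name_id,
    returned base64-encoded as it would travel in the SAMLResponse form field. Unsigned."""
    exp = now + lifetime
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{iso(now)}" '
           f'Destination="{SP_ACS_URL}" InResponseTo="{req_id}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
           f'<saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{iso(now)}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>'
           f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           f'<saml:SubjectConfirmationData NotOnOrAfter="{iso(exp)}" Recipient="{SP_ACS_URL}" InResponseTo="{req_id}"/>'
           f'</saml:SubjectConfirmation></saml:Subject>'
           f'<saml:Conditions NotBefore="{iso(now)}" NotOnOrAfter="{iso(exp)}">'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
           f'</saml:Conditions>'
           f'<saml:AttributeStatement><saml:Attribute Name="groups">'
           f'<saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

seen_assertion_ids = set()   # replay cache; persist it and expire entries with NotOnOrAfter in a real SP

def consume_response(b64, expected_req_id, now):
    """SP side (steps 6-7): validate the posted SAMLResponse; return the identity or raise ValueError."""
    root = ET.fromstring(base64.b64decode(b64))
    if root.tag != f'{{{NS["samlp"]}}}Response':
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("IdP did not report Success")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination mismatch")            # response aimed at a different ACS
    if root.get("InResponseTo") != expected_req_id:
        raise ValueError("InResponseTo mismatch")           # unsolicited or cross-session response
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")  # reject assertion-smuggling shapes
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("untrusted Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    if not (parse_iso(cond.get("NotBefore")) - CLOCK_SKEW <= now
            < parse_iso(cond.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise ValueError("assertion outside its validity window")   # the "timed" part of the assertion
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not meant for this SP")  # stops reuse of an assertion issued to another SP
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != SP_ACS_URL
            or scd.get("InResponseTo") != expected_req_id
            or now >= parse_iso(scd.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise ValueError("bad SubjectConfirmationData")
    if a.get("ID") in seen_assertion_ids:
        raise ValueError("assertion replayed")
    seen_assertion_ids.add(a.get("ID"))
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}

def rejection_reason(b64, expected_req_id, now):
    """Helper for exercising the negative paths: the ValueError text, or None if accepted."""
    try:
        consume_response(b64, expected_req_id, now)
        return None
    except ValueError as e:
        return str(e)

if __name__ == "__main__":
    t0 = dt.datetime(2024, 5, 1, 12, 0, 0, tzinfo=dt.timezone.utc)
    req_id, _ = build_authn_request(t0)
    resp = build_response(req_id, t0, "alice@example.com")
    print(consume_response(resp, req_id, t0 + dt.timedelta(seconds=30)))
    print(rejection_reason(resp, req_id, t0 + dt.timedelta(seconds=31)))          # replayed
    print(rejection_reason(build_response(req_id, t0, "alice@example.com"), req_id,
                           t0 + dt.timedelta(minutes=10)))                          # expired
```

Every check in consume_response corresponds to a way a SAML response can be valid XML, and even validly signed, yet still not belong to this user, this SP, this login attempt, or this moment in time. The order matters less than completeness: an SP that verifies the signature but skips Audience or InResponseTo can be fed a genuine assertion minted for a different application or captured from another session.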

Here is an example of a SAML integration guide from G Suite. The guide outlines how it works and the assertion requirements.

The Wikipedia page for SAML 2.0 provides an example of an assertion message.