What is SAML authentication? How does it work?

Enterprises that run many business applications struggle to keep data confidential and to grant access according to user roles consistently across their infrastructure. SAML (Security Assertion Markup Language) is a great aid on this front.

Let’s see what it is, how it works, what its advantages are, how it differs from SSO, what makes it similar to SSO, and how it helps verify API access to reach a high level of security.

SAML — A Quick Overview

A few key things to know about SAML:

  • It uses XML to carry messages between identity providers (IdPs) and service providers (SPs), so the two sides can communicate reliably.
  • The SAML authentication process confirms the end-user’s identity, while SAML authorization defines which resources the user may access.
  • It lets SPs, IdPs, and end-users verify that the user is eligible for what it is requesting.
  • It is an OASIS standard.
  • It ensures the secure exchange of identity information.
  • It supports SSO. Enabling it, however, requires connecting to an external IdP and exchanging XML tokens with it.

A Quick Glimpse of Single Sign-on (SSO)

Because one authentication unlocks every connected application, SSO makes app access faster, simpler, and auditable. It is a key part of the IAM strategy of businesses seeking frictionless access validation and stronger security controls.

With SSO enabled, one can enjoy:

  • Strong passwords: there is no need to create multiple, similar passwords, so one tough and complex password per user is enough.
  • Users do not have to memorize various passwords.
  • Easy MFA deployment: enabling multi-factor verification at one point secures many applications.
  • Quick enforcement of password re-entry policies, as administrators have a single point where the policy is applied.
  • Simpler internal credential management, because the SSO system stores user passwords internally and gives the IT team more control over the credential store.
  • Instant password recovery, as the IT team only has to recover one password per user.

SAML Authentication — The Step-by-Step Process

  1. First of all, the identity service hands over the user’s login input to the SP. For SAML parameters to flow seamlessly to the SPs, every end-user must log in via SSO once.
  2. Next, the SP contacts the IdP, asking it to vouch for the request. This step also requires consenting to the SAML SSO configuration, which ensures that the same SAML settings are used for checking the identity and authorizing the user/request.


SAML — The Advantages

  1. It couples to directories loosely, which means there is no need to store or sync user data in local directories.
  2. Because it supports SSO, end-users get a smooth experience when accessing applications.
  3. SAML lets businesses reuse the same integration for registration and sign-in while keeping the same level of security, which trims account-management cost.
  4. When SAML is at work, the burden of maintaining user identities shifts to the IdP, freeing service providers from registration and sign-in hassles.

What is a SAML Assertion?

Its three types of assertions are:

Authentication assertions validate the user’s identity and record the technique used and session-duration details.

Attribute assertions carry the user attributes in the SAML token passed to the SP; the IdP and the SP directory use the same attributes to confirm the trustworthiness of the requester.

Finally, an authorization-decision assertion states whether or not the user is granted the access he requested; if access is denied, the detailed reason is also provided.

SAML Example

Let’s consider an end-user, named John, who tries to access a business application (Zoho CRM, a SaaS tool) for official purposes.

  • John starts a session with SSO and completes the identity verification part of the procedure.
  • Zoho CRM asks the IdP to share the user details for confirmation.
  • The SaaS tool uses the fetched results to complete the authorization step.
  • The IdP replies to this request in SAML format, carrying a digital signature. Depending on how the identification details provided by John match the IdP’s records, the reply may carry other details as well.
  • The SaaS tool receives the response and grants or denies access, as instructed by the IdP.
  • If access is permitted, John can use his Zoho account.
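The step-by-step flow, the three assertion types, and John's walk-through all end at the same point: the SP receives a SAML Response and must decide whether to trust it. The following is an added example (not code from the original article or from Wallarm) that builds a constructed, unsigned SAML 2.0 Response for user "john" containing an authentication, an attribute, and an authorization-decision statement, and then runs the checks an SP should perform before granting access: destination, InResponseTo, status, issuer, validity window, audience and the IdP's decision. The entity ids, ACS URL and request id (EXPECTED_IDP, EXPECTED_ACS, OUTSTANDING_REQUEST_IDS) are assumptions; a real SP verifies the IdP's XML signature (for example with an xmlsec-based library) before any of these checks are trusted.

```python
"""SP-side validation of a SAML Response, as in the flow above.

Added example, not code from the original article or from Wallarm. The XML is a
constructed, unsigned SAML 2.0 Response for user 'john' carrying all three
statement types; a real SP verifies the IdP's XML signature (e.g. with xmlsec)
before trusting any of these checks. EXPECTED_* and the request id are assumed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
FMT = "%Y-%m-%dT%H:%M:%SZ"

EXPECTED_IDP = "https://idp.example.test/metadata"   # assumption: trusted IdP entity id
EXPECTED_ACS = "https://crm.example.test/saml/acs"   # assumption: this SP's ACS URL
OUTSTANDING_REQUEST_IDS = {"_req-42"}                # assumption: AuthnRequest ids we sent
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def build_sample_response(now, request_id="_req-42", status=SUCCESS, audience=EXPECTED_ACS):
    """Constructed IdP reply: authentication, attribute and authz-decision statements."""
    issued = now.strftime(FMT)
    not_before = (now - timedelta(minutes=1)).strftime(FMT)
    not_after = (now + timedelta(minutes=5)).strftime(FMT)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp-1" Version="2.0" IssueInstant="{issued}"
    Destination="{EXPECTED_ACS}" InResponseTo="{request_id}">
  <saml:Issuer>{EXPECTED_IDP}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion ID="_a-1" Version="2.0" IssueInstant="{issued}">
    <saml:Issuer>{EXPECTED_IDP}</saml:Issuer>
    <saml:Subject><saml:NameID>john</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{issued}" SessionIndex="_s-1"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="role"><saml:AttributeValue>sales</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
    <saml:AuthzDecisionStatement Resource="{EXPECTED_ACS}" Decision="Permit">
      <saml:Action>read</saml:Action>
    </saml:AuthzDecisionStatement>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(xml_text, now):
    """Return (ok, reason, attributes); the first failing check stops processing."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, "root element is not samlp:Response", {}
    if root.get("Destination") != EXPECTED_ACS:
        return False, "Destination is not our ACS URL", {}
    if root.get("InResponseTo") not in OUTSTANDING_REQUEST_IDS:
        return False, "InResponseTo does not match a request we sent", {}
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "IdP did not return Success", {}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != EXPECTED_IDP:
        return False, "assertion missing or issued by an unexpected IdP", {}
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "assertion carries no Conditions", {}
    not_before = datetime.strptime(cond.get("NotBefore"), FMT).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), FMT).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_after):
        return False, "assertion outside its validity window", {}
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_ACS not in audiences:
        return False, "assertion not addressed to this SP", {}
    # Attribute statement: the values the SP will use for its own authorization.
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    decision = assertion.find("saml:AuthzDecisionStatement", NS)
    if decision is not None and decision.get("Decision") != "Permit":
        return False, "IdP decision was " + decision.get("Decision"), attrs
    attrs["subject"] = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return True, "ok", attrs


def check(skew_minutes=0, **overrides):
    """Build the sample response at SAMPLE_NOW and validate it skew_minutes later."""
    xml_text = build_sample_response(SAMPLE_NOW, **overrides)
    return validate_response(xml_text, SAMPLE_NOW + timedelta(minutes=skew_minutes))


if __name__ == "__main__":
    print(check())                         # accepted: (True, 'ok', {'role': 'sales', 'subject': 'john'})
    print(check(request_id="_req-999"))    # rejected: not a reply to a request we sent
    print(check(skew_minutes=10))          # rejected: assertion has expired
```

The order of the checks is deliberate: cheap structural checks (root element, Destination, InResponseTo) run before anything in the assertion is looked at, and the attribute values are only collected once the assertion has been tied to this SP and to the current time window, so a response that is valid for some other SP, or that was recorded earlier and replayed, never reaches the authorization step.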


SAML vs OAuth 2.0


What they have in common:

  • Both are required to promote secure application interoperability.
  • Both support easy access management and fast integration.

Where they differ:

  • OAuth 2.0 focuses on authorization, while SAML prioritizes authentication.
  • SAML is XML-based, while OAuth 2.0 uses JSON.
  • SAML maintains session data through cookies, while OAuth 2.0 relies on API calls for this.

API authentication with SAML

  • SAML can prepare an authentication request for API-based authentication.
  • A SAML message can also support an SSO process that the IdP initiates on its own.

In every case, the SAML request message must be an encoded XML document whose root element is <Response>.

The request body must carry content, ids, and realm; the first two are mandatory and the last one is optional.

The SAML response includes access_token (a SAML token granting or denying access), username, expires_in, refresh_token, and realm.
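The "encoded XML document with a <Response> root" that the API section calls for is produced with one of the two standard SAML 2.0 bindings: HTTP-POST carries the XML base64-encoded in a form field, and HTTP-Redirect carries it DEFLATE-compressed, base64-encoded and URL-encoded in a query parameter. The following added example (not code from the original article or from Wallarm) implements both encodings and the receiving side's decoding, including the two checks a receiver should run before parsing further: a cap on the decoded size (MAX_DECODED, an assumed value, so a small compressed payload cannot expand without limit) and a check that the root element really is samlp:Response. It assumes the page's content field carries the base64 (HTTP-POST) form; SAMPLE_RESPONSE is a constructed, unsigned message.

```python
"""Encoding and decoding a SAML <Response> for transport in an HTTP request.

Added example, not code from the original article or from Wallarm. Shows the
SAML 2.0 HTTP-POST binding (base64) and HTTP-Redirect binding (raw DEFLATE,
base64, URL-encoding) plus the receiver-side checks. SAMPLE_RESPONSE is a
constructed, unsigned message; MAX_DECODED is an assumed size limit.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_DECODED = 256 * 1024  # assumption: cap on decoded bytes to blunt deflate bombs

SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp-1" Version="2.0">'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</samlp:Status></samlp:Response>'
)


def encode_post(xml_text: str) -> str:
    """HTTP-POST binding: the XML is base64-encoded and sent as a form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def _check_root(xml_bytes: bytes) -> str:
    """Reject oversized documents and anything whose root is not samlp:Response."""
    if len(xml_bytes) > MAX_DECODED:
        raise ValueError("decoded SAML message exceeds size limit")
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError(f"expected samlp:Response root, got {root.tag}")
    return xml_bytes.decode("utf-8")


def decode_post(field: str) -> str:
    """Receiver side of HTTP-POST; validate=True rejects non-base64 characters."""
    return _check_root(base64.b64decode(field, validate=True))


def decode_redirect(param: str) -> str:
    """Receiver side of HTTP-Redirect; max_length bounds the inflated output."""
    raw = base64.b64decode(urllib.parse.unquote(param), validate=True)
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(raw, MAX_DECODED + 1)
    return _check_root(xml_bytes)


if __name__ == "__main__":
    post_field = encode_post(SAMPLE_RESPONSE)        # what the content field would carry
    redirect_param = encode_redirect(SAMPLE_RESPONSE)
    print(len(post_field), len(redirect_param))
    print(decode_post(post_field) == SAMPLE_RESPONSE)
    print(decode_redirect(redirect_param) == SAMPLE_RESPONSE)
```

Decoding and root-element checking happen before any signature or assertion logic, so a malformed or oversized message is dropped at the cheapest point; the standard library parser used here does not resolve external entities, but a production receiver should still parse SAML with a hardened XML library and only then verify the signature.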

The Final Word

Originally published at https://www.wallarm.com.



Ivan Novikov

CEO at Wallarm. Application security platform to prevent threats and discover vulnerabilities in real time.