What is SAML authentication ❓ How does it work ❓

SAML — A Quick Overview

  • It uses XML to carry the standard exchange between identity providers (IdPs) and service providers (SPs) so they can communicate reliably.
  • SAML authentication confirms the end-user’s identity, while SAML authorization defines which resources the user may access.
  • It lets SPs, IdPs and end-users check whether a user is entitled to what they are requesting.
  • It is an OASIS standard.
  • It ensures the secure exchange of identity information.
  • It supports SSO. This requires connecting to an external IdP and exchanging XML tokens with it.

A Quick Glimpse of Single Sign-on (SSO)

  • Stronger passwords: there is no need to create multiple similar passwords, so one strong, complex password per user is enough.
  • Users do not have to memorize many different passwords.
  • Easy MFA deployment: enabling multi-factor verification at one point secures many applications.
  • Quick enforcement of password re-entry policies, since administrators have a single point where the policy is enforced.
  • Seamless internal credential management, because the SSO system stores user passwords centrally and gives the IT team more control over the database.
  • Faster password recovery, since the IT team only has to recover one password.

SAML Authentication — The Step-by-Step Process

  1. First, the identity service passes the user’s login input to the SP. For SAML parameters to flow seamlessly to the SPs, every end-user has to log in via SSO once.
  2. Next, the SP contacts the IdP to check whether the request is legitimate. This step also requires consenting to the SAML SSO configuration, which ensures the same SAML settings are used for verifying the identity and authorizing the user/request.


  1. Being a standard format, it gives businesses an open approach that does not depend on platform compatibility or vendor implementations.
  2. It couples loosely with directories, which means there is no need to store or synchronize user data in local directories.
  3. Because it supports SSO, end-users get a smooth experience when accessing applications.
  4. SAML lets businesses reuse registration/sign-in integrations while keeping the same level of security, which cuts account management costs.
  5. With SAML, the burden of maintaining user identities shifts to the IdP, freeing service providers from registration and sign-in hassles.

What is SAML Assertion?

SAML Example

  • John begins a session with SSO and completes the identity verification part of the procedure.
  • Zoho CRM asks the IdP to share the user’s details for confirmation.
  • The SaaS tool uses the returned results to complete the authorization step.
  • The IdP replies to this request in SAML format. The reply is digitally signed and carries John’s identity details; depending on how the details John provided match what the IdP holds, the reply may include other attributes as well.
  • The SaaS tool receives the response and grants or denies access, as instructed by the IdP.
  • If access is permitted, John can use his Zoho account.
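As an added example (not from the original article), the checks a service provider such as the CRM in the story above should run on the IdP’s SAML response before trusting the subject: destination, request correlation, issuer, validity window and audience. The hosts, request id and the response itself are constructed, and signature verification is represented only by a presence check.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP response; idp.example.com and crm.example.com are hypothetical hosts.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://crm.example.com/saml/acs" InResponseTo="_req42">
 <saml:Issuer>https://idp.example.com</saml:Issuer>
 <saml:Assertion>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  <saml:Subject><saml:NameID>john@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T09:00:00Z" NotOnOrAfter="2024-01-01T09:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://crm.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # SAML timestamps are UTC

def validate_response(xml_text, issuer, audience, acs_url, request_id, now):
    """SP-side checks on an IdP response. Returns (subject, problems); subject is None on any failure."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        problems.append("Destination is not our ACS URL")
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the request we issued")
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        problems.append("Issuer is not the IdP we trust")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, problems + ["no Assertion in response"]
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is unsigned")  # a real SP verifies the XML-DSig here, not just its presence
    cond = assertion.find("saml:Conditions", NS)
    window = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if None in window or not (_ts(window[0]) <= _ts(now) < _ts(window[1])):
        problems.append("assertion is outside its validity window (or has none)")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        problems.append("assertion was issued for a different audience")
    subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if subject is None:
        problems.append("no Subject NameID")
    return (subject if not problems else None), problems
```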


SAML vs OAuth 2.0

  • Both exist to enable secure application interoperability.
  • Both support easy access management and fast integration.
  • OAuth 2.0 focuses on authorization, while SAML prioritizes authentication.
  • SAML is XML based, while OAuth 2.0 uses JSON.
  • SAML maintains session data through cookies, while OAuth 2.0 uses API calls for this.

API authentication with SAML

  • SAML prepares an authentication request that an API can use for API authentication.
  • SAML messages can also support an SSO flow that is initiated by the IdP.

The Final Word




CEO at Wallarm. Application security platform to prevent threats and discover vulnerabilities in a real-time.

Ivan Novikov