What is SAML authentication ❓ How does it work ❓

SAML — A Quick Overview

  • It uses XML for the messages that identity providers (IdPs) and service providers (SPs) exchange, so the two sides can communicate reliably.
  • SAML authentication confirms the end user's identity, while SAML authorization (the attributes carried in the assertion) tells the SP which resources the user should be allowed to access.
  • It gives SPs, IdPs and end users a common way to establish that the user is entitled to what is being requested.
  • It's an OASIS standard.
  • It protects the exchanged information: assertions are digitally signed by the IdP and can additionally be encrypted.
  • It supports SSO. However, that requires connecting to an external IdP and exchanging XML tokens (SAML assertions) with it.

A Quick Glimpse of Single Sign-on (SSO)

  • Stronger passwords, as there is no need to create multiple, similar passwords. One long, complex password per user is enough.
  • Users do not have to memorize various passwords.
  • Easier MFA deployment: enabling it at the single sign-in point protects every application behind it.
  • Quick password-policy enforcement (complexity, rotation), as administrators have a single place where the policy has to be enforced.
  • Simpler credential management, because credentials live in one place (the IdP) rather than in every application, which gives the IT team more control over them.
  • Faster recovery for locked-out users, as the IT team only has to reset one password.

SAML Authentication — The Step-by-Step Process

  1. The user tries to reach a protected resource at the SP. The SP does not check credentials itself; it redirects the browser to the IdP with a SAML authentication request. The user signs in at the IdP once (the SSO login), after which the IdP can answer further SPs' requests without prompting again.
  2. The IdP authenticates the user and sends the browser back to the SP with a signed SAML response containing an assertion. The SP verifies the signature against the IdP certificate that was exchanged when SAML SSO was configured (the trust relationship between the two). Because the same configuration governs both sides, the settings used to check the identity are also the settings that determine which attributes the SP uses to authorize the user.
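The two steps above in working form, as an added example that is not part of the original article: the SP builds the authentication request, encodes it for the SAML HTTP-Redirect binding and sends the browser to the IdP; the IdP decodes it and checks it against the SPs it trusts. The entity IDs and URLs (sp.example.com, idp.example.org) and the `IDP_TRUSTED_SPS` table are assumptions made for the example; only the Python standard library is used.

```python
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Hypothetical SP and IdP endpoints (assumptions for this example, not real deployments).
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.org/sso/redirect"

# What the IdP knows about this SP from the trust configuration exchanged out of band
# (metadata import). Only ACS URLs registered here may ever receive a Response.
IDP_TRUSTED_SPS = {SP_ENTITY_ID: {SP_ACS_URL}}


def new_request_id() -> str:
    """Unpredictable request ID. SAML IDs are xs:ID values, which may not start with a digit."""
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id: str, issue_instant: str) -> str:
    """SP side, step 1: the AuthnRequest the SP sends the browser off to the IdP with."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        # Ask the IdP to return the Response via HTTP-POST to our ACS URL.
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": SP_ACS_URL,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "AllowCreate": "true",
    })
    return ET.tostring(root, encoding="unicode")


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def redirect_url(xml_text: str, relay_state: str) -> str:
    """The URL the SP redirects the browser to. RelayState carries where to land afterwards."""
    query = urllib.parse.urlencode({"SAMLRequest": encode_redirect(xml_text),
                                    "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def decode_redirect(url: str) -> dict:
    """IdP side: unpack the request and refuse anything the trust configuration does not cover.

    The document parsed here came through the user's browser and is untrusted; in production
    parse it with a hardened XML parser (e.g. defusedxml) rather than plain ElementTree.
    """
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    root = ET.fromstring(raw)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    acs_url = root.get("AssertionConsumerServiceURL")
    if issuer not in IDP_TRUSTED_SPS:
        raise ValueError(f"unknown SP issuer {issuer!r}")
    # The ACS URL in the request is attacker-influenceable. The IdP must only ever send the
    # signed Response to an address registered for this SP, never to whatever the request says.
    if acs_url is not None and acs_url not in IDP_TRUSTED_SPS[issuer]:
        raise ValueError(f"ACS URL {acs_url!r} is not registered for {issuer!r}")
    return {"id": root.get("ID"), "issuer": issuer, "acs_url": acs_url,
            "relay_state": params.get("RelayState", [None])[0]}


if __name__ == "__main__":
    rid = new_request_id()  # the SP keeps this in the session to match InResponseTo later
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    url = redirect_url(build_authn_request(rid, now), "/dashboard")
    print(url)
    print(decode_redirect(url))
```

The ID returned by `new_request_id()` is what the SP stores in the user's session so the `InResponseTo` of the IdP's Response can be matched against it later. The IdP-side check on the ACS URL is there because that field travels through the user's browser; sending the Response to whatever address the request names would let an attacker collect a valid assertion for a real user.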


Benefits of SAML

  1. Being an open standard, it gives businesses an approach that does not depend on one platform or one vendor's implementation.
  2. It couples to directories loosely: the SP does not need to store or sync user data into a local directory of its own.
  3. Because it supports SSO, end users get a smooth experience when accessing applications.
  4. SAML lets businesses reuse one integration for registration and sign-in across applications while keeping the same level of security, which trims account-management cost.
  5. The burden of maintaining user identities shifts to the IdP. This frees service providers from registration and sign-in related hassles.

What is a SAML Assertion?

A SAML assertion is the XML statement the IdP issues about a user and returns to the SP inside a SAML Response. It names the Subject (who was authenticated), states how and when authentication happened, may carry an AttributeStatement with attributes such as email address or group membership, and sets Conditions: a validity window (NotBefore / NotOnOrAfter) and the Audience it is intended for. The IdP digitally signs the assertion so the SP can verify that it is genuine and unmodified.

SAML Example

  • John opens Zoho CRM (the SP). Zoho does not hold his credentials, so it redirects his browser to the IdP with a SAML authentication request.
  • John signs in at the IdP (the SSO step) and completes identity verification there.
  • The IdP answers with a SAML Response containing an assertion about John. The assertion carries the IdP's digital signature (not John's). Depending on what the IdP is configured to release to this SP, it may also carry additional attributes, such as John's email address or group memberships.
  • Zoho CRM receives the response, verifies the signature against the IdP certificate it trusts, checks the assertion's validity window and audience, and uses the attributes to decide what John is authorized to do.
  • Based on that, the SaaS tool grants or denies access.
  • If access is permitted, John is allowed to use his Zoho account.
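The checks that Zoho CRM stands in for in the example above, as an added example (not code from the article or from Zoho): a service provider receiving the IdP's Response must, after the XML signature has been verified with a SAML library (not implemented here), confirm the status, destination, issuer, time window, audience, request correlation and single use before trusting the assertion. The sample Response, the SP and IdP identifiers and the `CLOCK_SKEW` value are constructed for this example; only the Python standard library is used.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical SP configuration (assumptions for this example).
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.org/idp"
CLOCK_SKEW = timedelta(minutes=3)  # tolerance for IdP/SP clock drift


class SamlError(ValueError):
    """Raised when the Response fails a check; the SP must deny access."""


def parse_instant(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, now, outstanding_request_ids, seen_assertion_ids):
    """Checks an SP must make before trusting an already signature-verified Response.
    outstanding_request_ids: IDs of AuthnRequests this SP issued and has not yet consumed.
    seen_assertion_ids: IDs of assertions already accepted, used to refuse replays."""
    root = ET.fromstring(xml_text)  # untrusted input: use a hardened parser in production
    if root.tag != f"{{{SAMLP}}}Response":
        raise SamlError("not a samlp:Response")
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise SamlError("IdP did not report success")
    if root.get("Destination") != SP_ACS_URL:
        raise SamlError("Response was addressed to a different ACS URL")
    # Signature-wrapping attacks smuggle a second, unsigned assertion next to the signed one.
    # Only consume the element the signature covered; refusing documents with more than one
    # Assertion is a cheap additional guard.
    assertions = root.findall(f".//{{{SAML}}}Assertion")
    if len(assertions) != 1:
        raise SamlError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    if assertion.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
        raise SamlError("assertion issued by an IdP we do not trust")
    assertion_id = assertion.get("ID")
    if assertion_id in seen_assertion_ids:
        raise SamlError("assertion replayed")
    in_response_to = root.get("InResponseTo")
    if in_response_to not in outstanding_request_ids:
        raise SamlError("Response does not answer a request we issued")
    conditions = assertion.find(f"{{{SAML}}}Conditions")
    if conditions is None:
        raise SamlError("assertion has no Conditions")
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before and now + CLOCK_SKEW < parse_instant(not_before):
        raise SamlError("assertion not yet valid")
    if not_on_or_after and now - CLOCK_SKEW >= parse_instant(not_on_or_after):
        raise SamlError("assertion expired")
    audiences = [e.text for e in conditions.findall(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")]
    if SP_ENTITY_ID not in audiences:
        raise SamlError("assertion was meant for a different SP")
    subject = assertion.find(f"{{{SAML}}}Subject")
    scd = None if subject is None else subject.find(
        f"{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != in_response_to:
        raise SamlError("bearer confirmation does not match this SP and request")
    attributes = {}
    for attr in assertion.findall(f"{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute"):
        attributes[attr.get("Name")] = [v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")]
    # Both IDs are single-use: consume the request, remember the assertion.
    outstanding_request_ids.discard(in_response_to)
    seen_assertion_ids.add(assertion_id)
    return {"name_id": subject.findtext(f"{{{SAML}}}NameID"), "attributes": attributes}


# Constructed sample Response about John, as an IdP would return it. The ds:Signature element
# is omitted because signature verification happens before validate_response() is called.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T12:00:00Z" Destination="{SP_ACS_URL}" InResponseTo="_req1">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>john@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="_req1"
          NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-05-01T11:59:30Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"><saml:AttributeValue>crm-users</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, parse_instant("2024-05-01T12:01:00Z"), {"_req1"}, set()))
```

The order of the checks matters less than their completeness: a Response that is correctly signed but expired, addressed to another SP, answering a request this SP never made, or already accepted once must all be refused. The `seen_assertion_ids` set stands in for whatever store (cache, database) the SP uses to remember accepted assertion IDs for at least the assertion's lifetime.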


SAML vs OAuth 2.0

  • Both exist to make secure application interoperability possible.
  • Both support straightforward access management and fast integration.
  • OAuth 2.0 is an authorization framework (delegated access to resources), while SAML's main job is authentication; authentication on top of OAuth 2.0 is what OpenID Connect adds.
  • SAML is XML-based, while OAuth 2.0 uses JSON for its token responses.
  • With SAML the SP establishes a browser session (a cookie) once the assertion is accepted; with OAuth 2.0 the client holds a bearer access token and presents it on each API call.

API authentication with SAML

  • SAML was designed around browser redirects, so it is a poor fit for authenticating API calls directly. The usual pattern is to have the SP (or an API gateway) prepare the SAML authentication request programmatically and, once a valid assertion is in hand, exchange it for an API token; the SAML 2.0 bearer assertion grant for OAuth 2.0 (RFC 7522) is the standardized way to do that.
  • SAML also supports IdP-initiated SSO, where the IdP sends an unsolicited SAML Response to the SP's assertion consumer URL without a preceding request from the SP. The SP must still validate such a response fully; because no request was issued, there is no request ID to correlate it with, which is one reason many deployments prefer SP-initiated SSO.

The Final Word




Ivan Novikov, CEO at Wallarm. Application security platform to prevent threats and discover vulnerabilities in real time.
