How SAML Works

Security Assertion Markup Language (SAML) is an open standard that lets different parties, such as a website and a login service, exchange information about who you are and what you’re allowed to do. It is an XML-based language for making security statements, and the party receiving those statements uses them to decide whether you can access something. An important use case that SAML addresses is web-browser single sign-on (SSO). Before there was an agreed open standard for exchanging identity information between services, non-interoperable proprietary technologies proliferated.

How does SAML work?

Let’s start with the parties involved. There are three parties in a SAML authentication process:

  • Subject: You, the user who wants to prove to an online service that you are the individual you claim to be. Your identity is usually represented by a unique identifier such as a username or email.
  • Service Provider (SP): The website or application you want to log in to.
  • Identity Provider (IdP): A service that holds the information required to authenticate the subject, such as your username and password.

How do these parties interact with each other to fulfill the authentication process?

Auth0 provides a clear and concise explanation of the SAML authentication process that I am including here as-is:

Say, Auth0 is our identity provider (IdP), and a fictional service, Zagadat, is our service provider. The SAML authentication steps play out as follows:

  1. The user tries to log in to Zagadat from a browser.
  2. Zagadat responds by generating a SAML request.
  3. The browser redirects the user to an SSO URL, Auth0.
  4. Auth0 parses the SAML request and authenticates the user.
  5. Once the user is authenticated, Auth0 generates a SAML response.
  6. Auth0 returns the encoded SAML response to the browser.
  7. The browser sends the SAML response to Zagadat for verification.
  8. If the verification is successful, the user will be logged in to Zagadat.
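To make steps 2 to 4 concrete, the following added example (not code from Auth0 or from the original article) builds a minimal AuthnRequest on the SP side, encodes it for the SAML HTTP-Redirect binding, and decodes it on the IdP side. The endpoints under `zagadat.example` and `idp.example`, the function names and the registered-SP table are assumptions made for illustration; request signing is left out.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed placeholder endpoints (assumptions, not real deployments).
SP_ENTITY_ID = "https://zagadat.example/saml/metadata"
SP_ACS_URL = "https://zagadat.example/saml/acs"
IDP_SSO_URL = "https://idp.example/saml/sso"
REGISTERED_SPS = {SP_ENTITY_ID: SP_ACS_URL}  # the IdP's table of known SPs


def build_redirect_url(relay_state):
    """SP, step 2: build an AuthnRequest and encode it for the redirect."""
    request_id = "_" + uuid.uuid4().hex  # SP keeps this to match the response
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": SP_ACS_URL,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode.
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(ET.tostring(req)) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return request_id, f"{IDP_SSO_URL}?{query}"


def parse_redirect_url(url):
    """IdP, step 4: decode the request; reject unknown SPs or ACS URLs."""
    params = parse_qs(urlparse(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    inflater = zlib.decompressobj(wbits=-15)
    xml = inflater.decompress(raw, 64 * 1024)  # cap the inflated size
    if inflater.unconsumed_tail:
        raise ValueError("AuthnRequest exceeds size cap")
    # Production code should parse untrusted XML with a hardened parser.
    root = ET.fromstring(xml)
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    acs_url = root.get("AssertionConsumerServiceURL")
    if REGISTERED_SPS.get(issuer) != acs_url:
        raise ValueError("unknown issuer or unregistered ACS URL")
    return {"id": root.get("ID"), "issuer": issuer, "acs_url": acs_url,
            "relay_state": params["RelayState"][0]}
```

The request ID returned by `build_redirect_url` is what the SP later compares against the `InResponseTo` value of the SAML response in step 7, alongside signature validation done by a vetted SAML library.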

From a sequence diagram perspective, this is what the process looks like:

Source: https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language