What is SAML?
SAML stands for Security Assertion Markup Language. It is a markup language that defines a set of protocols to allow users to use a single set of credentials to access a host of applications. SAML 2.0, developed by OASIS, is the most widely used version, powering modern SAML single sign-on (SSO) solutions that allow users to authenticate once and access multiple applications, such as Microsoft 365, Salesforce, and Google Workspace, seamlessly. By reducing the need for multiple credentials, SAML SSO improves both security and the user experience.
What is a SAML provider, and what are their types?
In a SAML SSO flow, a SAML provider is a system that participates in the authentication and SAML authorization process. There are two main types:
- Identity provider (SAML IdP): Authenticates the user and issues SAML tokens (assertions). Examples include ADFS, Okta, and Microsoft Entra ID.
- Service provider (SAML SP): The application or service that consumes the SAML response from the IdP to grant or deny access. Examples include Salesforce, Microsoft 365, and AWS.
This relationship is governed by SAML configuration, which defines how the IdP and SP communicate using the SAML protocol.
At the core of the SAML protocol is the SAML token, which securely carries user identity and authorization details between the IdP and SP.
What is a SAML assertion?
A SAML assertion is a key element of the SAML 2.0 protocol. It acts as a SAML token issued by the SAML IdP, containing information about the user. Assertions typically include:
- Authentication statements: Proof that the user has logged in successfully.
- Attribute statements: User details (e.g., name, email, or role).
- Authorization decision statements: Permissions that define what the user can access.
The SAML response sent back to the SAML SP is essentially a package of these assertions, making them central to any SAML flow.
What is SAML authentication and authorization?
SAML single sign-on is both an authentication and authorization mechanism:
- SAML authentication: The IdP confirms the user’s identity through a SAML flow and sends back a SAML assertion.
- SAML authorization: The SP interprets the SAML response to determine what level of access the user should receive.
By combining both identity verification and permission details, SSO with SAML ensures that access decisions are made securely and efficiently across multiple systems.
How does SAML-based single sign-on work?
A standard SAML flow follows these steps:
- The user attempts to access a SAML SP.
- The SP generates a SAML authentication request and redirects the user to the SAML IdP.
- The IdP authenticates the user, creates a SAML assertion, and sends a SAML response back to the SP via the user’s browser.
- The SP validates the SAML token against its SAML configuration and grants access if valid.
This SSO SAML workflow reduces login friction while enforcing centralized authentication and authorization.
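Step 2 of the flow above (the SP generates an authentication request and redirects the browser to the IdP), shown as an added example that is not part of the original page or of any ManageEngine product. It builds a minimal SAML 2.0 AuthnRequest and encodes it for the HTTP-Redirect binding; the entity ID and endpoint URLs are hypothetical, and the request is left unsigned.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode

# Assumed (hypothetical) endpoints from the SP's SAML configuration.
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/saml/sso"

def build_authn_request(request_id=None, issue_instant=None):
    """Step 2: the SP generates a minimal SAML 2.0 AuthnRequest.
    The ID must be unique and unguessable; the SP stores it so that the IdP's
    Response can later be matched through InResponseTo (rejects unsolicited
    or replayed responses). Returns (request_id, xml)."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )
    return request_id, xml

def encode_redirect(xml):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header, wbits=-15), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def decode_redirect(encoded):
    """What the IdP does on receipt: base64-decode, then raw INFLATE."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode()

def redirect_url(xml, relay_state="/dashboard"):
    """Step 2 continued: the Location the SP sends the browser to. Real deployments
    usually also add SigAlg/Signature query parameters to sign the request; omitted here."""
    query = urlencode({"SAMLRequest": encode_redirect(xml), "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"
```

The SP keeps the returned request ID in the user's session; step 4 of the flow checks the IdP's response against it.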
Why do you need SAML SSO?
Organizations implement SAML SSO because it provides measurable security and productivity benefits:
- Seamless user experience: Log in once, access everything—thanks to the SAML protocol.
- Stronger security: Credentials remain only with the SAML IdP, reducing risk.
- Centralized control: Unified SAML configuration simplifies audits and compliance.
- Reduced IT workload: Fewer password resets and support tickets.
- Improved productivity: Employees waste less time managing multiple logins.
- Scalable and interoperable: SAML 2.0 supports cross-platform and cloud-ready integrations.
By securing authentication and authorization through a trusted framework, SAML SSO delivers both business efficiency and IT cost savings.
SAML examples
Example 1:
A doctor logs in to a hospital’s electronic health record system (SP). The system redirects to the SAML IdP for authentication. The IdP validates the doctor’s credentials, issues a SAML assertion, and returns a SAML response.
Once logged in, the doctor can access other apps, like the radiology portal and prescription system, without re-entering their credentials. The SAML token from the IdP is trusted by all apps, enabling secure SAML SSO across systems.
Example 2:
A student signs in to a university portal, which acts as the SAML IdP. After authentication, the IdP generates a SAML assertion and sends a SAML response, carrying the SAML token, to the portal.
library, and email without logging in again. Thanks to the SAML flow, all apps recognize the same trusted SAML configuration, ensuring seamless SAML single sign-on.
SAML components
SAML 2.0 defines several building blocks:
- SAML assertions: The SAML token carrying authentication and authorization data.
- SAML protocols: XML-based request or response messages exchanged during a SAML flow.
- Bindings: The method of transporting messages (HTTP Redirect, HTTP POST, SOAP, etc.).
- Profiles: Predefined SAML configurations for use cases like SSO or single logout.
- Roles:
  - Principal (user)
  - SAML IdP
  - SAML SP
Together, these components ensure smooth SAML SSO operations.
SP- and IdP-initiated single sign-on
- SP-initiated SSO SAML: The login starts at the SP, which redirects to the SAML IdP and receives a SAML response with an assertion.
- IdP-initiated SSO SAML: The user logs in at the IdP first, then navigates to the SP with a valid SAML token.
Both methods rely on accurate SAML configuration to ensure secure SAML single sign-on.
Step-by-step SAML workflow
- User accesses SP from browser.
- The SP sends a SAML request to the browser.
- The browser sends a SAML request to the IdP.
- The IdP authenticates the user and creates a SAML assertion, which it sends to the browser.
- The browser sends the SAML assertion to the SP.
- Once the user is authenticated, the SP sends a security context to the browser.
- The browser requests a resource from the SP.
- The SP sends the requested resource.
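Step 5 of the workflow above, where the SP checks the SAML assertion against its own configuration, and the SP- versus IdP-initiated distinction from the previous section, as an added example that is not part of the original page or of any ManageEngine product. The SP configuration, IdP entity ID and sample response are constructed; the example assumes the XML signature has already been verified by an XML-DSig library and shows only the checks that come after that.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_CONFIG = {  # assumed (hypothetical) SP configuration: entity ID, ACS URL, the one trusted IdP
    "entity_id": "https://sp.example.com/metadata",
    "acs_url": "https://sp.example.com/saml/acs",
    "trusted_idp": "https://idp.example.com/metadata"}

def parse_time(s):  # SAML timestamps are UTC, e.g. 2024-05-01T12:00:00Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml, cfg, now, expected_request_id=None):
    """Step 5: the SP checks the SAML token against its configuration. Assumes the XML
    signature was already verified by an XML-DSig library. Returns (ok, reason, attrs)."""
    resp = ET.fromstring(xml)
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success", {}
    if resp.get("Destination") != cfg["acs_url"]:
        return False, "Destination is not this SP's ACS URL", {}
    # SP-initiated: InResponseTo must equal the request ID stored in step 2.
    # IdP-initiated (expected_request_id=None): an unsolicited response must carry none.
    if resp.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo mismatch", {}
    a = resp.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", None, NS) != cfg["trusted_idp"]:
        return False, "missing or untrusted Issuer", {}
    cond = a.find("saml:Conditions", NS)
    if cond is None or not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window", {}
    if cond.findtext("saml:AudienceRestriction/saml:Audience", None, NS) != cfg["entity_id"]:
        return False, "Audience is not this SP", {}
    attrs = {x.get("Name"): x.findtext("saml:AttributeValue", None, NS)
             for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return True, "ok", attrs

def sample_response(in_response_to="_req1", audience=SP_CONFIG["entity_id"]):  # constructed sample
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""  # Signature element omitted
    return f'''<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0"
 IssueInstant="2024-05-01T12:00:00Z" Destination="{SP_CONFIG["acs_url"]}"{irt}>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>{SP_CONFIG["trusted_idp"]}</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z"/>
  <saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>'''
```

Each rejected check maps to a common misconfiguration: a wrong Audience means an assertion meant for another SP, an InResponseTo mismatch means a response the SP never asked for, and an expired window means a replayed token.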
SAML single sign-on and MFA capabilities
ADSelfService Plus, an MFA, SSPR, and SSO solution, employs the SAML protocol to provide the following:
- SAML-based MFA for critical resources
  - An external SAML IdP (such as Okta, Ping Identity, or) handles the authentication and issues a SAML response.
  - ADSelfService Plus uses this SAML assertion to enforce MFA for sensitive endpoints, like local and remote machines, VPNs, and Outlook on the web.
  - This ensures that even if credentials are compromised, attackers cannot take over crucial enterprise endpoints.
- SAML SSO for enterprise applications
  - ADSelfService Plus always acts as the SAML IdP by authenticating users against Active Directory (AD).
  - Once authentication is successful, ADSelfService Plus issues a signed SAML assertion inside a SAML response to the target SP, such as Salesforce, Microsoft 365, and other cloud applications.
  - Users sign in once with their AD credentials, and the same SAML token is trusted across multiple SPs for seamless SAML single sign-on.
SP- and IdP-initiated SAML single sign-on
With ADSelfService Plus, SAML 2.0 is supported for both roles:
- As a SAML IdP: ADSelfService Plus authenticates users with AD credentials and issues SAML responses for cloud and custom SPs.
- As a SAML SP: ADSelfService Plus consumes SAML tokens from third-party IdPs like Okta or OneLogin.
Flexible SAML configuration ensures secure SAML single sign-on in both SP- and IdP-initiated SAML flows.
Benefits of SAML SSO and MFA
Here's why organizations should choose ADSelfService Plus as their SAML SSO and MFA solution:
- Lets employees sign in once and securely access all their business apps with SAML SSO.
- Strengthens security with MFA for systems like VPNs, Outlook on the web, and remote logins.
- Works seamlessly with popular IdPs and business applications.
- Reduces password-related hassles by combining AD authentication with modern SAML SSO.
- Delivers both easy access for users and better control for IT teams.
- Provides a simple, centralized way to manage secure logins across the organization.
Highlights of ADSelfService Plus
Password self-service
Unburden Windows AD users from lengthy help desk calls by empowering them with self-service password reset and account unlock capabilities.
Multi-factor authentication
Enable context-based MFA with 20 different authentication factors for endpoint, application, VPN, OWA, and RDP logins.
One identity with single sign-on
Get seamless one-click access to more than 100 cloud applications. With enterprise single sign-on (SSO), users can access all their cloud applications using their Windows AD credentials.
Password and account expiry notifications
Notify Windows AD users of their impending password and account expiry via email and SMS notifications.
Password synchronization
Synchronize Windows AD user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.
Password policy enforcer
Strong passwords resist various hacking threats. Require Windows AD users to adhere to compliant passwords by displaying password complexity requirements.
