Article

What is security assertion markup language (SAML)?

Security
Time to read: 8 minutes

SAML defined

An open standard, Security Assertion Markup Language (SAML) allows authentication and authorization data to be exchanged between parties, commonly between identity providers and service providers.

With SAML, users can access multiple applications or services with a single login, eliminating the need for separate logins for each resource.

Security assertion markup language supports different authentication mechanisms, including username / password authentication, multi-factor authentication (MFA), and single sign-on with external identity providers. SAML is widely used in enterprise environments, cloud-based applications, and federated identity systems to enable secure and seamless access control across distributed environments while maintaining user privacy and security.

How does security assertion markup language work?

Security Assertion Markup Language (SAML) operates based on trust relationships established between the identity provider and a service provider. Below is a summary of how the relationship works.

Session initiation

A session starts when a user initiates access to a service provider’s resource (e.g., a web application or database).

Redirect to identity provider

The service provider transparently redirects the user’s browser to the identity provider for authentication. The redirection includes the SAML authentication request in the form of an XML document that specifies the service the user is attempting to access.

Authentication

The identity provider authenticates the user using a variety of methods, including:

  1. Biometric authentication
  2. Kerberos
  3. Mobile authentication
  4. Multi-factor authentication
  5. Password-based authentication
  6. Public key infrastructure (PKI)
  7. Secure remote password (SRP)
  8. Smart cards or hardware tokens
  9. Secure sockets layer and transport layer security SSL/TLS

Generation of SAML assertion

The identity provider generates a SAML assertion, also referred to as a security token, after the user is authenticated.

Return to service provider

The identity provider transparently redirects the user’s browser back to the service provider with the SAML assertion.

Assertion verification

The service provider verifies the SAML assertion.

User access granted

If the SAML assertion is valid and trusted, the service provider extracts the user’s identity and attributes from the assertion and grants the user access to the requested service. Then, the user can interact with it without further authentication.

Session establishment

In some cases, a session is established between the user and the service to maintain the user’s authentication state. This allows users to access additional resources within the same session without reauthenticating.

Types of SAML providers

There are two types of security assertion markup language (SAML) providers—identity providers and service providers. The interaction between these two types of providers allows a user to authenticate once at an identity provider and gain access to multiple service providers without reauthenticating.

Identity providers

Identity providers manage the user authentication process. After a user is successfully authenticated, an identity provider issues SAML assertions that contain user identity and attributes.

Service providers

Service providers offer the service or resource the user wants to access. A service provider receives identity information provided by an identity provider, verifies it, and if valid, grants the user access to the resource.

Hybrids

In some cases, a single entity acts as an identity provider and a service provider.

Specialized providers

Specialized providers combine aspects of identity providers and service providers. For instance, federated identity providers serve as intermediaries between different organizations’ identity providers and service providers to support cross-domain authentication and access.

A federated identity provider establishes trust relationships and enables single sign-on (SSO) across federated environments.

What is a SAML assertion?

A security assertion markup language (SAML) assertion is an XML document that provides a standardized method to exchange authentication and authorization data. The standardization of SAML assertions facilitates interoperability between different identity providers and service providers. Because of this, SAML is widely used to provide secure, cross-domain web-based authentication and authorization.

The SAML assertation package includes information about users’ identities, attributes, and entitlements, which the service provider uses to control access to resources. To provide protection for this sensitive information during transmission, SAML assertions are secured through digital signatures and optionally encrypted.

There are three types of statements (i.e., assertions) that can be made in a SAML assertion:

  1. Authentication assertions confirm the identity provider has authenticated a user. This assertion includes information about how and when the authentication occurred, such as the time of authentication and the method used (e.g., password, two-factor authentication).
  2. Attribute assertions provide specific pieces of data about the user, such as their name, email address, job title, role within an organization, or other attributes relevant to the service providers’ user case. The service provider uses this information for a number of reasons, including to make authorization decisions and personalize the user experience.
  3. Authorization decision assertions specify whether the user is allowed to access a particular resource or service provided by the service provider and under what conditions.

Security assertion markup language use cases

The following are several of a wide range of use cases for security assertion markup language (SAML). Most require the support SAML provides for secure, seamless access to multiple services.

Business-to-business (B2B) transactions

  1. B2B integration platforms facilitate the seamless exchange of data and services among businesses
  2. Business partners to access shared resources in partner portals, such as documentation, training materials, or sales tools
  3. Employees’ access to cloud-based services, such as email, customer relationship management (CRM), or project management tools
  4. Organizations collaborating on research and development projects share access to specific applications or databases
  5. Supply chain management teams access the information systems of their suppliers, distributors, or logistics providers for sensitive information like inventory levels, order statuses, and shipping details

Education and research institutions

  1. Administrators, faculty, students, and authorized guardians access student information systems (SIS) with student records, enrollment, grades, and other critical administrative functions
  2. Library database access to digital library resources, including journals, eBooks, and academic databases, which may be hosted by different providers
  3. Research institutions collaborate on projects, requiring access to shared data repositories, computational tools, and other resources
  4. Students access online exams and proctoring
  5. Students and faculty access to learning management Systems (LMS) to manage course content, assignments, and assessments
  6. Students, faculty, and researchers access educational and research materials from various providers and institutions

Financial services

  1. Customers access their accounts through mobile banking applications
  2. Financial transactions such as loan processing, risk assessments, and insurance claims between banks, insurance companies, and other financial institutions
  3. Joint services delivered through partnerships, such as automated teller machines (ATMs) and payment systems
  4. Online financial services portals, investment platforms, payment gateways, and financial management tools
  5. Online transactions through secure payment gateways

Government and public sector

  1. Different government agencies share data and collaborate on projects securely with interagency access to shared systems and databases
  2. First responders and emergency management officials have immediate access to critical information systems and communication networks
  3. Government employees and citizens access various government portals for services such as tax filing, benefit applications, and license renewals
  4. Government-run healthcare and social service platforms provide access to healthcare records, benefit management systems, and social service applications

Healthcare systems

  1. Electronic health records (EHR) access by patients, doctors, nurses, and other healthcare staff
  2. Health information exchanges (HIE) for sharing of health information (e.g., patient care, billing, and health records) across different healthcare organizations (e.g., hospitals, insurance companies, and different healthcare providers)
  3. Insurance companies and healthcare providers provide access to insurance portals where patients and providers can view coverage details, submit claims, and access insurance documents
  4. Patients access telehealth services from different providers
  5. Pharmacists and healthcare providers have access to pharmacy management systems and prescription drug databases
  6. Researchers and clinicians access platforms for clinical trials and medical research to share research data, patient information, and study results across institutions and research teams

SAML addresses authentication and authorization friction

By streamlining authentication and authorization, SAML enables easy but secure access to resources regardless of owner or location. SAML adoption has proliferated because of its benefits to enterprises and service providers. The frictionless access to multiple services with a single set of credentials while maintaining security, privacy, and interoperability across different systems and domains makes it desirable for some organizations.

Unleash the power of unified identity security

Mitigate cyber risk across the spectrum of access

Mark and Sumit

S1 : E2

Identity Matters with Sumit Dhawan, Proofpoint CEO

Join Mark McClain and Sumit Dhawan to understand the future of cybersecurity and how security teams can support CISO customers in the midst of uncertainty.

Play podcast
Mark and Ron

S1 : E1

Identity Matters with Ron Green, cybersecurity fellow at Mastercard

Join Mark McClain and Ron Green to understand the future of cybersecurity and the critical role identity security plays in safeguarding our digital world.

Play podcast
Dynamic Access Roles

Dynamic Access Roles

Build the next generation role and access model with dramatically fewer role and flexibility

View the solution brief