Security Assertion Markup Language (SAML) Authentication
Updated on 30 Jan 2024
Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). It works by passing information about users, logins, and attributes between the identity provider and the service providers that trust it.
SP Initiated SAML Authentication Flow
In the SP-initiated workflow, the SP creates a SAML request and forwards the user, together with that request, to the IdP.
IdP Initiated SAML Authentication Flow
In the IdP-initiated workflow, the user sends the request to the IdP first and is then forwarded to the SP along with a SAML message containing an assertion.
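The SP-initiated flow above, written out as an added example (this is illustrative code, not from the article or any product it documents): the SP mints an AuthnRequest, records its ID so the later Response can be matched to it, and encodes it for the HTTP-Redirect binding; the last function shows what the IdP recovers on its side. The entity IDs and URLs are constructed for the example.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Entity IDs and endpoints are constructed for this example; a real SP reads
# them from its own configuration and from the IdP's metadata.
SP_ENTITY_ID = "https://sp.example.test/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"
IDP_SSO_URL = "https://idp.example.test/sso"

# AuthnRequest IDs the SP has issued but not yet seen answered. The SP later
# matches the Response's InResponseTo against this table.
pending_requests = {}


def new_request_id():
    # SAML IDs are xs:ID values, which must not begin with a digit, so the
    # random token gets a leading underscore.
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id, issue_instant):
    """Serialize a minimal <samlp:AuthnRequest> asking the IdP to deliver its
    Response to the SP's assertion consumer service by HTTP-POST."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")


def redirect_binding_url(request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then
    URL-encode the result into the IdP's SSO URL."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(request_xml.encode("utf-8")) + compressor.flush()
    query = urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "RelayState": relay_state,
    })
    return f"{IDP_SSO_URL}?{query}"


def start_login(relay_state="/app/dashboard", now=None):
    """SP side: mint a request, remember its ID, return the redirect URL."""
    now = now or datetime.now(timezone.utc)
    request_id = new_request_id()
    pending_requests[request_id] = now
    return request_id, redirect_binding_url(build_authn_request(request_id, now), relay_state)


def decode_redirect_request(url):
    """IdP side: undo the binding encoding and read the fields the IdP needs
    to authenticate the user and route its Response."""
    params = parse_qs(urlparse(url).query)
    raw = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    root = ET.fromstring(raw)
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": params.get("RelayState", [None])[0],
    }


if __name__ == "__main__":
    rid, url = start_login()
    print(url)
    print(decode_redirect_request(url))
```

The pending-request table is what later lets the SP reject a Response whose InResponseTo it never issued; a production SP keeps it in shared storage with an expiry rather than in a module-level dict.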
Types of SAML Assertions
- Authentication Assertion: Identifies the user and provides data about the time of login and the authentication method used, such as Kerberos (for password encryption) or two-factor authentication.
- Attribute Assertion: Passes SAML attributes to the service provider. SAML attributes are parameters that provide information about the user.
- Authorization Decision Assertion: States a decision about the user's authorization, such as whether the user is authorized to use the service, or that the identity provider denied the request because of a password failure or a lack of rights to the service.
Processing Steps
The following are the processing steps:
- First, the user requests access to a protected SP resource; the request is redirected to the federation server, which handles authentication.
- The IdP then sends an HTML form back to the browser containing a SAML request for authentication from the IdP. The HTML form is automatically posted to the IdP's SSO service.
- If the user is not already logged on to the IdP site, or if re-authentication is required, the IdP asks for credentials (for example, an ID and password) and the user logs on.
- Additional information about the user may be retrieved from the user data store for inclusion in the SAML response. (These attributes are predetermined as part of the federation agreement between the IdP and the SP.)
- The IdP's SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the form back to the SP.
- The SAML specifications require that POST responses be digitally signed. If the signature and the assertion are valid, the SP establishes a session for the user and redirects the browser to the target resource.
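The last step, and the three assertion types listed under "Types of SAML Assertions", as one added example (illustrative code, not from the article or any product it documents): the SP parses a Response, pulls out the authentication, attribute and authorization-decision statements, and runs the checks that decide whether a session may be created. The Response, entity IDs and URLs are constructed for the example. Cryptographic verification of the XML signature is delegated through the `verify_signature` argument to an XML-DSig implementation such as python-xmlsec or signxml (an assumption about deployment, not shown here); what the block does itself is confirm a signature is present and that it references the assertion being processed, then apply the status, issuer, InResponseTo, Recipient, validity-window and audience checks.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# What this SP expects to see; constructed values for the example.
EXPECTED = {"idp_entity_id": "https://idp.example.test/metadata",
            "sp_entity_id": "https://sp.example.test/metadata",
            "acs_url": "https://sp.example.test/saml/acs"}

# Constructed Response carrying all three statement types. The ds:Signature
# is only a placeholder shape; a real one is produced by the IdP's signing key.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_resp1" Version="2.0" IssueInstant="2024-01-30T10:00:00Z" InResponseTo="_req1">
 <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-30T10:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_assert1"/></ds:SignedInfo>
   <ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req1" NotOnOrAfter="2024-01-30T10:05:00Z"
     Recipient="https://sp.example.test/saml/acs"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-30T10:00:00Z" NotOnOrAfter="2024-01-30T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.test/metadata</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-30T09:59:50Z"><saml:AuthnContext>
   <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="groups"><saml:AttributeValue>staff</saml:AttributeValue>
    <saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://sp.example.test/reports" Decision="Permit">
   <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">read</saml:Action>
  </saml:AuthzDecisionStatement>
 </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    # fromisoformat accepts a trailing "Z" only from Python 3.11, so normalize it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_statements(assertion):
    """Read the authentication, attribute and authorization-decision statements."""
    authn = assertion.find("saml:AuthnStatement", NS)
    authz = assertion.find("saml:AuthzDecisionStatement", NS)
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"authentication": {"instant": authn.get("AuthnInstant"),
                               "method": authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef", None, NS)},
            "attributes": attrs,
            "authorization": None if authz is None else {"resource": authz.get("Resource"),
                                                          "decision": authz.get("Decision")}}


def validate_response(xml, expected, pending_ids, now, verify_signature, skew=timedelta(minutes=3)):
    """The SP's checks before it creates a session; raises ValueError naming the failed check."""
    root = ET.fromstring(xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != SUCCESS:
        raise ValueError(f"IdP returned status {status}")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", None, NS) != expected["idp_entity_id"]:
        raise ValueError("assertion issuer is not the configured IdP")
    # The signature must exist and its Reference must point at this very assertion.
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID"):
        raise ValueError("assertion is unsigned or the signature covers a different element")
    if not verify_signature(a):
        raise ValueError("signature verification failed")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") not in pending_ids:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    if scd.get("Recipient") != expected["acs_url"]:
        raise ValueError("assertion was not addressed to this SP's ACS URL")
    cond = a.find("saml:Conditions", NS)
    if not (parse_instant(cond.get("NotBefore")) - skew <= now
            < parse_instant(cond.get("NotOnOrAfter")) + skew):
        raise ValueError("assertion is outside its validity window")
    if expected["sp_entity_id"] not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion audience is not this SP")
    pending_ids.discard(scd.get("InResponseTo"))  # each request ID is answered once
    return {"subject": a.findtext("saml:Subject/saml:NameID", None, NS), **extract_statements(a)}


def process_login(now_iso, pending_ids, verify_signature=lambda element: True):
    """Run the checks at a given instant and report the outcome as a dict. The default
    verifier accepts anything; it stands in for a real XML-DSig library (assumption)."""
    try:
        return validate_response(SAMPLE_RESPONSE, EXPECTED, set(pending_ids),
                                 parse_instant(now_iso), verify_signature)
    except ValueError as exc:
        return {"error": str(exc)}
```

Calling `process_login("2024-01-30T10:01:00Z", ["_req1"])` returns the subject and the three statements; calling it with a clock past the NotOnOrAfter window, with an unknown request ID, or with a verifier that rejects the signature returns the name of the failed check instead, which is the outcome the last processing step requires before a session is established.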