Understanding SAML: A Comprehensive Guide
Security assertion markup language (SAML) is an authentication standard that lets users access multiple applications or services with a single set of login credentials.
Combined with single sign-on, SAML helps businesses reduce security risk and improve the end-user experience. But what is SAML, exactly? And how does it benefit your business? We've got you covered with the complete guide to SAML.

What Is SAML and How Does It Work?
Definition and explanation of SAML
SAML simplifies the authentication process by allowing users to authenticate once and access multiple web services or applications.
SAML is based on the eXtensible Markup Language (XML), which is designed to store and transport data. XML on its own doesn't perform any operations; instead, it provides a way to exchange data between applications. While XML can carry many kinds of data, SAML was built specifically to transfer authentication data between two parties: an identity provider (IdP) and a service provider (SP). The service provider is the application or service that a user wants to access. The identity provider is a trusted third party that securely stores user authentication data and verifies it upon request.
It's also worth noting that SAML is an open standard. This means it's not owned or operated by a single company; instead, organizations are free to deploy and adapt SAML to suit their needs. The current version of SAML is SAML 2.0.
Basics of SAML operations
When a user requests access to a service, the service provider (SP) generates a SAML message and sends it to the identity provider (IdP). The user is then redirected to a secure login site and asked to provide their credentials. Once these credentials are verified, the IdP sends a SAML response, and the service grants access to the user.
Under the SAML 2.0 standard, a SAML assertion can carry three types of statements: authentication statements, attribute statements, and authorization decision statements.
Authentication statements indicate if a user has been successfully authenticated. These assertions include details about why the decision to authenticate (or not) was reached, along with timestamps of the decision-making process.
Attribute statements provide details about users, such as their role in the organization and their basic contact information. These statements can be customized on a per-application basis.
Finally, authorization decision statements include details about what actions users can take and what information they can access.
SAML architecture and components
There are four key components in SAML architecture: users, service providers, identity providers, and assertions. Here's a look at each in more detail.
Users
Users are employees or customers attempting to access services. For example, employees might request access to collaboration or operations apps, while customers might request access to purchase histories or e-commerce accounts.
Service providers (SPs)
Service providers are the owners and operators of applications. In the example above, your company might own in-house operations apps, while a cloud-based provider might supply your collaboration software.
Identity providers (IdPs)
Identity providers are trusted partners that accept SAML requests from SPs and authenticate users. If employees request access to cloud-based collaboration apps, the SP sends a SAML request to the connected IdP and awaits its response.
Assertions
Assertions are messages sent between SPs and IdPs to approve or deny user authentication requests. The first assertion sent is from the SP to the IdP requesting authentication. The IdP then processes the authentication request and returns a SAML assertion.
Here's how it works in practice. First, users request access to a service. The SP sends a SAML request to the company's chosen IdP. The IdP processes the authentication request and returns a SAML assertion. If authentication is approved, the user is granted access and can also access other services that use the same IdP without the need to re-authenticate.
How SAML enables secure single sign-on (SSO)
Single sign-on (SSO) is a process that allows users to sign on once and use multiple applications. SAML is one way to streamline this process.
Traditionally, SSO relied on authentication tokens only visible within a single domain, such as a corporate intranet or a connected set of services from the same provider. As a result, SSO was limited in scope: if users attempted to access apps outside the domain, further authentication was required.
SAML trades domain-specific processes for centralized identity management, in turn allowing greater flexibility for users and increased security for organizations.
Consider a user attempting to access data from an in-house financial application. Using SSO, they confirm their identity within the domain of the organization and are authorized for use. To make use of this data, however, they also need to access a secure, external web service provided by a trusted third party. Under traditional SSO, users are required to authenticate for access every time they leave one domain and move into another. Using SAML, however, makes it possible for staff to authenticate once and use that authentication across multiple service providers.
Benefits of SAML
Common benefits of SAML include enhanced security, streamlined user experiences, and reduced operational overhead.
Streamlined user experience with SSO
SAML allows users to access multiple applications and services without the need to reauthenticate, in turn limiting workflow disruptions. Consider an employee who authenticates for an internal application and then requests access from an external provider. Without SAML, the employee must stop what they're doing to reauthenticate, which wastes time and can lower productivity.
Using SAML, employees can access multiple services using a single login.
Enhanced security through token-based authentication
This single login approach is made possible in part by token-based authentication. When IdPs confirm user identities, they issue encrypted digital tokens allowing users to access their requested application and other applications connected to the IdP. Unlike usernames and passwords, which apply only to the application in use, tokens are session-based, which means they persist across applications.
Once a user logs out of their employee account or shuts down their device, the session is terminated.
Reduced administrative overhead with centralized identity management
Managing multiple sets of login and authentication data across internal and external applications can be time-consuming and costly. With a SAML approach, meanwhile, identity data is centrally managed by an IdP to reduce administrative overhead.
Implementing SAML: Best Practices
Choosing a reliable SAML provider
As noted above, SAML is an open standard, so there is no license to purchase. Depending on the complexity of your IT environment and the number of applications and services used by staff, however, implementation may be time-consuming or costly.
To help streamline the process, it's worth selecting a reliable identity provider. Characteristics of a great provider include support for multiple applications, the ability to customize authentication conditions, and options to integrate additional apps and services as business needs evolve.
Configuring SAML for seamless integration
Seamless integration of SAML is also critical. If the deployment of SAML processes interrupts user workflows or leads to significant delays or latency, the impact may outweigh the benefit. As a result, it's worth selecting SAML solutions that are easy to configure and simple to scale.
Ensuring compatibility with different applications and services
In 2023, business departments used an average of 87 SaaS apps, a 27% increase from 2022. And this number is only growing as businesses look to implement emerging solutions such as AI and machine learning.
To ensure companies can keep pace with increasing application diversity, SAML deployments must prioritize compatibility with different applications and services. This includes cloud-based applications, those that live on the edge, and those used exclusively in-house.
How SAML Works in Real-World Scenarios
Theory provides a basic understanding, but what is SAML like in the real world?
Step-by-step: The SAML authentication workflow
First, let's break down the SAML authentication workflow step-by-step. Consider the example of an employee requesting access to an approved third-party application as part of their day-to-day responsibilities.
Step 1: The user opens the application (SP) and enters their login credentials.
Step 2: The SP sends a SAML request to the registered IdP asking for authentication.
Step 3: The IdP compares the credentials provided to the credentials stored in its database and makes an authentication decision.
Step 4: The results of this decision are sent to the service provider via SAML assertion.
Step 5: If users are authenticated, they are granted access to the application. If they are not authenticated, access is denied.
Step 6: When users access another app in the same session, the SP makes a request. The IdP confirms that the user still has a valid token and grants access.
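The six steps above, shown as an added Python example that is not part of this guide and not LastPass's or any SAML library's code: the SP builds the AuthnRequest (Step 2), the IdP answers with a Response whose Assertion carries the three statement types described earlier (authentication, attribute and authorization decision), or a failure status with no assertion (Step 5), and the SP reads the result. Entity IDs, URLs and the user are constructed placeholders; the messages are not signed here, which a real deployment requires.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces fixed by the SAML 2.0 standard.
NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_P)
ET.register_namespace("saml", NS_A)

# Constructed identifiers for this example; they are not real endpoints.
SP_ENTITY_ID = "https://sp.example.test/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/metadata"


def _ts(dt):
    # SAML timestamps are UTC xs:dateTime values.
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_authn_request():
    """Step 2: the SP asks the IdP to authenticate the user. Returns the request
    ID (kept by the SP to match the reply) and the AuthnRequest XML."""
    req_id = "_" + uuid.uuid4().hex
    root = ET.Element(f"{{{NS_P}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0",
        "IssueInstant": _ts(datetime.now(timezone.utc)),
        "AssertionConsumerServiceURL": SP_ACS_URL})
    ET.SubElement(root, f"{{{NS_A}}}Issuer").text = SP_ENTITY_ID
    return req_id, ET.tostring(root, encoding="unicode")


def build_response(request_xml, subject, attributes, authenticated=True):
    """Steps 3 and 4: the IdP replies with a Response. On success it carries an
    Assertion holding the three statement types the guide lists."""
    req = ET.fromstring(request_xml)
    now = datetime.now(timezone.utc)
    resp = ET.Element(f"{{{NS_P}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now),
        "InResponseTo": req.get("ID"),
        "Destination": req.get("AssertionConsumerServiceURL")})
    ET.SubElement(resp, f"{{{NS_A}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{NS_P}}}Status")
    outcome = "Success" if authenticated else "Responder"
    ET.SubElement(status, f"{{{NS_P}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:" + outcome})
    if not authenticated:
        # Failed login: a status code but no assertion (Step 5, access denied).
        return ET.tostring(resp, encoding="unicode")
    a = ET.SubElement(resp, f"{{{NS_A}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(a, f"{{{NS_A}}}Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, f"{{{NS_A}}}Subject")
    ET.SubElement(subj, f"{{{NS_A}}}NameID").text = subject
    # Conditions bind the assertion to a short time window and to this SP.
    cond = ET.SubElement(a, f"{{{NS_A}}}Conditions", {
        "NotBefore": _ts(now), "NotOnOrAfter": _ts(now + timedelta(minutes=5))})
    aud = ET.SubElement(cond, f"{{{NS_A}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{NS_A}}}Audience").text = SP_ENTITY_ID
    # Authentication statement: when and how the IdP authenticated the user.
    authn = ET.SubElement(a, f"{{{NS_A}}}AuthnStatement", {"AuthnInstant": _ts(now)})
    ctx = ET.SubElement(authn, f"{{{NS_A}}}AuthnContext")
    ET.SubElement(ctx, f"{{{NS_A}}}AuthnContextClassRef").text = (
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
    # Attribute statement: facts about the user, such as role or e-mail address.
    attrs = ET.SubElement(a, f"{{{NS_A}}}AttributeStatement")
    for name, value in attributes.items():
        attr = ET.SubElement(attrs, f"{{{NS_A}}}Attribute", {"Name": name})
        ET.SubElement(attr, f"{{{NS_A}}}AttributeValue").text = value
    # Authorization decision statement: what the subject may do on a resource.
    dec = ET.SubElement(a, f"{{{NS_A}}}AuthzDecisionStatement",
                        {"Resource": SP_ACS_URL, "Decision": "Permit"})
    ET.SubElement(dec, f"{{{NS_A}}}Action",
                  {"Namespace": "urn:oasis:names:tc:SAML:1.0:action:rwedc"}).text = "Read"
    return ET.tostring(resp, encoding="unicode")


def read_response(response_xml):
    """Step 5: the SP reads the outcome and each statement out of the Response."""
    resp = ET.fromstring(response_xml)
    code = resp.find(f"{{{NS_P}}}Status/{{{NS_P}}}StatusCode").get("Value")
    result = {"in_response_to": resp.get("InResponseTo"), "success": code.endswith(":Success"),
              "subject": None, "authn_context": None, "attributes": {}, "decision": None}
    a = resp.find(f"{{{NS_A}}}Assertion")
    if a is None:
        return result
    result["subject"] = a.findtext(f"{{{NS_A}}}Subject/{{{NS_A}}}NameID")
    result["authn_context"] = a.findtext(
        f"{{{NS_A}}}AuthnStatement/{{{NS_A}}}AuthnContext/{{{NS_A}}}AuthnContextClassRef")
    for attr in a.iterfind(f"{{{NS_A}}}AttributeStatement/{{{NS_A}}}Attribute"):
        result["attributes"][attr.get("Name")] = attr.findtext(f"{{{NS_A}}}AttributeValue")
    dec = a.find(f"{{{NS_A}}}AuthzDecisionStatement")
    result["decision"] = dec.get("Decision") if dec is not None else None
    return result
```

Calling `build_authn_request()`, passing the XML to `build_response(...)` with a subject and an attribute dictionary, and then `read_response(...)` walks one login end to end; the `InResponseTo` value the SP gets back is how it ties the IdP's answer to the request it sent in Step 2.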
How SAML integrates with popular applications
Because SAML is an open standard, it can be modified by businesses to integrate with any application. For example, suppose companies prefer to act as their own identity provider for internal app requests. In that case, they can choose to invest the time and resources into creating and maintaining the infrastructure necessary to support service provider requests.
In the case of an external IdP, businesses are best served looking for providers that both support commonly used applications and are willing to integrate new applications on request.
Common challenges and SAML troubleshooting tips
As noted by OWASP, common security challenges with SAML include eavesdropping, theft of user authentication information, and theft of bearer tokens. To help mitigate these challenges, OWASP recommends the use of digitally signed messages with certified keys. This helps reduce the risk of spoofed SAML requests or assertions that could lead to security compromise.
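What the OWASP advice means on the receiving side, as an added Python example that is not part of this guide and not any SAML library's code: before a service provider trusts an assertion it verifies the signature, checks that the response was addressed to it and answers a request it really sent, checks the issuer, the validity window and the audience, and refuses to accept the same assertion twice. Entity IDs, URLs, the user and the clock are constructed placeholders, and a keyed hash (HMAC) over the canonicalized XML stands in for the XML-DSig signature with a certified key that production SAML uses; the checks themselves do not depend on that substitution.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
TS = "%Y-%m-%dT%H:%M:%SZ"
# Constructed identifiers and a fixed clock, so the example is deterministic.
SP_ENTITY_ID = "https://sp.example.test/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/metadata"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
# Stand-in for the IdP's signing key. Production SAML uses XML-DSig with the
# IdP's X.509 certificate; a shared HMAC key is used here only so the example
# runs on the standard library. The SP-side checks are the same either way.
IDP_SIGNING_KEY = b"constructed-example-key"


def sign(message_xml, key=IDP_SIGNING_KEY):
    """IdP side: keyed digest over the canonical XML, so cosmetic serialization
    differences do not break verification but any change to content does."""
    return hmac.new(key, ET.canonicalize(message_xml).encode(), hashlib.sha256).hexdigest()


def make_response(in_response_to, subject, issued, audience=SP_ENTITY_ID,
                  lifetime=timedelta(minutes=5)):
    """Constructed sample Response carrying one Assertion."""
    t0, t1 = issued.strftime(TS), (issued + lifetime).strftime(TS)
    return f"""<samlp:Response xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" ID="_r1" Version="2.0"
    IssueInstant="{t0}" InResponseTo="{in_response_to}" Destination="{SP_ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{t0}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{t0}" NotOnOrAfter="{t1}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(response_xml, signature, outstanding_requests, seen_assertions,
                      now, skew=timedelta(seconds=60)):
    """SP-side checks before trusting an assertion; returns (accepted, subject or reason)."""
    # 1. Integrity and origin first: nothing else is worth reading if this fails.
    if not hmac.compare_digest(sign(response_xml), signature):
        return False, "signature mismatch: message altered or not from the trusted IdP"
    resp = ET.fromstring(response_xml)
    # 2. Addressed to this SP's endpoint, in reply to a request it really sent.
    if resp.get("Destination") != SP_ACS_URL:
        return False, "Destination is not this SP's ACS endpoint"
    if resp.get("InResponseTo") not in outstanding_requests:
        return False, "unsolicited response or already-used request ID"
    a = resp.find(f"{{{NS_A}}}Assertion")
    if a is None:
        return False, "response carries no assertion"
    # 3. Issued by the one IdP this SP is configured to trust.
    if a.findtext(f"{{{NS_A}}}Issuer") != IDP_ENTITY_ID:
        return False, "unexpected assertion issuer"
    # 4. Validity window, with a small allowance for clock skew.
    cond = a.find(f"{{{NS_A}}}Conditions")
    not_before = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    if now + skew < not_before or now - skew >= not_after:
        return False, "assertion outside its validity window"
    # 5. Audience: an assertion minted for another SP is not valid here.
    audiences = [e.text for e in cond.iterfind(f"{{{NS_A}}}AudienceRestriction/{{{NS_A}}}Audience")]
    if SP_ENTITY_ID not in audiences:
        return False, "assertion not addressed to this SP"
    # 6. One-time use: the same assertion must not log a user in twice.
    if a.get("ID") in seen_assertions:
        return False, "assertion replayed"
    seen_assertions.add(a.get("ID"))
    outstanding_requests.discard(resp.get("InResponseTo"))
    return True, a.findtext(f"{{{NS_A}}}Subject/{{{NS_A}}}NameID")


def run_scenarios():
    """One good response and four bad ones, each failing a different check."""
    good = make_response("_req1", "alice@example.test", SAMPLE_NOW)
    sig = sign(good)
    outstanding, seen = {"_req1"}, set()
    results = {"valid": validate_response(good, sig, outstanding, seen, SAMPLE_NOW)}
    # Presented again: the request ID was consumed by the first acceptance.
    results["replay"] = validate_response(good, sig, outstanding, seen, SAMPLE_NOW)
    # Subject swapped after signing: the canonical bytes, and so the digest, change.
    tampered = good.replace("alice@example.test", "admin@example.test")
    results["tampered"] = validate_response(tampered, sig, {"_req1"}, set(), SAMPLE_NOW)
    # Correctly signed, but minted for a different service provider.
    other = make_response("_req1", "alice@example.test", SAMPLE_NOW,
                          audience="https://other-sp.example.test/metadata")
    results["wrong_audience"] = validate_response(other, sign(other), {"_req1"}, set(), SAMPLE_NOW)
    # Presented ten minutes after issue: past NotOnOrAfter even with skew.
    results["expired"] = validate_response(good, sig, {"_req1"}, set(),
                                           SAMPLE_NOW + timedelta(minutes=10))
    return results
```

`run_scenarios()` returns the verdict for each case; only the untouched, first-seen response for this SP is accepted. The order of the checks is deliberate: the signature is verified before any field is read, so a forged or altered message never gets to consume a request ID or influence later checks, and the request ID and assertion ID are retired only once everything else has passed.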
Enhancing Security with SAML: Best Practices
While SAML provides a way to streamline authentication and reduce risk, there are steps that companies can take to further enhance SAML security and protect sensitive user data during SAML transactions. Two best practices include:
Implementing multi-factor authentication (MFA) with SAML
MFA provides an additional layer of security for SAML by combining what a user knows with something they have. Consider a staff member requesting access to an HR application. This app (the SP) asks for user login data and sends a SAML request to the IdP. The IdP verifies the credentials (what the user knows) and sends them a text code or push notification (something they have) to confirm their identity.
Securing SAML assertions and preventing tampering
To prevent potential SAML tampering, encryption is key. All messages and assertions should include end-to-end encryption to reduce the risk of eavesdropping or stolen tokens. IdPs should also periodically ask for additional verification details to ensure that user accounts have not been compromised.
Summing Up SAML
What is SAML?
SAML is an XML-based approach to improved authentication. Using SAML to connect service and identity providers allows users to access multiple services with a single set of login credentials, and centralizes the authentication process to reduce IT overhead. Most importantly, however, SAML enables SSO without compromising security, provides users with streamlined access to applications, and allows companies to scale up application authentication to meet growing service demand.
See how SAML can help streamline your security process. Start your LastPass trial here.
FAQ
What is SAML used for?
SAML is based on XML (eXtensible Markup Language) and provides a standardized way to exchange authentication and authorization data between an identity provider (IdP) and service provider (SP).
This standardization enables Single Sign-On (SSO) functionality, so users only need a single set of credentials to access multiple resources.
Is SAML outdated?
No, SAML isn’t outdated. However, it’s increasingly considered a legacy protocol in the context of API access authorization within web and mobile applications.
In contrast, lightweight protocols like OAuth 2.0 and OIDC are less resource-intensive and offer better support for mobile and API use cases.
What are the basic roles of SAML?
The basic roles of SAML are:
- Streamlining user access to multiple applications and services without the need to authenticate to each, saving time and increasing productivity levels
- Providing secure and continued access to resources throughout an entire session
- Reducing administrative overhead with centralized identity management
Is SAML better than LDAP?
No, SAML isn’t better than LDAP. Ultimately, both can be integrated to facilitate secure access to cloud resources.
For example, identity providers (IdP) can use LDAP directories to retrieve data for SAML cloud-based authentication.
On a platform like Mattermost, the LDAP directory manages user identities and access permissions for the organization, while SAML enables Single Sign-On (SSO) to cloud resources.
LDAP synchronization with SAML ensures every change in the LDAP directory is reflected in the SAML user authentication process.