Security Assertion Markup Language (SAML) is an open standard (maintained by OASIS) for exchanging authentication and authorization data between separate parties. It allows a user to access a third-party service using credentials managed by a separate identity provider.
Here is an example to clarify this:
Let’s suppose that you are working as an employee for an organization. Normally, you would have your own credentials. You use your credentials every time you want to access your company’s applications. So far, everything is good.
But in reality, things are more complicated than this. What if your company decides to subscribe to a third-party software service (let's say a cloud-based one)?
For you to access the new software, your organization would now have to share your credentials with this software provider. This would be bad, as it would expose confidential information from your organization to a third party that does not necessarily provide any assurance about its security controls.
Another option would be to create a separate set of credentials that you use specifically for this new service. But this quickly becomes impractical, especially if your company adopts additional services from other providers.
This is exactly where SAML comes into play. Your company, which holds your identity, sends a signed assertion (an XML document stating who you are and what you are entitled to) to the service provider whenever you try to log in to its software.
So basically, you log in only once, to your account within your organization. Every time you try to access software belonging to a third party, your company passes the authentication and authorization data to the service provider. Simply put, your company tells the third party that you are who you say you are, and that you are authorized to use the service you are requesting.
This way of authenticating is called SSO (Single Sign-On). It means that after you log in once, you can use different applications and services without having to log in again.
As we have seen in our example, SAML involves three actors:
- The Identity Provider (IdP): In our example, your company is the identity provider. It is the one that stores and manages your identity. In other cases, companies use a third-party identity provider (Identity as a Service, IDaaS).
- The Service Provider (SP): This is the third-party software provider you are trying to log in to. It relies on the identity provider to decide whether to grant you access.
- The Principal: This is the user, which means you.
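To make the exchange between these three actors concrete, here is an added example (not code from the original article, and not a SAML library) that models both sides of the login: the identity provider issues an assertion about the principal, and the service provider runs the checks it must perform before trusting it. Everything in it is assumed for the demonstration: the entity IDs, the ACS URL, the user name and the clock. Real SAML assertions carry an XML-DSig signature verified against the IdP's certificate; to keep the example runnable with only the standard library, that signature is replaced by an HMAC over the raw assertion bytes under a shared key, which is a stand-in and not how SAML signs. The validation steps (signature, issuer, audience, validity window, InResponseTo/Recipient, replay) are the ones that matter in practice.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Assumptions for the example: hypothetical entity IDs, and a shared key that
# stands in for the IdP's signing key (real SAML uses XML-DSig and the IdP's
# public certificate, which the SP holds in its metadata).
IDP_ENTITY_ID = "https://idp.example-corp.com"
SP_ENTITY_ID = "https://app.example-saas.com"
SP_ACS_URL = SP_ENTITY_ID + "/saml/acs"
SHARED_KEY = b"demo-only-shared-key"


def _fmt(t: datetime) -> str:
    return t.strftime(TIME_FMT)


def _parse(s: str) -> datetime:
    return datetime.strptime(s, TIME_FMT)


def _sign(assertion_xml: str, key: bytes) -> str:
    # Stand-in for the XML-DSig signature: HMAC-SHA256 over the raw bytes.
    return hmac.new(key, assertion_xml.encode(), hashlib.sha256).hexdigest()


def issue_assertion(name_id: str, request_id: str, now: datetime,
                    key: bytes = SHARED_KEY, lifetime_s: int = 300):
    """IdP side: after the user has authenticated to the company, state who
    they are, for which SP, in reply to which login request, and for how long."""
    expiry = _fmt(now + timedelta(seconds=lifetime_s))
    assertion = (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_{secrets.token_hex(16)}" '
        f'IssueInstant="{_fmt(now)}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID>"
        f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData InResponseTo="{request_id}" '
        f'Recipient="{SP_ACS_URL}" NotOnOrAfter="{expiry}"/>'
        f"</saml:SubjectConfirmation></saml:Subject>"
        f'<saml:Conditions NotBefore="{_fmt(now)}" NotOnOrAfter="{expiry}">'
        f"<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>"
        f"</saml:AudienceRestriction></saml:Conditions>"
        f"</saml:Assertion>"
    )
    return assertion, _sign(assertion, key)


def validate_assertion(assertion_xml: str, signature: str, expected_request_id: str,
                       now: datetime, seen_ids: set, key: bytes = SHARED_KEY):
    """SP side: return (ok, reason, name_id). Each check blocks one way a forged,
    misdirected, stale or replayed assertion could otherwise be accepted."""
    # 1. Integrity and origin: verify the signature before trusting any content.
    if not hmac.compare_digest(_sign(assertion_xml, key), signature):
        return False, "signature mismatch", None
    root = ET.fromstring(assertion_xml)
    # 2. The issuer must be the IdP this SP was configured to trust.
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "untrusted issuer", None
    # 3. Audience: an assertion issued for a different SP must not work here.
    audience = root.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != SP_ENTITY_ID:
        return False, "wrong audience", None
    # 4. Validity window (NotOnOrAfter is exclusive).
    cond = root.find("saml:Conditions", NS)
    if not (_parse(cond.get("NotBefore")) <= now < _parse(cond.get("NotOnOrAfter"))):
        return False, "outside validity window", None
    # 5. Bind the assertion to the login attempt this SP actually started.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("InResponseTo") != expected_request_id or scd.get("Recipient") != SP_ACS_URL:
        return False, "not a reply to our request", None
    # 6. Replay protection: each assertion ID is accepted once.
    assertion_id = root.get("ID")
    if assertion_id in seen_ids:
        return False, "replayed assertion", None
    seen_ids.add(assertion_id)
    return True, "ok", root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def run_demo():
    """Issue one assertion and present it to the SP in several states.
    Returns results in order: valid, replayed, tampered, expired, wrong request."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed clock; all times are UTC
    xml, sig = issue_assertion("alice@example-corp.com", "_req1", t0)
    seen = set()
    later = t0 + timedelta(seconds=10)
    return [
        validate_assertion(xml, sig, "_req1", later, seen),
        validate_assertion(xml, sig, "_req1", later, seen),  # same assertion again
        validate_assertion(xml.replace("alice", "mallory"), sig, "_req1", later, seen),
        validate_assertion(xml, sig, "_req1", t0 + timedelta(seconds=301), set()),
        validate_assertion(xml, sig, "_other", later, set()),
    ]


if __name__ == "__main__":
    for ok, reason, user in run_demo():
        print(ok, reason, user)
```

The order of the checks is deliberate: the signature is verified before the XML is interpreted, so nothing an attacker can write into an unsigned document influences the later steps, and the replay set is only updated once every other check has passed.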
Another way of doing things
OAuth is a newer standard that is often compared with SAML. Strictly speaking, OAuth 2.0 is an authorization framework (it lets an application act on a user's behalf against an API), and authentication on top of it is provided by OpenID Connect. The main practical difference between the two is where they are used: SAML dominates enterprise single sign-on, whereas OAuth is used mainly by websites and mobile apps, with Google being one of the major OAuth providers.