SAML

IdP & SP
Security Assertion Markup Language (SAML) is an open standard that allows
identity providers (IdP) to pass authorization credentials to service providers (SP).
What that jargon means is that you can use one set of credentials to log into many
different websites. It’s much simpler to manage one login per user than it is to
manage separate logins to email, customer relationship management (CRM)
software, Active Directory, etc.

What is SAML
SAML simplifies federated authentication and authorization processes for users,
Identity providers, and service providers. SAML provides a solution to allow your
identity provider and service providers to exist separately from each other, which
centralizes user management and provides access to SaaS solutions.

SAML implements a secure method of passing user authentications and

authorizations between the identity provider and service providers. When a user
logs into a SAML enabled application, the service provider requests authorization
from the appropriate identity provider. The identity provider authenticates the
user’s credentials and then returns the authorization for the user to the service
provider, and the user is now able to use the application.

SAML authentication is the process of verifying the user’s identity and credentials
(password, two-factor authentication, etc.). SAML authorization tells the service
provider what access to grant the authenticated user.
SAML transactions use Extensible Markup Language (XML) for standardized
communications between the identity provider and service providers. SAML is the
link between the authentication of a user’s identity and the authorization to use a
service.

SAML enables Single-Sign On (SSO), a term that means users can log in once, and
those same credentials can be reused to log into other service providers.

SAML works by passing information about users, logins, and attributes between
the identity provider and service providers. Each user logs in once to Single Sign
On with the identify provider, and then the identify provider can pass SAML
attributes to the service provider when the user attempts to access those services.
The service provider requests the authorization and authentication from the
identify provider. Since both of those systems speak the same language – SAML –
the user only needs to log in once.

Each identity provider and service provider need to agree upon the configuration
for SAML. Both ends need to have the exact configuration for the SAML
authentication to work.
SAML Example
1. User logs into SSO.
2. User then tries to open the webpage to his CRM.
3. The App – the service provider – checks User credentials with the identity
provider.
4. The identity provider sends authorization and authentication messages back to
the service provider, which allows User to log into the App.
5. User can use the App and get work done.

SAML vs. OAuth

OAuth is a slightly newer standard that was co-developed by Google and
Twitter to enable streamlined internet logins. OAuth uses a similar methodology as
SAML to share login information. SAML provides more control to enterprises to
keep their SSO logins more secure, whereas OAuth is better on mobile and uses
JSON.
Facebook and Google are two OAuth providers that you might use to log into other
internet sites.