Security Assertion Markup Language (SAML) is a common XML framework that applies to the exchange of authentication and authorization information between an identity provider (IdP) and a service provider (SP). SAML is a federated identity protocol that enables web browser Single Sign-On (SSO) through three main roles:

  • The principal, typically it is a user.

  • The identity provider (IdP), which is a system or administrative domain that provides claims, that is asserts information, about an authentication, authorizations, and authorization about a subject.

  • The service provider (SP).

    Additional SAML components:

  • Subject. Identifies the subject of a SAML assertion and is typically the principle or user being authenticated.

  • Assertions. During the flow between the IdP and the SP, the authentication request and response is comprised of assertions. Assertions are a statement of fact or trust about the subject. Statements may be one of the following types:

    • Authentication statement. A statement created by the party that successfully authenticates the subject.

    • Attribute statement. A statement that returns specific attribute information about the subject.

    • Authorization decision statement. A statement that provides the entitlements or permissions a subject has.

  • RelayState. Assertions may include RelayState. This is an HTTP parameter that can be included as part of the SAML request and SAML response. When the request and response completes, the SP can use the RelayState information to get additional context about the initial SAML authentication request. It is carried through the binding and used to point to the resource initially requested before the authentication.

  • Bindings. SAML bindings detail exactly how the various SAML protocol messages can be carried over underlying transport protocols such as HTTP. This is the primary means for communicating assertions. The bindings defined by SAML V2.0 are HTTP Redirect and HTTP POST.

    • HTTP Redirect. Uses an HTTP redirect message to redirect the subject's request to the IdP for authentication. This redirect is mostly done when a user attempts to access a SP resource in which they have not been authenticated. An HTTP (302) redirect message is generated and an authentication request is sent to the IdP for authentication.

    • HTTP POST. This is the method used to send the response back to the Assertion Consumer Service (ACS) of the SP. The HTTP POST assertion is signed and includes the RelayState so the SP knows the initial resource that was requested. Metadata: The schema of the configuration.

Enterprise Application Access supports:

  • For SAML response, only POST SAML binding.
  • For SAML request, both POST or Redirect SAML binding.

SAML's functionality starts with a service request from the principal to the SP. The SP requests and obtains an identity assertion from the IdP. The IdP may request some information from the principal, such as a username and password or multi-factor authentication (MFA), in order to authenticate the principal. On the basis of this claim, the SP makes an access control decision for the principal's request.

In SAML, one IdP may provide SAML assertions to many SP. Similarly, one SP may rely on and trust assertions from many independent IdPs. IdP sources of authentication typically include directory services such as LDAP, or Active Directory (AD) that allow users to log in with a username and password.