What is SAML & How Does SSO Authentication Work?

Javed Shah

SAML and SSO work together to create a more accessible and more secure login for users. But how, exactly, do these methods work?

What is SAML SSO? SAML is an overarching standard that includes single sign-on (SSO). SAML can activate SSO.

What Is Security Assertion Markup Language (SAML)?

SAML is an open, XML-based protocol that uses a token exchange system to support organizations’ single sign-on (SSO) capabilities. The goal is to provide a secure and flexible foundation for enterprise business applications to authenticate users across different platforms and user portals.

The depth of the SAML protocol, particularly with the advent of SAML 2.0 in 2015, provides several ways for developers and administrators to leverage secure communication protocols to share these tokens. However, the core model of the SAML SSO system is relatively straightforward.

The entire solution creates an authentication relationship between the user and two entities:

  • Service Provider: The application or platform to which the user tries to gain access.
  • Identity Provider: The organization managing identities and credentials for service providers and users.

An example is an employee attempting to log into an HR application (the service provider) using a connected Google Workspace ID (the identity provider). The identity provider manages authentication across several service providers to support full federated authentication and identity management.

Accordingly, the structured communication between service and identity providers is supported by SAML “assertions” or XML tokens. Thus there is a general flow of operations between stakeholders:

  • User Interaction: A user engages a login page from the service provider. The provider page generates a SAML request, which is given to the browser in the form of an XML token which then redirects the browser to the identity provider. This request can come from an authentication query, an attribute query, or an authorization query.
  • SAML Request to Identity Provider: The user provides their authentication credentials to the provider (which may include single- or multi-factor authentication).
  • Authentication with Identity Provider: Upon successful identity verification, the provider returns an XML authentication token to the user’s browser. This token can include various information, depending on the authentication relationship with the service provider, but will at least demonstrate the user is legitimate.
  • Return to Service Provider: The browser redirects back to the service provider site or application. After the token is parsed, the service provider gives the user access to their system.

SAML is typically used for authentication, whereas other protocols (like 0Auth) handle authorization within the system. However, SAML information can and is often used as a way to define user privileges.

Benefits of SAML SSO

SAML is one of the most deployed SSO technologies on the market due in no small part to its ease of deployment and robust feature set.

Some of the benefits of SAML SSO include:

  • Stronger Authentication Security: SAML SSO provides a single point of authentication for multiple systems. This reduces the attack surface of multiple systems by centralizing authentication security and minimizing human factors to vulnerabilities (such as reusing passwords or using simple passwords).
  • Improved User Experience: Speaking of the user experience… On average, users have about 100 passwords they keep at any given time. SSO is a critical technology in providing a simpler and more intuitive authentication experience for enterprise users, and it can navigate the variety of cloud applications typically used.

Additionally, it reduces the chances that shared passwords between enterprise and consumer accounts open your systems to attack.

  • Efficient Credential Management: Having a centralized method of managing identities and authentication, particularly one managed by experts as a service, can reduce costs in terms of security, compliance, and infrastructure management.
  • Open Standardization: SAML has wide adoption because it is an open standard, meaning that many providers and authentication applications will integrate it with their systems.

What Is SAML 2.0?

The first version of SAML (1.0) was somewhat limited in scope and application, but the next incremental upgrade (version 1.1) became an industry-standard in 2003 and provided several critical updates. Soon after (in 2005), version 2.0 was ratified by the Organization for the Advancement of Structured Information Standards (OASIS).

For most business and private users, the details of SAML 2.0 are quite technical. However, the specification made a few key advances that have impacted how it is deployed. These include:

  • Workflow: In the SAML 2.0 model described above, the service provider-initiated authentication for the user. In SAML 1.1, this process is reversed, with the identity provider sending the request.
  • Binding: In SAML terminology, “binding” is the process of mapping SAML assertions and messages to standard protocols, namely HTTP. This allows applications, like a web browsers, to pass SAML assertions between sites or apps. SAML 2.0 made binding much more flexible to empower the robust use of SAML across programs.
  • Identity Federation: The Liberty Alliance (a now-defunct group dedicated to internet standards) developed the Identity Federation Framework (ID-FF) to support authentication from different devices using the service provider/identity provider model. The Liberty Alliance donated the ID-FF standard to OASIS to serve as the foundation for SAML 2.0.

Get the Most Out of SAML SSO with 1Kosmos BlockID

Single Sign-On is a critical part of modern authentication and security. As such, 1Kosmos has tightly integrated SAML SSO into the overall BlockID platform. This means you can utilize SSO within an advanced authentication framework that includes passwordless security, decentralized identity management, and compliant identity assurance.

With 1Kosmos BlockID, you get the following benefits:

  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone.
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture and the encrypted data is only accessible by the user.
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target.
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.

Sign up for a free trial to give our Identity-Based Authentication a try!

FIDO2 Authentication with 1Kosmos
Read More
Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty year career designing and building blockchain and identity management solutions. He has led large customer facing pre-sales teams, led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.