Security Assertion Markup Language (SAML)

Security Assertion Markup Language (SAML)

Modern authentication often takes place over the web. And the Security Assertion Markup Language, SAML, allows browser-based single-sign-on across a variety of web systems. There are three actors in a SAML request.


This is the end-user who wants to use web-based services. In SAML terms, the end-user is known as the principal.

Identity provider

This is the organization providing the proof of identity, usually the end user’s employer, school, or another account provider. This organization is known as the identity provider.

Service provider

This is a web-based service that the end-user wishes to access. This organization is known as the service provider.

How does It work in the non-authenticated scenario?

Here’s how web-based single-sign-on works using SAML.

1- The principal (end-user) requests access to a resource from the service provider.

2- The service provider checks to see if the user already has a logged-in session, and if so, just skips ahead and grants access.

3- In the case, the principal is not logged in, the service provider redirects the user to the single-sign-on service from the user’s identity provider.

4- The user then tries to authenticate to the identity provider using a username and password or other authentication technique. The key here is that the user must authenticate directly to the identity provider.

5- The identity provider then creates an XHTML form customized for the service provider.

6- The user then has to use this form to request what is called a security assertion from the service provider.

7- This assertion request includes proof of identity from the identity provider.

8- The service provider then validates the request, and creates a security context with the desired service, and redirects the user to that service.

9- The user then requests that desired service and the resource service responds by granting access.

There are two huge benefits to this approach.

1- After the user authenticates once to the identity provider, that authenticated session may last for a period of time specified by the identity provider. During that time period, the user does not need to re-authenticate, providing a true single-sign-on experience.

2- the service provider may use the identity provider’s authentication without gaining access to the user’s password, which remains a shared secret between the user and the identity provider.




Android Lead | Senior Mobile Engineer

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

IPv6 Up and Running — Address Planning Basics and using a Tunnel Broker


The Cost of GDPR Compliance

{UPDATE} O$P$ (Owe Money Pay Money) Hack Free Resources Generator

Serverless Threat Modelling 🚀


Open Invitation to Share Cyber Threat Intelligence on APT29 for Adversary Emulation Plan and…

{UPDATE} Wordsearch Revealer Sky Hack Free Resources Generator

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ahmed Mahmoud Eltaher

Ahmed Mahmoud Eltaher

Android Lead | Senior Mobile Engineer

More from Medium

Making Share My Trip Feature much more robust.

Managing Confluence Permissions

What Are Microservices

Why API Integration?