Modern authentication often takes place over the web. And the Security Assertion Markup Language, SAML, allows browser-based single-sign-on across a variety of web systems. There are three actors in a SAML request.
This is the end-user who wants to use web-based services. In SAML terms, the end-user is known as the principal.
This is the organization providing the proof of identity, usually the end user’s employer, school, or another account provider. This organization is known as the identity provider.
This is a web-based service that the end-user wishes to access. This organization is known as the service provider.
How does It work in the non-authenticated scenario?
Here’s how web-based single-sign-on works using SAML.
1- The principal (end-user) requests access to a resource from the service provider.
2- The service provider checks to see if the user already has a logged-in session, and if so, just skips ahead and grants access.
3- In the case, the principal is not logged in, the service provider redirects the user to the single-sign-on service from the user’s identity provider.
4- The user then tries to authenticate to the identity provider using a username and password or other authentication technique. The key here is that the user must authenticate directly to the identity provider.
5- The identity provider then creates an XHTML form customized for the service provider.
6- The user then has to use this form to request what is called a security assertion from the service provider.
7- This assertion request includes proof of identity from the identity provider.
8- The service provider then validates the request, and creates a security context with the desired service, and redirects the user to that service.
9- The user then requests that desired service and the resource service responds by granting access.
There are two huge benefits to this approach.
1- After the user authenticates once to the identity provider, that authenticated session may last for a period of time specified by the identity provider. During that time period, the user does not need to re-authenticate, providing a true single-sign-on experience.
2- the service provider may use the identity provider’s authentication without gaining access to the user’s password, which remains a shared secret between the user and the identity provider.