SAML is an XML-based standard for exchanging security information between two parties, which enables cross-domain single sign-on (SSO) on the web. It lets a user sign on once and use multiple affiliated websites without authenticating at each one, even when those websites have different sign-on mechanisms.
SAML is designed for both business-to-customer and business-to-business scenarios. There are three main components of SAML:
- Assertion: Defines the structure of the information being transferred. There are three kinds of assertion statements:
  - Authentication: An authentication assertion states that the user has been validated.
  - Attribute: An attribute assertion carries information about the user.
  - Authorization: An authorization decision assertion identifies what the user is permitted to do.
- Protocol: Defines how an assertion is requested by, and sent to, a service provider.
- Binding: Defines the communication protocols (such as SOAP or HTTP) used to transport SAML messages.
- Metadata: Defines how configuration information, such as public key information, is shared between the two parties.
At least two parties are involved in implementing Single Sign On. One is known as the Identity Provider (IdP) and the other as the Service Provider (SP). A single IdP may serve multiple SPs. SAML supports two flows for initiating Single Sign On.
- IdP Initiated: This flow is used when the user visits the identity provider's website directly. In this case:
  - The user visits the IdP website directly, and the website asks for credentials to authenticate the user.
  - If the credentials are correct, the user is logged into the IdP website.
  - When the user then visits any of the affiliated sites, a SAML response is sent to the service provider and the user is automatically logged into the SP's website.
- SP Initiated: This flow is used when the user starts at the SP's website. In this case:
  - The user comes to the SP's website.
  - The SP redirects the user to the IdP with a SAML authentication request.
  - The user is authenticated and logged in at the IdP site.
  - A SAML response is sent back to the SP's assertion consumer service, and the user is logged into the SP's website.
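The SP-initiated flow above, as an added example that is not part of the original article: the SP builds the AuthnRequest it redirects the user with, and its assertion consumer service (ACS) checks the returned Response before treating the user as logged in. Everything here is constructed sample data (the entity IDs, URLs and the IdP response are made up), it uses only the Python standard library, and the response is unsigned so the checks can run offline; a real SP must verify the XML signature with the IdP's public key from metadata before any of these checks.

```python
"""SP-initiated SAML SSO, SP side: build an AuthnRequest, then validate the
Response at the assertion consumer service. Constructed example, stdlib only."""
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Assumed (constructed) configuration: this SP and the single IdP it trusts.
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
IDP_SSO_URL = "https://idp.example.com/sso"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def _now():
    return datetime.now(timezone.utc)

def _fmt(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_authn_request():
    """Step 2: the SP creates the AuthnRequest and redirects the user to the IdP.
    Returns (request_id, xml_bytes); the SP keeps request_id in the user's
    session so it can match InResponseTo when the Response comes back."""
    request_id = "_" + secrets.token_hex(16)
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": _fmt(_now()),
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = SP_ENTITY_ID
    return request_id, ET.tostring(root)

def make_sample_response(in_response_to, subject="alice@example.com",
                         audience=SP_ENTITY_ID, skew=timedelta(0)):
    """Steps 3-4, constructed IdP side: an unsigned Response with one assertion,
    base64-encoded as it would arrive in the HTTP-POST form field."""
    now = _now() + skew  # skew lets a test produce an expired assertion
    resp = ET.Element(f"{{{NS['samlp']}}}Response", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0",
        "IssueInstant": _fmt(now), "Destination": SP_ACS_URL,
        "InResponseTo": in_response_to})
    ET.SubElement(resp, f"{{{NS['saml']}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{NS['samlp']}}}Status")
    ET.SubElement(status, f"{{{NS['samlp']}}}StatusCode", {"Value": SUCCESS})
    a = ET.SubElement(resp, f"{{{NS['saml']}}}Assertion", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": _fmt(now)})
    ET.SubElement(a, f"{{{NS['saml']}}}Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subj, f"{{{NS['saml']}}}NameID").text = subject
    cond = ET.SubElement(a, f"{{{NS['saml']}}}Conditions", {
        "NotBefore": _fmt(now - timedelta(minutes=1)),
        "NotOnOrAfter": _fmt(now + timedelta(minutes=5))})
    aud = ET.SubElement(cond, f"{{{NS['saml']}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{NS['saml']}}}Audience").text = audience
    return base64.b64encode(ET.tostring(resp))

def consume_response(b64_response, expected_request_id):
    """Step 4 at the ACS. Returns the NameID to log in, or raises ValueError
    naming the failed check. Assumes the XML signature was already verified."""
    now = _now()
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    # The response must be addressed to this ACS endpoint ...
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination mismatch")
    # ... and answer the AuthnRequest this session actually sent.
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding request")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # accept exactly one assertion, nothing ambiguous
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    for issuer in (root.find("saml:Issuer", NS), a.find("saml:Issuer", NS)):
        if issuer is None or issuer.text != IDP_ENTITY_ID:
            raise ValueError("Issuer is not the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_parse(cond.get("NotBefore")) <= now < _parse(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion missing Conditions or outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion is not addressed to this SP")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("missing NameID")
    return name_id.text

if __name__ == "__main__":
    rid, _req = build_authn_request()
    print("logged in:", consume_response(make_sample_response(rid), rid))
```

The checks are deliberately ordered from cheapest to most specific, and each failure names the condition that was violated, which is what an SP operator wants in the ACS log when an IdP integration is misconfigured (wrong ACS URL in the IdP, clock drift between the two parties, or an audience set to a different SP).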
Why SAML is popular
Many websites have affiliated services; a hotel booking website, for example, may also link to a travel website. Without SSO this is tedious for the user: they first have to create credentials for the hotel booking site, and if they also want to use the travel website they have to go through its registration process again to gain access.
With SAML, however, the user signs in only to the first website and is automatically signed into the other.