Security Assertion Markup Language, or SAML, is a way to tell third-party applications and services that a user is authenticated. SAML allows an identity provider (IdP) to authenticate users and send an authentication token to the application known as the service provider (SP). SAML enables a single sign-on (SSO) experience for users between any two applications that support SAML protocol and services. This allows SSO to perform secure login functions on behalf of one or more applications.
The two actors in SAML are:
1. Identity Provider
The IdP is a service that stores and verifies user identities. IdPs offer authentication services to third-party service providers, such as websites, apps, or other digital services. They do this by forming the identity and authenticating an end user to the service provider.
2. Service Provider
A SP is a website that hosts applications or services for users. An SP relies on IdP to verify the identity of a user. If a user wants to use an application, the application is the SP.
How does SAML work?
1. A user tries to sign in to a website or application. Here, the website or application is the SP.
2. The SP creates a SAML authentication request and sends it to the user's IdP. SP redirects the user to the IdP.
3. The IdP asks the user to sign in and the user gets authenticated.
4. Once the user is authenticated, the IdP sends a signed SAML response to the SP through the assertion consumer service (ACS) URL.
5. The SP receives and validates the SAML response and the user is granted access to the service.