SAML includes the following components:
- Identity providers (IdPs) authenticate users. They provide the sign-in page where people enter their credentials and enforce security policies, such as requiring multifactor authentication or a password reset. Once the user has signed in, the identity provider issues an assertion and sends it to the service provider, usually by way of the user's browser, which posts it to the service provider. The attributes in that assertion (group memberships, for example) are what the service provider uses to decide what the user may access.
- Service providers (SPs) are the apps and websites that people want to access. Instead of requiring people to sign into each app separately, service providers configure their solutions to trust assertions signed by a specific identity provider and rely on it to verify identities; the service provider still applies its own authorization to the identity it receives.
- Metadata is an XML document that each party publishes describing how it exchanges messages: its entity ID, its endpoints (the identity provider's single sign-on URL, the service provider's assertion consumer service URL), the bindings it supports, and the certificates it signs with. Exchanging metadata is how the two sides are introduced to each other, so it must come from a trusted source.
- An assertion is the signed XML statement from the identity provider that confirms to the service provider who has been authenticated, how, and when. It also carries conditions on its use, including the time window in which it is valid and the audience (the service provider) it was issued for.
- Signing certificates establish trust between the identity provider and the service provider: the identity provider signs the assertion with its private key, and the service provider verifies the signature with the certificate published in the identity provider's metadata. A valid signature confirms that the assertion came from that identity provider and wasn't manipulated while traveling between the two providers. The service provider must verify against the certificate it has on file, not against a certificate carried inside the message itself.
- The system clock matters because assertions carry NotBefore and NotOnOrAfter timestamps that the service provider compares with its own clock, so both sides need accurate, synchronized time (allowing only a small tolerance for skew). This keeps a captured assertion from being accepted long after it was issued; to stop reuse within the validity window, service providers should also refuse an assertion ID they have already accepted.
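The checks described in the list above, as an added example that is not part of the original page: a service-provider-side validator over a constructed SAML 2.0 assertion. It checks the issuer, that the certificate carried in the signature is the one pinned from the identity provider's metadata, the NotBefore/NotOnOrAfter window against the service provider's own clock with a small skew allowance, the audience, and a replay cache of accepted assertion IDs. The issuer, audience, URLs and "certificate" bytes are constructed for this example, and the cryptographic verification of the XML signature itself is assumed to have been done beforehand by an XML-DSig library; this block does not perform it.

```python
"""Added example: service-provider (SP) checks on a received SAML 2.0 assertion.
Names, URLs and the 'certificate' bytes below are constructed for the example.
Assumes an XML-DSig library has already verified SignatureValue over the element."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML, "ds": DSIG}

# Constructed placeholders standing in for base64 X.509 certificates from metadata.
PINNED_CERT_B64 = base64.b64encode(b"constructed-idp-signing-certificate").decode()
ROGUE_CERT_B64 = base64.b64encode(b"constructed-attacker-certificate").decode()

# What this SP expects, as it would be configured from the IdP's metadata (assumed values).
SP_POLICY = {
    "expected_issuer": "https://idp.example.com/saml",
    "expected_audience": "https://sp.example.com/metadata",
    "pinned_cert_b64": PINNED_CERT_B64,
}
NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)  # the SP's clock in the demo


def sample_assertion(cert_b64=PINNED_CERT_B64, audience="https://sp.example.com/metadata"):
    """Constructed assertion carrying the parts the text describes (a sample, not captured)."""
    return f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DSIG}"
    ID="_id-7f3a" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <ds:Signature>
    <ds:SignatureValue>Y29uc3RydWN0ZWQtc2lnbmF0dXJl</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_xs_datetime(value):
    """SAML timestamps are xs:dateTime in UTC ('Z'); fractional seconds are optional."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def cert_fingerprint(b64_text):
    """Compare certificates by SHA-256 of the decoded bytes so PEM line breaks don't matter."""
    return hashlib.sha256(base64.b64decode("".join(b64_text.split()))).hexdigest()


def validate_assertion(xml_text, *, expected_issuer, expected_audience, pinned_cert_b64,
                       seen_ids, now, skew=timedelta(minutes=3)):
    """Return the reasons to reject the assertion; an empty list means it is accepted.
    seen_ids is the SP's replay cache: assertion ID -> time after which it can be forgotten."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion" or root.get("Version") != "2.0":
        return ["not a SAML 2.0 Assertion"]
    problems = []
    if root.findtext("saml:Issuer", default="", namespaces=NS).strip() != expected_issuer:
        problems.append("issuer is not the configured identity provider")
    # Signing certificate: trust only the certificate pinned from IdP metadata. Accepting
    # whatever KeyInfo carries would let an attacker sign assertions with their own key.
    embedded = root.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if embedded is None or cert_fingerprint(embedded) != cert_fingerprint(pinned_cert_b64):
        problems.append("signing certificate is not the pinned IdP certificate")
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return problems + ["missing Conditions/NotOnOrAfter; refusing an open-ended assertion"]
    not_on_or_after = parse_xs_datetime(cond.get("NotOnOrAfter"))
    # System clock: compare with the SP's own (NTP-synced) clock, allowing only a small skew.
    if cond.get("NotBefore") and now + skew < parse_xs_datetime(cond.get("NotBefore")):
        problems.append("assertion is not yet valid")
    if now - skew >= not_on_or_after:
        problems.append("assertion has expired")
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append("audience does not name this service provider")
    # Replay: timestamps only bound the window; inside it the same ID must not be accepted twice.
    for stale in [k for k, until in seen_ids.items() if until <= now]:
        del seen_ids[stale]
    assertion_id = root.get("ID")
    if assertion_id in seen_ids:
        problems.append(f"replayed assertion ID {assertion_id}")
    else:
        seen_ids[assertion_id] = not_on_or_after + skew
    return problems


def demo():
    """Scenarios a practitioner would test; returns scenario -> rejection reasons."""
    cache = {}
    return {
        "fresh": validate_assertion(sample_assertion(), seen_ids=cache, now=NOW, **SP_POLICY),
        "replayed": validate_assertion(sample_assertion(), seen_ids=cache, now=NOW, **SP_POLICY),
        "expired": validate_assertion(sample_assertion(), seen_ids={},
                                      now=NOW + timedelta(minutes=10), **SP_POLICY),
        "rogue_cert": validate_assertion(sample_assertion(cert_b64=ROGUE_CERT_B64),
                                         seen_ids={}, now=NOW, **SP_POLICY),
        "wrong_audience": validate_assertion(sample_assertion(audience="https://other.example.com"),
                                             seen_ids={}, now=NOW, **SP_POLICY),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name:15} {'accepted' if not problems else problems}")
```

The order of the checks is deliberate: nothing in the assertion is trusted until the signature has been verified against the pinned certificate, and the replay cache only needs to hold an ID for as long as the assertion's own expiry plus the skew allowance, after which the clock check rejects it anyway.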
SAML offers the following benefits to organizations, their employees and partners:
- Enhanced user experience. SAML enables organizations to create a single sign-on experience so that employees and partners sign in once and gain access to all their apps. This makes work easier and more convenient because there are fewer passwords to memorize, and employees don’t have to sign in every time they switch tools.
- Improved security. Fewer passwords, entered only at the identity provider rather than at every app, reduce the risk of compromised accounts. Plus, security teams can use SAML to apply strong security policies to all their apps. For example, they can require multifactor authentication to sign in or apply conditional access policies that limit which apps and data people can access.
- Unified management. By using SAML, tech teams manage identities and security policies in one solution rather than using separate management consoles for each app. Disabling an account at the identity provider removes its access to every SAML-integrated app at once. Note that SAML itself does not create or update user accounts in the apps; that provisioning step is handled separately, for example with SCIM or just-in-time provisioning from assertion attributes.
SAML (Security Assertion Markup Language) is an open, XML-based standard maintained by OASIS; SAML 2.0 is the version in current use. It allows an identity provider, such as Microsoft Entra ID (formerly Azure Active Directory), to pass authentication data to a service provider, such as a software as a service app.
Single sign-on (SSO) is when people sign in once and then gain access to several different websites and apps. SAML enables single sign-on, but it isn't the only way to deploy it; OpenID Connect is another widely used protocol for the same purpose.
Lightweight Directory Access Protocol (LDAP) is a protocol for querying and updating a directory such as Active Directory; apps commonly authenticate users by checking their password against the directory with an LDAP bind. Many service providers support LDAP, so it can provide centralized authentication. However, each app then handles the user's password itself and needs a network path to the directory, which suits older on-premises software and doesn't work as well with web and cloud applications.
SAML is a newer technology that works through the browser and is available on most web and cloud applications. The password stays at the identity provider and only a signed assertion reaches the app, which makes SAML the more popular choice for centralized identity management.
Multifactor authentication (MFA) is a security measure that requires people to use more than one factor to prove their identity. Typically, it combines something the individual has, like a device or security key, with something they know, like a password or PIN, or something they are, like a fingerprint. Because SAML authentication happens at the identity provider, tech teams configure multifactor authentication there once and it applies to the websites and apps integrated with SAML. They can require it for all of those apps or enforce it for some apps but not others. A service provider can also ask for a stronger authentication method in its request (RequestedAuthnContext) and should check the AuthnContextClassRef in the assertion it receives to confirm that the identity provider actually used one.
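Per-app MFA as described above, shown as an added example that is not part of the original page: the service provider builds an AuthnRequest that asks for specific authentication-context classes, then checks the identity provider's Response to confirm that one of them was actually used and that the response answers a request it really sent. The entity IDs, URLs and the two classes this service provider accepts as "MFA" are assumptions made for the example; the classes themselves come from the SAML 2.0 Authentication Context specification, but which ones count as strong enough is a policy choice. The sample Response is constructed and unsigned; a real one is signed and would be verified before any of these checks.

```python
"""Added example: a service provider (SP) requesting multifactor authentication from the
identity provider (IdP) and verifying that the Response reports it. Entity IDs, URLs and
the accepted context classes are assumptions for this example; the Response is constructed."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

# Classes from the SAML 2.0 Authentication Context specification. Which ones count as
# "MFA" is an SP policy decision; these two are an assumption for the example.
PASSWORD_ONLY = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MFA_CLASSES = (
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
)
SP_ENTITY_ID = "https://sp.example.com/metadata"       # assumed
ACS_URL = "https://sp.example.com/saml/acs"            # assumed
IDP_SSO_URL = "https://idp.example.com/saml/sso"       # assumed
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def build_authn_request(required_classes, pending, now=None):
    """Build the AuthnRequest the SP sends; records its ID in `pending` for correlation."""
    request_id = "_" + secrets.token_hex(16)   # xs:ID must start with a letter or underscore
    now = now or datetime.now(timezone.utc)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    # Comparison="exact": the IdP must authenticate with one of the listed classes.
    ctx = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    for cls in required_classes:
        ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = cls
    pending[request_id] = now
    return request_id, ET.tostring(req, encoding="unicode")


def sample_response(in_response_to, class_ref):
    """Constructed IdP Response (unsigned sample; a real one is signed and verified first)."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp-1" Version="2.0" IssueInstant="2024-05-01T12:00:05Z"
    InResponseTo="{in_response_to}" Destination="{ACS_URL}">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_asrt-1" Version="2.0" IssueInstant="2024-05-01T12:00:05Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-05-01T12:00:04Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def mfa_satisfied(response_xml, pending, accepted_classes):
    """Return (ok, reason). Asking for MFA in the request is not enforcement: the SP must
    read what the IdP says it actually did and refuse anything weaker."""
    root = ET.fromstring(response_xml)
    in_response_to = root.get("InResponseTo")
    if in_response_to not in pending:
        return False, "response does not match an outstanding request"
    del pending[in_response_to]            # one response per request, never reused
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "IdP did not report success"
    classes = [c.text.strip() for c in root.findall(
        "saml:Assertion/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS) if c.text]
    if not classes or any(c not in accepted_classes for c in classes):
        return False, f"authentication context {classes} is weaker than required"
    return True, "multifactor authentication confirmed"


def demo():
    """Three outcomes: MFA honoured, IdP fell back to password only, unsolicited response."""
    pending = {}
    rid, _ = build_authn_request(MFA_CLASSES, pending)
    honoured = mfa_satisfied(sample_response(rid, MFA_CLASSES[0]), pending, MFA_CLASSES)
    rid2, _ = build_authn_request(MFA_CLASSES, pending)
    ignored = mfa_satisfied(sample_response(rid2, PASSWORD_ONLY), pending, MFA_CLASSES)
    unsolicited = mfa_satisfied(sample_response("_forged", MFA_CLASSES[0]), pending, MFA_CLASSES)
    return {"honoured": honoured, "password_only": ignored, "unsolicited": unsolicited}


if __name__ == "__main__":
    print(build_authn_request(MFA_CLASSES, {})[1])
    for name, (ok, reason) in demo().items():
        print(f"{name:14} {'accepted' if ok else 'rejected'}: {reason}")
```

The request only expresses a preference; an identity provider that is misconfigured, or that does not support the requested classes, may still return a password-only assertion, so the check in `mfa_satisfied` is the part that actually enforces the per-app MFA requirement.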