What is SAML?

Learn how the industry standard protocol, security assertion markup language (SAML), strengthens security measures and improves sign-in experiences.

SAML defined

SAML is the underlying technology that allows people to sign in once using one set of credentials and access multiple applications. Identity providers, like Azure Active Directory (Azure AD), verify users when they sign in and then use SAML to pass that authentication data to the service provider that runs the site, service, or app that the users wish to access.

What is SAML used for?

SAML helps strengthen security for businesses and simplify the sign-in process for employees, partners, and customers. Organizations use it to enable single sign-on, which allows people to use one username and password to access multiple sites, services, and apps. Decreasing the number of passwords that people must memorize is not only easier for them, but it also reduces the risk that one of those passwords will be stolen. Organizations can also set security standards for authentications across their SAML-enabled apps. For example, they can require multifactor authentication before people access the on-premises network and apps, like Salesforce, Concur, and Adobe. 

 

SAML helps organizations address the following uses cases:

 

Unify identity and access management:

By managing authentication and authorization in one system, IT teams can significantly reduce the time they spend on user provisioning and identity entitlement.

 

Enable Zero Trust:

A Zero Trust security strategy requires that organizations verify every access request and limit access to sensitive information to only the people that need it. Tech teams can use SAML to set policies, such as multifactor authentication and conditional access, to all their apps. They can also enable stricter security measures, such as forcing a password reset, when a user’s risk is elevated based on their behavior, device, or location.

 

Enrich the employee experience:

In addition to simplifying access for workers, IT teams can also brand sign-in pages to create a consistent experience across apps. Employees also save time with self-service experiences that let them easily reset their passwords.

What is a SAML provider?

A SAML provider is a system that shares identity authentication and authorization data with other providers. There are two types of SAML providers:

  • Identity providers authenticate and authorize users. They provide the sign-in page where people enter their credentials. They also enforce security policies, such as by requiring multifactor authentication or a password reset. Once the user is authorized, identity providers pass the data to service providers. 
  • Service providers are the apps and websites that people want to access. Instead of requiring people to sign into their apps individually, service providers configure their solutions to trust SAML authorization and rely on the identity providers to verify identities and authorize access. 

How does SAML authentication work?

In SAML authentication, service providers and identity providers share sign-in and user data to confirm that each person who requests access is authenticated. It typically follows the following steps:

  1. An employee begins work by signing in using the login page provided by the identity provider.
  2. The identity provider validates that the employee is who they say they are by confirming a combination of authentication details, such as username, password, PIN, device, or biometric data.
  3. The employee launches a service provider app, such as Microsoft Word or Workday. 
  4. The service provider communicates with the identity provider to confirm that that the employee is authorized to access that app.
  5. The identity providers send authorization and authentication back.
  6. The employee accesses the app without signing in a second time.
     

What is SAML assertion?

SAML assertion is the XML document containing data that confirms to the service provider that the person who is signing in has been authenticated.

 

There are three types:

  • Authentication assertion identifies the user and includes the time the person signed-in and the type of authentication they used, such as a password or multifactor authentication
  • Attribution assertion passes the SAML token to the provider. This assertion includes specific data about the user.
  • An authorization decision assertion tells the service provider whether the user is authenticated or if they are denied either because of an issue with their credentials or because they don’t have permissions for that service. 

SAML vs. OAuth

Both SAML and OAuth make it easier for people to access multiple services without signing in to each one separately, but the two protocols use different technology and processes. SAML uses XML to enable people to use the same credentials to access multiple services, while OAuth passes authorization data using JWT or JavaScript Object Notation.


In OAuth, people choose to sign into a service using third party authorization, such as their Google or Facebook accounts, rather than creating a new username or password for the service. Authorization is passed while protecting the user’s password.

The role of SAML for businesses

SAML helps businesses enable both productivity and security in their hybrid workplaces. With more people working remotely, it’s critical to empower them to easily access company resources from anywhere, but without the right security controls, easy access raises the risks of a breach. With SAML, organizations can streamline the sign-in process for employees while enforcing strong policies like multifactor authentication and conditional access across the apps their employees use.


To get started, organizations should invest in an identity provider solution, like Azure AD. Azure AD protects users and data with built-in security and unifies identity management into a single solution. Self-service and single sign-on make it easy and convenient for employees to stay productive. Plus, Azure AD comes with prebuilt SAML integration with thousands of apps, such as Zoom, DocuSign, SAP Concur, Workday, and Amazon Web Services (AWS).

Learn more about Microsoft Security

Frequently asked questions

|

SAML includes the following components:

  • Identity service providers authenticate and authorize users. They provide the sign-in page where people enter their credentials and enforce security policies, such as requiring multifactor authentication or a password reset. Once the user is authorized, the identity providers pass the data to service providers.
  • Service providers are the apps and websites that people want to access. Instead of requiring people to sign into their apps individually, service providers configure their solutions to trust SAML authorization and rely on the identity providers to verify identities and authorize access.
  • Metadata describes how identity providers and service providers will exchange assertions, including endpoints and technology.
  • Assertion is the authentication data that confirms to the service provider that the person that is signing in has been authenticated.
  • Signing certificates establish trust between the identity provider and the service provider by confirming that the assertion wasn’t manipulated while traveling between the two providers.
  • The system clock confirms that the service provider and the identity provider have the same time to protect against replay attacks.

SAML offers the following benefits to organizations, their employees and partners:

  • Enhanced user experience. SAML enables organizations to create a single sign-on experience so that employees and partners sign in once and gain access to all their apps. This makes work easier and more convenient because there are fewer passwords to memorize, and employees don’t have to sign in every time they switch tools.
  • Improved security. Fewer passwords reduce the risk of compromised accounts. Plus, security teams can use SAML to apply strong security policy to all their apps. For example, they can require multifactor authentication to sign in or apply conditional access policies that limit which apps and data people can access.
  • Unified management. By using SAML, tech teams manage identities and security policies in one solution rather than using separate management consoles for each app. This significantly simplifies user provisioning.

SAML is an open standard XML technology that allows identity providers, like Azure Active Directory (Azure AD) to pass authentication data to a service provider, such as a software as a service app.

 

Single sign-on is when people sign in once and then gain access to several different websites and apps. SAML enables single sign-on, but it’s possible to deploy single sign-on with other technologies.

Lightweight directory access protocol (LDAP) is an identity management protocol that is used for authentication and authorization of user identities. Many service providers support LDAP, so it can be a good solution for single sign-on, however, because it’s an older technology it doesn’t work as well with web applications.

 

SAML is a newer technology that is available on most web and cloud applications, making it a more popular choice for centralized identity management.

Multifactor authentication is a security measure that requires people to use more than one factor to prove their identity. Typically, it requires something that the individual has, like a device, plus something that they know, like a password or PIN. SAML enables tech teams to apply multifactor authentication to multiple websites and apps. They can choose to apply this level of authentication to all the apps integrated with SAML or they can enforce multifactor authentication for some apps but not others.