Software Integrity

What is Security Assertion Markup Language (SAML)?

Let’s take a closer look at Security Assertion Markup Language, more commonly known as SAML. Have you been wondering what the fuss is about and whether this protocol can work for you? Let’s begin.

SAML (Security Assertion Markup Language) is an XML-based, open standard data format for exchanging authentication and authorization data between parties. It’s a powerful tool for identity and access management. What does that mean?

Identity and access management (IAM) is the art and science of letting users into an application. IAM systems maintain data about individuals that’s used to grant access to applications and resources. IAM systems provide authentication and authorization services using the identity data they maintain.

While SAML shares some traits with tools like OAuth, SAML is much more than just an SSO protocol. The deep communication between the identity provider and the service provider makes possible a much richer set of functionality than shared authorization alone: it enables federation.

Federation is a trust relationship between two organizations or identity providers, and the SAML protocol helps to build that relationship. For example, CowLove.us is an online dating/breeding service for cattle. Mana Creek Station is a cattle rancher. These two companies form a federation using SAML. Now when a Mana Creek manager logs into the Mana Creek Station corporate network, its identity provider can use SAML to assert the manager’s identity to CowLove.us and log the manager into that web service as well, without Mana Creek having to register or manage separate CowLove.us accounts for its employees. The big advantage: not having to manage multiple accounts and credentials for each user. A welcome security bonus: since SAML asserts identity without sharing the user’s authentication information between the applications, credentials stay safer.
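The assertion step in that example, as an added illustration that is not part of the original post: the checks the CowLove.us service provider (SP) should apply to an assertion received from Mana Creek’s identity provider (IdP) before trusting the identity it carries. The entity IDs, the assertion and the timestamps are constructed sample values; verification of the assertion’s XML signature is assumed to be done by an XML-DSig library beforehand and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion as a partner IdP might issue it. The XML signature
# is omitted: an XML-DSig library must verify it before these checks run.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.manacreek.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>manager@manacreek.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://cowlove.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC ISO 8601 with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, trusted_issuer, sp_entity_id, now):
    """Return the asserted NameID, or raise ValueError naming the failed check."""
    root = ET.fromstring(xml_text)
    # 1. The assertion must come from the IdP this federation trusts.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        raise ValueError(f"untrusted issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("missing Conditions or NotOnOrAfter")
    # 2. Stale or replayed assertions fall outside the validity window.
    not_before = _ts(cond.get("NotBefore", "1970-01-01T00:00:00Z"))
    if now < not_before or now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    # 3. An assertion minted for another SP must not be accepted here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError(f"assertion not addressed to {sp_entity_id}")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("missing Subject NameID")
    return name_id

def outcome(xml_text, trusted_issuer, sp_entity_id, now_iso):
    try:
        return "accepted:" + validate_assertion(xml_text, trusted_issuer, sp_entity_id, _ts(now_iso))
    except ValueError as exc:
        return "rejected:" + str(exc)
```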

It’s important to understand what SAML (Security Assertion Markup Language) is NOT:

  • SAML is NOT an actual identity provider. It is a standard for communication between identity providers and service providers.
  • SAML is NOT a federated identity system. A federated identity system is a method for linking digital identities across more than one identity management system. SAML can be used to implement a federated identity system.
  • SAML does NOT share authentication information between applications. OAuth (a competing authorization standard) delegates an identity’s permissions between applications. SAML provides a way for several applications to communicate with a central identity store.

Security Assertion Markup Language is best at providing a standard backbone for the creation of a federated identity system. It’s a protocol, so it can integrate with existing identity products — whether that’s an application that needs an access control system, or an identity provider that needs to provide access control to a diverse set of applications.

SAML is not good at being simple. Security Assertion Markup Language is a sophisticated, complex standard, and it is used in sophisticated, complex products. In situations where only simple authentication is needed, there are probably other, simpler standards that would be more useful, such as OpenID or OAuth. Before making a choice, identify the requirements for your system, and evaluate which tool is best for you.