What is SAML?
SAML (Security Assertion Markup Language) is an XML-based protocol that enables single sign-on (SSO) between systems. This document provides a casual overview of how SAML works, including its structure and communication flow.
🔐 Overview of SAML
SAML enables secure login between systems by exchanging authentication data called assertions.
Key Components
- 📌 IdP (Identity Provider): Handles the actual login and authenticates the user.
- 📌 SP (Service Provider): The web service or app the user wants to access.
- 📌 Assertion: An XML document that conveys the authentication result from the IdP.
🔁 SAML Communication Flow
SAML flows through the browser between SP and IdP using SAMLRequest and SAMLResponse messages.
Main Steps
- ➡️ User accesses the SP (e.g., internal portal).
- ➡️ SP generates a SAMLRequest and redirects the user to the IdP.
- ➡️ User logs in to the IdP.
- ➡️ IdP generates a SAMLResponse and sends it back to the SP via browser.
- ➡️ SP verifies the SAMLResponse and logs the user in.
📨 SAMLRequest
AuthnRequest from SP to IdP. Sent as Base64-encoded XML via Redirect or POST.
Overview
- 🔍 Sent from SP to IdP (AuthnRequest) via Redirect or POST.
- 🔍 Base64-encoded XML string.
- 🔍 Signature may be required depending on IdP policy.
Example
Minimal AuthnRequest (signature/encryption omitted).
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_req123" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
Destination="https://idp.example.com/sso" AssertionConsumerServiceURL="https://sp.example.com/acs">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.com/metadata</saml:Issuer>
</samlp:AuthnRequest>
Base64 / Redirect example
In the HTTP-Redirect binding, the AuthnRequest is DEFLATE-compressed, Base64-encoded and then URL-encoded as a query parameter. For readability, the example below carries the Base64 of the uncompressed XML, so it decodes directly to the request shown above.
https://idp.example.com/sso?SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBJRD0iX3JlcTEyMyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMjQtMDEtMDFUMDA6MDA6MDBaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9pZHAuZXhhbXBsZS5jb20vc3NvIiBBc3NlcnRpb25Db25zdW1lclNlcnZpY2VVUkw9Imh0dHBzOi8vc3AuZXhhbXBsZS5jb20vYWNzIj48c2FtbDpJc3N1ZXIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+aHR0cHM6Ly9zcC5leGFtcGxlLmNvbS9tZXRhZGF0YTwvc2FtbDpJc3N1ZXI+PC9zYW1scDpBdXRoblJlcXVlc3Q%3D
📄 SAMLResponse
Response from IdP to SP. Usually signed; assertions may be encrypted.
Overview
- 🔍 Sent from IdP to SP; usually signed (and often carries an encrypted Assertion).
- 🔍 Base64-encoded XML, typically delivered via POST.
- 🔍 After verifying the signature, the SP must check that InResponseTo matches the ID of the AuthnRequest it issued, that Destination/Recipient is its own ACS URL, and that the NotBefore/NotOnOrAfter timing conditions hold.
Example
Minimal Response (signature/encryption omitted).
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="_res123"
IssueInstant="2024-01-01T00:00:05Z" Destination="https://sp.example.com/acs" InResponseTo="_req123">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com/metadata</saml:Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_assert123" IssueInstant="2024-01-01T00:00:05Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.com/acs" InResponseTo="_req123"
        NotOnOrAfter="2024-01-01T00:05:05Z" />
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:05Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
</samlp:Response>
Base64 / POST example
HTTP-POST binding sends a Base64-encoded response in a form (example data is shortened).
<form method="post" action="https://sp.example.com/acs">
<input type="hidden" name="SAMLResponse" value="PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm4... (Base64 response)..." />
<input type="submit" value="Send" />
</form>
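As an added example that is not part of the original page, here is the SP-side correlation check described above, written in Python with only the standard library. It assumes the XML signature has already been verified by a SAML library and then checks InResponseTo, Destination/Recipient, the NotBefore/NotOnOrAfter window and the AudienceRestriction against a constructed sample modelled on the Response above (the entity IDs and URLs are the page's example values).

```python
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use a hardened parser (e.g. defusedxml) on untrusted input in production
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
def _ts(value):  # SAML timestamps are UTC, e.g. 2024-01-01T00:05:05Z (fractional seconds not handled here)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(b64_response, request_id, acs_url, sp_entity_id, now):
    """Return the list of failed checks (empty list means all passed). Assumes the XML signature
    was already verified by a SAML library; these are only the binding-level correlation checks."""
    root = ET.fromstring(base64.b64decode(b64_response))
    errors = []
    if root.get("InResponseTo") != request_id:
        errors.append("Response.InResponseTo does not match our AuthnRequest ID")
    if root.get("Destination") != acs_url:
        errors.append("Response.Destination is not our ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # refuse ambiguous responses instead of picking one assertion
        return errors + ["expected exactly one Assertion"]
    a = assertions[0]
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id:
        errors.append("SubjectConfirmationData Recipient/InResponseTo mismatch")
    elif not scd.get("NotOnOrAfter") or now >= _ts(scd.get("NotOnOrAfter")):
        errors.append("bearer SubjectConfirmationData missing or past NotOnOrAfter")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return errors + ["Assertion has no Conditions"]
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _ts(nb)) or (noa and now >= _ts(noa)):
        errors.append("outside the Conditions NotBefore/NotOnOrAfter window")
    if sp_entity_id not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        errors.append("our entityID is not in AudienceRestriction")
    return errors

# Constructed sample modelled on the page's minimal Response (signature omitted).
SAMPLE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_res123"
 IssueInstant="2024-01-01T00:00:05Z" Destination="https://sp.example.com/acs" InResponseTo="_req123">
 <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
 <saml:Assertion Version="2.0" ID="_assert123" IssueInstant="2024-01-01T00:00:05Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://sp.example.com/acs" InResponseTo="_req123"
     NotOnOrAfter="2024-01-01T00:05:05Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:05Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>""").decode()
NOW = datetime(2024, 1, 1, 0, 1, 0, tzinfo=timezone.utc)  # "current time" when checking the sample
```

Calling check_response(SAMPLE, "_req123", "https://sp.example.com/acs", "https://sp.example.com/metadata", NOW) returns an empty list; a stale request ID, a later clock or a foreign entityID each produce the corresponding failure strings.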
🌐 Where SAML is Used
Typical scenarios where SAML shines, especially for enterprise SSO between different services.
Common Use Cases
- ✅ Single sign-on between internal systems and cloud apps.
- ✅ Connecting Google Workspace or Microsoft 365 to external tools.
- ✅ Sharing login sessions across multiple services.