
This article was automatically translated from the original Turkish version.


SAML (Security Assertion Markup Language)

Field: Information Security, Identity Federation
Category: Open Standard - Identity and Authorization
First Publication: 2002 (OASIS Consortium)
Version: SAML 2.0 (2005 - the currently widely used version)
Basic Concepts: Identity Provider (IdP), Service Provider (SP), XML-based authorization transmission

SAML (Security Assertion Markup Language) is an XML-based open standard that enables secure transmission of authentication and authorization information between applications operating under different domain names. SAML forms the foundation of single sign-on (SSO) solutions, allowing users to access multiple services with a single authentication.

Core Components and Operation

SAML architecture consists of three main components:

  • User (Subject): The individual carrying the identity credentials.
  • Identity Provider (IdP): The system that authenticates the user’s identity (e.g., Active Directory Federation Services).
  • Service Provider (SP): The web service the user wishes to access (e.g., email application, intranet portal).

Operation Steps (SSO Scenario)

  1. The user attempts to access the service provider directly.
  2. The service provider redirects the user to the identity provider.
  3. The identity provider authenticates the user and generates a SAML assertion.
  4. The assertion is transmitted to the service provider via the user’s browser.
  5. The service provider validates the assertion and grants the user access.

SAML Assertion

The fundamental communication unit in SAML is called an assertion. An assertion contains three types of data:

  • Authentication Statement: Specifies when and by what method the user was authenticated.
  • Attribute Statement: Contains user-specific information such as name, surname, and role.
  • Authorization Decision Statement: States the access decision for a specific resource (optional).

Assertions are protected using XML digital signatures and are typically short-lived (e.g., five minutes).

Advantages and Use Cases

Advantages

  • SSO convenience: Enables access to multiple applications with a single login.
  • Platform independence: Ensures interoperability across web-based applications.
  • Security: Communication is secured through XML signatures and HTTPS.
  • Centralized identity management: Users are managed from a single point.

Use Cases

  • Enterprise applications: Access to services such as SAP, Salesforce, and Office 365.
  • Universities: Academic identity federations based on Shibboleth.
  • e-Government systems: Access to multiple government services using a single identity.
  • Cloud service providers: Federation support on platforms such as AWS and Azure.

SAML 2.0 Compared with OAuth2 / OpenID Connect

  • Use Case:
    • SAML 2.0 is preferred in enterprise environments and browser-based applications (e.g., email systems, intranet portals).
    • OAuth2 / OpenID Connect is more common in modern web applications and systems operating on mobile devices.
  • Data Format:
    • SAML uses XML-based messages.
    • OAuth2 / OIDC uses the lighter and developer-friendly JSON format.
  • Transport Protocol:
    • SAML typically transmits data via HTTP POST or HTTP Redirect.
    • OAuth2 / OIDC uses JSON/HTTPS over RESTful APIs.
  • Session Management:
    • SAML provides robust and detailed session management features, particularly suited for enterprise scenarios.
    • OAuth2 / OIDC offers more flexible session management but often requires greater developer control in specific implementations.
  • Complexity:
    • SAML has a more complex structure due to XML signing, certificate validation, and assertion processing.
    • OAuth2 / OIDC is less complex and offers faster implementation for modern applications.

Challenges and Criticisms

  • Complex structure: Its XML-based nature and signing processes can complicate application integration.
  • Limited mobile support: Integrating SAML with mobile applications is difficult, which is why OpenID Connect is more frequently chosen in modern systems.
  • Redirect management: Ensuring correct user redirection and assertion validity requires precise configuration.

SAML is a mature standard that forms the foundation of secure and centralized authentication systems widely used in enterprise environments. It delivers effective solutions in areas requiring high security, such as enterprise applications, academic federations, and e-government services.

Author Information

Author: Ramazan Cüneyt Küçük, December 8, 2025 at 1:20 PM
