Authentication Fundamentals

SAML — Your Questions, Answered


Software as a Service (SaaS) applications are revolutionizing how we access and use software. These online-only, cloud-based apps make it easier to share information, get updated functionality, manipulate, and distribute data. One issue SaaS apps have, however, is with security. Users can connect over any network, on whatever device they are using to their SaaS apps, bypassing traditional security controls that would normally exist on corporate networks and managed devices.

This is where Security Assertion Markup Language (SAML) came from — it’s a way to understand and authenticate users in a safe and reliable way, minimizing the risk of data breaches, credential theft, and identity issues. Here are our answers to the questions people commonly have about SAML.

What is SAML?

SAML is designed to allow software applications to identify users clearly and without doubt. It uses authentication techniques to ensure only authorized users can access specific apps and data. It’s effectively a “single sign on” for SaaS applications — users only need to input their credentials once, then security software grants them access to all of the SaaS apps they are authorized to access.

SAML is based on the popular XML (Extensible Markup Language) protocol which lets organizations securely verify and transfer authenticated user identities between them. It involves three main parties:

  • The user, who enters their authentication information
  • An Identity Provider (IDP), like an employer or independent verification service
  • A Service Provider (SP) who develops and provides access to the SaaS application

The combination of these three parties makes it much easier to authenticate someone as being able to access a particular system or application, since businesses can use robust security such as multi-factor authentication for the initial login process.

How Does SAML Work in Practice?

The user starts by signing into their single sign on system as normal. The identity provider (normally the IT department of the employer’s business)  has federated software that tracks this login which comes into play and authorizes the user.

When a user wants to access a specific SaaS application, the federated software then communicates with similar software at the SaaS service provider to let them know the login is authentic. This is sent as a special, tokenized, digitally signed, XML document.

When you’re looking to connect to cloud applications, consider SAML and other protocols that form the backbone of cloud security.

Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch’s DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top tier cybersecurity and technology companies, most recently he was with RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both a Certified Information Systems Security Professional (CISSP) and a Certified Cloud Security Professional (CCSP) designation.
Authentication Fundamentals
Multi-Factor Authentication and Single Sign-On Explained
Authentication Fundamentals
Stopping a Microsoft Office 365 Attack — What Are Your Options?
Authentication Fundamentals
EU General Data Protection Regulations. What You Need to Know