Security Assertion Markup Language (SAML) is an open federation standard that allows an identity provider (IdP) to authenticate users and then pass an authentication token to another application known as a service provider (SP). SAML enables the SP to operate without having to perform its own authentication and pass the identity to integrate internal and external users. It allows security credentials to be shared with a SP across a network, typically an application or service. SAML enables secure, cross-domain communication between public cloud and other SAML-enabled systems, as well as a selected number of other identity management systems located on-premises or in a different cloud. With SAML, you can enable a single sign-on (SSO) experience for your users across any two applications that support SAML protocol and services, allowing a SSO to perform several security functions on behalf of one or more applications.
SAML relates to the XML variant language used to encode this information and can also cover various protocol messages and profiles that make up part of the standard.
Explore how Oracle uses SAML to increase security with a single click.
Learn about utilizing SAML from on-premises to the cloud.
SAML works by passing information about users, logins, and attributes between the identity provider and SP. Each user authenticates once to an IdP and can then seamlessly extend their authentication session to potentially numerous applications. The IdP passes what’s known as a SAML assertion to the SP when the user attempts to access those services. The SP requests the authorization and authentication from the identify.
A SAML provider is a system that helps users obtain access to a service needed. SAML transfers identity data between two parties, an IdP and a SP. There are two main types of SAML providers:
Identity provider (IdP)—performs authentication and passes the user's identity and authorization level to the service provider (SP). The IdP has authenticated the user while the SP allows access based on the response provided by the IdP.
Service provider (SP)—trusts the IdP and authorizes the given user to access the requested resource. A SP requires the authentication from the IdP to grant authorization to the user and since both of systems share the same language, the user only needs to log in once.
A SAML Assertion is a XML document that the identity provider sends to the SP containing the user authorization status. The three distinct types of SAML Assertions are authentication, attribute, and authorization decisions.
SAML is primarily used to enable web browser single sign-on (SSO). The user experience objective for SSO is to allow a user to authenticate once and gain access to separately secured systems without resubmitting credentials. The security objective is to ensure the authentication requirements are met at each security perimeter.
User experience is extremely important for any application and it must start from the initial moment a user interacts with it. The first activity is generally the login process. If this operation is cumbersome or unintuitive it can diminish the overall experience of using the application. Oracle Identity Cloud Service (IDCS) manages user access and entitlements across a wide range of cloud and on-premises applications and services using a cloud-native, identity as a service (IDaaS) platform acting as the front door into Oracle Cloud for external identities. With this, organizations can enable a zero-trust strategy and establish user identity management as a new security perimeter.