The Guide to Security Assertion Markup Language (SAML)


Security Assertion Markup Language (SAML) is a standardized XML-based markup language that service providers and identity providers use to exchange authentication and authorization data.

What is security assertion markup language (SAML)?

Security Assertion Markup Language (SAML) is the industry-standard markup language that cybersecurity providers and services use to exchange authentication data. For example, when a person signs in to their Gmail account, SAML is what lets Google reuse that Gmail authentication so the browser can view and manage associated Google accounts such as Google Analytics or a Google My Business listing.

SAML is XML-based, so it’s native to web browsers, web applications, data centres, and cloud data warehouse environments. Per Wikipedia:

“SAML defines XML-based assertions and protocols, bindings, and profiles. The term SAML Core refers to the general syntax and semantics of SAML assertions as well as the protocol used to request and transmit those assertions from one system entity to another. SAML protocol refers to what is transmitted, not how (the latter is determined by the choice of binding). So SAML Core defines “bare” SAML assertions along with SAML request and response elements.”

There are different versions of SAML, including:

  • SAML 1.0
  • SAML 1.1
  • SAML 2.0
  • ID-FF 1.1
  • ID-FF 1.2

How is security assertion markup language used?

Security assertion markup language is used to share authentication data between an identity provider and other service providers. As in the example above, have you ever noticed how signing in to Gmail once then gives you access to many Google properties, tools, dashboards or accounts? That is generally described as Single Sign-On (SSO). SSO relies on an authentication process that uses SAML to let your browser "speak" with different servers and data sources, confirming and authenticating your identity along the way.

SAML is used by Google, Facebook, Amazon, and all sorts of popular web-based companies for account authentication. It’s also used by thousands of companies to provide employees secure access to documents and data. For example, medical testing companies are able to provide employees secure access to data warehouse information, thanks to SAML.

What are typical SAML elements?

There are three basic elements of SAML: Assertions, Protocols, and Bindings.

What are assertions for SAML?

Per XML.org: “An assertion is a package of information that supplies one or more statements made by a SAML authority… An assertion consists of one or more statements. For single sign-on, a typical SAML assertion will contain a single authentication statement and possibly a single attribute statement. Note that a SAML response could contain multiple assertions, although it’s more typical to have a single assertion within a response.”

What are protocols for SAML?

Per XML.org: “SAML defines a number of request/response protocols. These protocols allow service providers to: 1) Request or query for an assertion, 2) Ask for a subject to be authenticated, 3) Create and manage name identifier mappings (for federating identities through account linking), 4) Request a near-simultaneous log out of a collection of related sessions (“single logout”)…”

What are bindings for SAML?

Per XML.org: “Mappings from SAML request-response message exchanges into standard messaging or communication protocols are called SAML protocol bindings… The SAML SOAP Binding, for instance, defines how SAML protocol messages can be communicated within SOAP messages, whilst the HTTP Redirect binding defines how to pass protocol messages through HTTP redirection.”

What’s a SAML example?

A common example of a SAML-enabled application is G Suite. Say G Suite is the Service Provider (SP) and Okta is the Identity Provider (IdP). The user’s identity is passed from the IdP to the SP in a digitally signed XML document. Because SAML carries the user’s identity information, the application (G Suite) can grant access without ever seeing the user’s password. Trust is established between the IdP and the SP beforehand, so each side knows what to expect from the other, and the SP can open a session for the resources that identity is entitled to.

Is there a security assertion markup tutorial?

There are lots of SAML tutorials out there. Here’s one from Centrify, a Privileged Access Management solution that we often recommend to clients.

Types of SAML solutions and tools

In general, all Identity and Access Management solutions are going to use SAML. Whether you’re looking for a Single Sign-On Solution (SSO), Multi-Factor Authentication Solution (MFA), Managed Security Operations Center (SOC), or Managed Security Services Provider (MSSP), they’re all going to be using SAML somewhere along the way. Here are a few of the service providers we frequently implement for clients:

Do I need a Managed Security Service Provider near me?

Maybe. The most important factor is experience and effective workflow, whether in-person, on-site, virtual, or off-site. That said, we think working with a Managed Security Service Provider (MSSP) near you is an advantage. This will allow your MSSP to better communicate with existing IT teams, and better understand your current information architecture. A non-local MSSP becomes a good option if they follow security best practices and have an established virtual workflow. Why? Location is less significant when virtual workforce tools are effectively adopted by consultant and client, whether a small business or global enterprise. Plus, on-site MSSPs can become costly. Bottom line, look for an MSSP who offers an excellent communication process, clear workflow, and a custom security solution for your business.

Have questions about finding a Managed Security Service Provider?
Email [email protected] or call (925) 918-6618

About Sennovate

Sennovate delivers custom identity and access management solutions to businesses around the world. With global partners and a library of 1000+ integrations, we implement world-class cybersecurity solutions that save your company time and money. We offer a seamless experience with integration across all cloud applications, and a single price for product, implementation, and support. Have questions? The consultation is always free. Email [email protected] or call us at: (925) 918-6618