What Is SAML?

How does SAML work?

SAML uses a single login page, with its own identity store and various authentication rules, to enable users to log into all web apps from one screen with one password. This means users aren't forced to maintain and reuse passwords for each app they need to access to, and passwords aren't potentially exposed to these or other third-party apps.

SAML functions through some key technologies that happen behind the scenes, including:

• Identity provider: The tool or service that performs the authentication and invokes two-factor authentication, such as Duo Access Gateway.
• Service provider: The web app in which users are trying to gain access.
• SAML assertion: A message that asserts a user's identity and other identifying factors, sent via browser redirects.

The Basics of SAML

What are the benefits of SAML?

SAML simplifies login experiences for users, strengthens security, and reduces costs and complexity for service providers. People can securely re-use the credentials they already have for many different applications.

What role do users play in SAML?

The SAML process is briefly visible to users through web browser redirects, but they do not have to configure or manage anything. Because SAML happens behind the scenes, users can just enjoy the simplified login experience it provides.

How do service providers use SAML?

Service providers offer the applications that users want to access. They configure their applications to establish and trust SAML connections through one or more identity providers.

What do identity providers do?

Identity providers handle authentication requests and pass identity and authorization information back to service provider applications. The Cisco Security Technology Alliance program includes several third-party identity providers.

Does SAML support multi-factor authentication?

Yes, technologies like Duo multi-factor authentication and Duo single sign-on work together to simplify and secure the login experience through SAML.

SAML-related terms to know

Identity federation

Identity federation is the process of delegating authentication responsibility to trusted identity providers. SAML and similar technologies, like OAuth and Web Services Federation (WS-Fed), rely on identity federation to securely re-use existing credentials in multiple applications.

SAML assertions

SAML assertions are the statements an identity provider sends to a service provider that contain authentication, attribute, or authorization decision information. For example, a SAML assertion can provide either a Yes (authenticated) or No (authentication failed) response to a service provider.

Single sign on (SSO)

SSO is a way to sign into multiple applications while entering login credentials only once. With Duo SSO, for example, users can log in to a single, MFA-protected dashboard to gain access to all of their applications, both cloud-based and native.

SAML tokens

SAML tokens are XML-formatted documents that contain the claims or SAML assertions that one entity makes about another. For example, an identity provider can claim or assert that a user is indeed who they say they are. Its security token service digitally signs the SAML token as proof to the service provider.

Lightweight Directory Access Protocol (LDAP)

LDAP is an open standard used to access directory information over an IP network. While SAML and LDAP are both authentication protocols, they function differently and are used for different purposes. For example, LDAP is often used for on-premises authentication, while SAML extends user credentials to cloud applications.