Phoenix

SAML - Single Sign On

How SAML works
SAML (Security Assertion Markup Language) is an XML-based protocol for Single Sign-On. The core idea: instead of every app managing its own login, one trusted system (the IdP) handles authentication and vouches for you to other apps (SPs) via a signed XML token.
There are two flows — SP-initiated (most common — user hits the app first) and IdP-initiated (user starts from an IdP portal). The diagram below shows SP-initiated.

Core actors

SP (Service Provider) — the app the user wants to access. It trusts the IdP but cannot authenticate users itself.
IdP (Identity Provider) — the central auth system (Okta, Azure AD, Google Workspace). It knows who the user is.
Principal — the end user being authenticated.

Key messages

AuthnRequest — XML request from SP to IdP saying "please authenticate this user." Contains an AssertionConsumerServiceURL (where to send the response back).
SAMLResponse — XML sent back from IdP to SP, containing one or more Assertions.
Assertion — the actual claim inside the response. Three types:

Authentication assertion — "this user logged in at time X"
Attribute assertion — "this user's email is x@y.com, role is admin"
Authorization assertion — "this user is allowed to do Y" (rare)

Binding types (how messages travel)

HTTP Redirect binding — used for the AuthnRequest; base64-encoded and sent as a URL query parameter. Small messages only.
HTTP POST binding — used for the SAMLResponse; sent as an HTML form POST. Can carry large XML payloads.
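As an added illustration (not code from the original post), here is a stdlib-only Python sketch of the SP side of the key messages and bindings above: it builds an AuthnRequest carrying an AssertionConsumerServiceURL, puts it on the wire with the HTTP Redirect binding (the XML is DEFLATE-compressed before the base64 step, which is why that binding only tolerates small messages) and with the HTTP POST binding, and shows what the receiving side does to get the XML back. The entity IDs, URLs and function names are constructed assumptions, not values from the post.

```python
import base64
import datetime
import html
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Assumed (constructed) SP and IdP configuration; a real SP reads these from the exchanged metadata.
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/sso/redirect"


def build_authn_request(request_id=None, issue_instant=None):
    """Return (request_id, xml_string) for an SP-initiated AuthnRequest.

    The SP must remember request_id so it can match InResponseTo on the SAMLResponse later.
    """
    # SAML IDs are xs:ID values, so they must not start with a digit.
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    root = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        "ProtocolBinding": POST_BINDING,            # how we want the Response delivered
        "AssertionConsumerServiceURL": SP_ACS_URL,  # where we want it delivered
    })
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = SP_ENTITY_ID
    return request_id, ET.tostring(root, encoding="unicode")


def encode_redirect(xml_string, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as query parameters."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 gives raw DEFLATE (no zlib header)
    deflated = comp.compress(xml_string.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(params)


def decode_redirect(url):
    """What the IdP does on receipt: reverse the URL-encoding, base64 and DEFLATE steps."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8"), query.get("RelayState", [None])[0]


def encode_post_form(xml_string, action_url, relay_state=None, field="SAMLResponse"):
    """HTTP-POST binding: plain base64 (no DEFLATE) in a hidden form field that the browser auto-submits."""
    fields = {field: base64.b64encode(xml_string.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    inputs = "".join(f'<input type="hidden" name="{k}" value="{html.escape(v)}"/>' for k, v in fields.items())
    return f'<form method="post" action="{html.escape(action_url)}">{inputs}</form>'


def decode_post_field(value):
    """What the receiving side does with a POSTed SAMLRequest/SAMLResponse field."""
    return base64.b64decode(value).decode("utf-8")


def acs_url_of(xml_string):
    """The IdP reads where to send the Response from the request, then checks it against the registered ACS URLs."""
    return ET.fromstring(xml_string).get("AssertionConsumerServiceURL")
```

The same encoding rules apply in the other direction: a redirect-bound message is DEFLATE + base64 + URL-encoded in the query string, a POST-bound message is base64 only in a form field, and RelayState rides alongside in both cases as an opaque string the SP gets back unchanged.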

Security concepts

Signature — the IdP digitally signs the assertion using its private key. SP validates using IdP's public certificate. This is what prevents forgery.
ACS URL (Assertion Consumer Service URL) — the SP endpoint that receives the SAMLResponse. Must be registered on the IdP to prevent redirect attacks.
Entity ID — unique identifier for the SP or IdP (usually a URL). Used to look up metadata.
Metadata XML — a file exchanged between SP and IdP during setup containing certificates, URLs, and supported bindings.
Relay State — an opaque value that carries where the user originally wanted to go, so SP can redirect them there after login.
NotBefore / NotOnOrAfter — time constraints on the assertion to prevent replay attacks.
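As an added example that is not part of the original post, the following Python shows the checks an SP should run on a SAMLResponse arriving at its ACS URL, covering the concepts listed above: Destination and Recipient against the registered ACS URL, Issuer and Audience against the Entity IDs from the metadata exchange, InResponseTo against the AuthnRequest the SP actually sent, the NotBefore / NotOnOrAfter window with a small clock-skew allowance, and a consumed-ID set so an assertion cannot be replayed. The XML-DSig verification itself needs an XML security library, so it is injected as a `signature_ok` callback (an assumption); the sample response, entity IDs, URLs and function names are all constructed.

```python
import datetime
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed (constructed) SP configuration, normally taken from the exchanged metadata XML.
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
CLOCK_SKEW = datetime.timedelta(seconds=60)

# Constructed sample SAMLResponse as it would look at the ACS after base64 decoding.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_resp1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
  Destination="https://sp.example.com/saml/acs" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature><!-- XML-DSig over this Assertion; verified by the caller-supplied signature_ok --></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"
          NotOnOrAfter="2024-05-01T12:05:00Z" InResponseTo="_req1"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    """SAML timestamps are UTC xs:dateTime with a trailing 'Z'; older fromisoformat wants '+00:00'."""
    return datetime.datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_string, now, outstanding_request_ids, seen_assertion_ids, signature_ok):
    """Validate a SAMLResponse at the ACS. Returns (errors, attributes); attributes is None on failure.

    signature_ok(assertion_element) -> bool wraps a real XML-DSig check against the IdP certificate.
    """
    errors = []
    root = ET.fromstring(xml_string)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["not a samlp:Response"], None
    if root.get("Destination") != SP_ACS_URL:               # ACS URL check
        errors.append("Destination is not our ACS URL")
    if root.get("InResponseTo") not in outstanding_request_ids:  # must answer a request we sent
        errors.append("InResponseTo does not match an outstanding AuthnRequest")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        errors.append("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return errors + [f"expected exactly one Assertion, got {len(assertions)}"], None
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ENTITY_ID:  # Entity ID check
        errors.append("Assertion Issuer is not the configured IdP")
    if a.find("ds:Signature", NS) is None or not signature_ok(a):  # signature must exist and verify
        errors.append("Assertion signature missing or invalid")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        errors.append("Conditions element missing")
    else:  # validity window, tolerating a little clock skew between IdP and SP
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + CLOCK_SKEW < parse_instant(nb):
            errors.append("assertion not yet valid (NotBefore)")
        if noa and now - CLOCK_SKEW >= parse_instant(noa):
            errors.append("assertion expired (NotOnOrAfter)")
        if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            errors.append("Audience does not include our Entity ID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        errors.append("SubjectConfirmationData missing")
    else:  # bearer confirmation must be addressed to our ACS and to our request
        if scd.get("Recipient") != SP_ACS_URL:
            errors.append("SubjectConfirmationData Recipient is not our ACS URL")
        if scd.get("InResponseTo") not in outstanding_request_ids:
            errors.append("SubjectConfirmationData InResponseTo mismatch")
        if scd.get("NotOnOrAfter") and now - CLOCK_SKEW >= parse_instant(scd.get("NotOnOrAfter")):
            errors.append("SubjectConfirmationData expired")
    if a.get("ID") in seen_assertion_ids:  # each assertion ID may be consumed once
        errors.append("assertion ID already consumed (replay)")
    if errors:
        return errors, None
    seen_assertion_ids.add(a.get("ID"))                      # remember until NotOnOrAfter has passed
    outstanding_request_ids.discard(root.get("InResponseTo"))
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    attrs["NameID"] = [a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)]
    return [], attrs
```

The order matters in practice: attributes such as the role are only read out after every check has passed, and the consumed-ID set only needs to hold an ID until its NotOnOrAfter has expired, since the time-window check rejects it from then on anyway.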
