This article looks at the SAML protocol, how it works, the involved parties, and where it fits in the evolution of identity and access management<\/a> (IAM).<\/p>\n\n\n\n Table of Contents<\/strong><\/p>\n\n\n\n The Security Assertion Markup Language (SAML) manages transactions between web service providers and identity providers using the Extensible Markup Language (XML). These communications on the backend of username and password<\/a> login processes ensure users get authenticated by the overarching identity manager and authorized to use the given web service(s).<\/p>\n\n\n\n A foundational piece of the digital access puzzle is the difference between authentication and authorization. Authentication confirms user identity<\/strong>, and authorization grants specific rights<\/strong> to a web application, user, or device.<\/p>\n\n\n\n Read more<\/strong>: Best Privileged Access Management (PAM) Software<\/a><\/p>\n\n\n\n Service providers and identity managers play a critical part in the federation process, allowing users access to specific data.<\/p>\n\n\n\n The exponential growth of applications<\/a> serving consumer to enterprise IT needs and wants means a universe of service providers. Service providers are the organizations and web services offered to users through a valid request. Application and software developers<\/a> are responsible for establishing the necessary backend database<\/a> and protocol for storing and accepting user account credentials.<\/p>\n\n\n\n Popular service providers include top business application vendors like SAP<\/a>, Microsoft<\/a>, Oracle, Adobe, Google<\/a>, and Salesforce<\/a>.<\/p>\n\n\n\n Identity managers offer organizations a system wherein a set of credentials can merge to become a federated identity for a specific user to access applications across platforms. Like directory services, organization administrators can control access to particular data with network user identity management.<\/p>\n\n\n\n Examples of popular enterprise identity provider systems include Microsoft and Azure Active Directory<\/a> (AD), Lightweight Directory Protocol (LDAP), and Google Suite, while other vendors include Oracle, Okta<\/a>, OneLogin<\/a>, and Auth0.<\/p>\n\n\n\n Also read<\/strong>: Best Zero Trust Security Solutions<\/a><\/p>\n\n\n\n Whereas web service providers have long played the role of identity managers, the emergence of identity providers offers users convenient access for storing credentials and, therefore, access to a list of accounts. SAML is the federated authentication and authorization process in this split of responsibilities, simplifying communication between parties.<\/p>\n\n\n\n Read more<\/strong>: How Machine Identities Can Imperil Enterprise Security<\/a><\/p>\n\n\n\n OAuth is also an example of a language web service providers use to communicate on behalf of users and applications, but they address different sides of the authorization-authentication coin.<\/p>\n\n\n\n SAML is a standard managing identity management and federation, including systems like SSO. OAuth is a pure authorization protocol that pairs with OpenID Connect (OIDC), which handles authentication.<\/p>\n\n\n\n SAML might be the more trusted and mature protocol of the two; however, OIDC is a newer authentication protocol designed for mobile and web applications. Another notable difference between the two languages is OAuth\u2019s use of the JSON Web Token (JWT). While SAML uses XML, JWTs are more lightweight, self-contained, and include a digital signature for independent verification without the authorization server.<\/p>\n\n\n\n While SAML 2.0 remains widely in use, the growth of OAuth 2.0 paired with OIDC means it isn\u2019t deployed nearly as much.<\/p>\n\n\n\n Learn more<\/strong> about OAuth 2.0 with OAuth: Our Guide to Industry Authorization<\/a>.<\/p>\n\n\n\n In 2001, the Organization for the Advanced for Structured Information Standards (OASIS) began work on what would become an industry-first XML framework for exchanging authentication and authorization data. A year later, SAML 1.0 would become an official OASIS standard. In 2005, OASIS released 2.0, which gained widespread appeal for web developers and service providers by the end of the decade.<\/p>\n\n\n\n While SAML 2.0 led the way, the first two iterations of OIDC, OpenID, were released in 2006 and 2007 as alternative authentication protocols. The launch of OAuth 1.0 in 2010 and OAuth 2.0 two years later meant third parties<\/a> had a deliberate protocol for authorizing secure, user-agent, delegated access. Rather than dealing with a separate protocol for authentication needs, the release of OpenID Connect in 2014 gave developers an added layer fulfilling initial access across accounts.<\/p>\n\n\n\n Despite the recent prevalence of OAuth and OIDC for authentication and authorization, SAML 2.0 remains a widely offered and used protocol for enterprise organizations.<\/p>\n\n\n\n Also read<\/strong>: Best Next-Generation Firewall (NGFW) Vendors<\/a><\/p>\n\n\nWhat is SAML?<\/strong><\/h2>\n\n\n\n
Context: Authentication vs. Authorization<\/strong><\/h3>\n\n\n\n
Service Providers and Identity Managers<\/strong><\/h2>\n\n\n\n
Service Providers<\/strong><\/h3>\n\n\n\n
Identity Managers<\/strong><\/h3>\n\n\n\n
How Does SAML Work?<\/strong><\/h2>\n\n\n\n
Why is SAML Important?<\/strong><\/h2>\n\n\n\n
![\"A](\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2022\/03\/ESP.MicrosoftSAMLGraphic-1024x561.png\")
OAuth vs SAML<\/strong><\/h2>\n\n\n\n
IAM History: SAML in Context<\/strong><\/h2>\n\n\n\n