SAML

What is SAML?

Security Assertion Markup Language, abbreviated to SAML, is a protocol for exchanging authentication and authorization data, mainly used in the context of Single Sign-On and Federation. Like the JSON Web Token, which it predates, SAML is used to transmit what are called “assertions” about a subject, usually a particular individual. Assertions are like claims in a JWT: they can be used to tell another site or server that the customer in question possesses the requisite credentials and that those credentials have been verified. For a simpler understanding of SAML-based authentication for web services, think of a scenario where universities under one umbrella accept students from the other member universities to come and take classes whenever they want. The parent university would just have to issue one identity card which can be checked and validated across all the cooperating universities without the student being asked to enroll again. The identity card contains the student’s essential attributes and, more importantly, can be trusted by other institutions to be genuine. SAML is a protocol that serves a purpose similar to that of the identity card.

SAML was developed by a group of companies, the Security Services Technical Committee, for the Organization for the Advancement of Structured Information Standards (OASIS), primarily to communicate authentication and attribute information. Just as the JSON Web Token is based on the JSON data format, SAML is built on XML.

Where is SAML used and where can it be used?

Listerine was first invented as a surgical antiseptic but years later found itself being used as a mouthwash. Some things have a knack of finding their way to their real, greater purpose though conceived for something else. SAML isn’t in that category yet because it continues to be used for what it was designed for: communication of user authentication information. More specifically, SAML is primarily used in the Web Single Sign-On context, where website customers are to be relieved of multiple login requirements to access resources. For instance, SAML can be used in a scenario where a customer has already logged into a website and is seeking access to a partner website. Without asking the customer to log in again, the first website communicates to the second through SAML that the customer has already been authenticated and is genuine, and so can be granted access. SAML is also particularly useful in enterprise Single Sign-On scenarios, not just Web Single Sign-On.

Is there a SAML example assertion?

We’ll get to the example in a bit, but first it would be apt to define how SAML is generally used. At the basic level, SAML is defined in terms of assertions, protocols, bindings and profiles.

A SAML assertion conveys certain things about the subject - in most cases the subject is a customer seeking access - which are sufficient for a service provider to grant access.

Following on from assertions, SAML protocols define the requests a service provider can make (for example, to obtain an assertion) and the responses to them.

SAML bindings define how SAML protocol messages are to be carried within other protocols, such as HTTP, while a SAML profile defines how assertions, protocols and bindings are combined for a particular context like Web Single Sign-On.

A SAML assertion, i.e. the SAML token format, carries the core information about the subject and in turn contains multiple sections. A high-level structure, as defined by OASIS, comprises sections about the issuer, the signature, the subject, the conditions and the authentication statement.
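As an added example that is not part of the original page, here is a constructed SAML 2.0 assertion laid out with exactly those sections, together with the checks a service provider runs over them (issuer, signature presence, conditions and audience, authentication statement) before trusting the subject. The issuer, subject and audience values are hypothetical and the signature is a placeholder; real deployments must verify the XML signature against the identity provider's key.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample assertion: hypothetical issuer, subject and audience, placeholder signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>student@example.edu</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T11:59:30Z"/>
</saml:Assertion>"""

def parse_time(value):
    """Parse the UTC xs:dateTime form SAML uses (trailing Z)."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def validate_assertion(xml_text, expected_issuer, expected_audience, now):
    """Inspect the sections a service provider must check before trusting the subject.
    Returns {"ok": bool, "subject": NameID or None, "reasons": [failed checks]}.
    Only the presence of ds:Signature is checked here; verifying it against the identity
    provider's key needs an XML-DSig library and is outside this example."""
    root = ET.fromstring(xml_text)  # in production, parse untrusted XML with defusedxml
    reasons = []
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        reasons.append("unexpected issuer")
    if root.find("ds:Signature", NS) is None:
        reasons.append("missing signature")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("missing conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")  # both optional per spec
        if nb and now < parse_time(nb):
            reasons.append("not yet valid")
        if noa and now >= parse_time(noa):
            reasons.append("expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            reasons.append("audience mismatch")
    if root.find("saml:AuthnStatement", NS) is None:
        reasons.append("missing authentication statement")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return {"ok": not reasons, "subject": subject, "reasons": reasons}
```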

Is SAML the best protocol around? Who wins SAML vs JWT vs OAuth?

Again, it’s a pretty subjective question and there is no clear winner. SAML is used for Single Sign-On and Federated Identity Management, where secure authentication by a separate identity provider is the key requirement. Social Login, however, employs OAuth, which is more of an authorization protocol. In cases where a service provider is simply allowing customers to log in using their social identities, SAML could be used for Social Login as well. But it is generally not, because service providers tend to add social functionalities to their applications, for instance pulling PII from the social profile, which is about authorization: something that is beyond SAML and something that OAuth does much better. Plus, OAuth can also carry out authentication duties, so SAML becomes a bit of a misfit there.

As far as Web Single Sign-On is concerned, SAML is widely used throughout. JSON Web Token is a competitor which is implemented in similar use cases. The key difference is that JWT is based on the JSON data format while SAML is based on XML. XML is more of an enterprise-suited language with lots of options, while JSON is a very compact format that is more apt for lightweight web applications. So in the case of simple websites JWT would score better, but when it comes to enterprise-grade web applications, SAML would be a better candidate.