SAML (Security Assertion Markup Language) is an XML-based framework for cross-domain single sign-on. SAML is an open standard defined by OASIS.
SAML defines three roles:
- Principal: an entity (typically a user) signing in to one or more applications.
- IDP (Identity Provider): the entity that authenticates the principals.
- SP (Service Provider): one of the applications to which the principals sign in.
Throughout this documentation, we use the terms principal and user as synonyms.
A typical scenario for a user trying to access a service on the SP:
- If the principal has not yet been authenticated at the SP, the SP redirects it to the IDP.
- The IDP authenticates the user.
- The IDP issues a SAML assertion for the principal.
- The SP validates the SAML assertion and grants access to the service.
A SAML assertion issued by the IDP can only be used to access a specific SP.