
System Design

SAML Federation

XML based identity assertions exchanged between providers via the browser.

6 min read

Federating trust between organizations

SAML (Security Assertion Markup Language) is an XML-based standard widely used for enterprise single sign-on. It lets a service provider (SP) accept identities that were authenticated by a separate identity provider (IdP), so an employee signs in once with a corporate account and reaches every federated application without each one holding a password.

The assertion

The core artifact is a SAML assertion, an XML document signed by the identity provider. It states who the user is (the subject), when it was issued, and under what conditions it is valid: a validity window (NotBefore and NotOnOrAfter) and the audience it is intended for. The service provider verifies the XML signature against the identity provider's certificate, which it obtained out of band from the provider's metadata, so trust is established without any password reaching the service provider. A valid signature is necessary but not sufficient: the service provider must read the subject from the element the signature actually covers, confirm that the audience names it, and confirm the validity window is current. Implementations that verify a signature on one element and then read identity from another are the classic XML signature wrapping bug.

SP-initiated flow through the browser

A common pattern is service-provider-initiated sign-on:

  • The user visits the service provider, which creates an authentication request, records its ID, and redirects the browser to the identity provider.
  • The identity provider authenticates the user and produces a signed assertion that echoes the request ID in InResponseTo.
  • The browser relays that assertion back to the service provider's assertion consumer endpoint, usually via an auto-submitting HTML form (the HTTP-POST binding).

Because the browser carries the assertion, the two providers never need a direct network link. Trust rests entirely on the signature and the certificates exchanged in metadata. The flip side is that everything the service provider receives arrived from a browser it does not control, so it must verify the signature before reading any field, match InResponseTo against the request it issued for this session, and refuse an assertion ID it has already accepted, since anyone who captures the POST can submit it again.
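The assertion described under "The assertion" and the SP-initiated exchange above, as an added Go example that is not part of this lesson and not taken from any SAML library: the IdP builds a minimal assertion with encoding/xml and signs it with RSA-SHA256, and the SP verifies the signature first, then checks issuer, audience, recipient, validity window, InResponseTo and replay state, in that order. Two simplifications are assumptions of this example, not of SAML: the posted SAMLResponse value is base64(assertion) "." base64(signature) rather than a samlp:Response carrying an XML-DSig Signature element, which removes the need for canonicalization, and the SP holds the IdP's public key directly instead of parsing the metadata certificate. The entity IDs, URLs, request IDs and the user alice@example.com are made up for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"strings"
	"time"
)

// Assertion holds the SAML 2.0 fields an SP must check; real assertions carry
// more (attributes, AuthnStatement, an embedded XML-DSig <Signature>).
type Assertion struct {
	XMLName      xml.Name  `xml:"Assertion"`
	ID           string    `xml:"ID,attr"`
	IssueInstant time.Time `xml:"IssueInstant,attr"`
	Issuer       string    `xml:"Issuer"`
	NameID       string    `xml:"Subject>NameID"`
	Confirmation struct {
		InResponseTo string `xml:"InResponseTo,attr"`
		Recipient    string `xml:"Recipient,attr"`
	} `xml:"Subject>SubjectConfirmation>SubjectConfirmationData"`
	Conditions struct {
		NotBefore    time.Time `xml:"NotBefore,attr"`
		NotOnOrAfter time.Time `xml:"NotOnOrAfter,attr"`
		Audience     string    `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
}

// IdP signs with Key; the SP holds Key.PublicKey, obtained out of band (assumption:
// directly, where a real SP would take it from the metadata certificate).
type IdP struct {
	EntityID string
	Key      *rsa.PrivateKey
}

// NewIdP generates a throwaway 2048-bit signing key (a real IdP loads a persistent one).
func NewIdP(entityID string) (*IdP, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &IdP{EntityID: entityID, Key: key}, nil
}

// Issue runs after the IdP has authenticated the user and returns what the browser will
// auto-post as SAMLResponse: base64(assertion) "." base64(RSA-SHA256 over those exact bytes).
func (p *IdP) Issue(nameID, requestID, spEntityID, acsURL string, now time.Time) (string, error) {
	now = now.UTC().Truncate(time.Second)
	id := make([]byte, 16)
	rand.Read(id)
	var a Assertion
	a.ID, a.IssueInstant, a.Issuer, a.NameID = "_"+base64.RawURLEncoding.EncodeToString(id), now, p.EntityID, nameID
	a.Confirmation.InResponseTo, a.Confirmation.Recipient = requestID, acsURL
	a.Conditions.NotBefore, a.Conditions.NotOnOrAfter = now, now.Add(5*time.Minute)
	a.Conditions.Audience = spEntityID
	body, _ := xml.Marshal(a) // fixed struct shape, cannot fail
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, p.Key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(body) + "." + base64.StdEncoding.EncodeToString(sig), nil
}

// SP keeps what it learned from the IdP metadata; Seen (must be initialised) records
// accepted assertion IDs so a captured SAMLResponse cannot be posted a second time.
type SP struct {
	EntityID, ACSURL, IdPEntityID string
	IdPKey                        *rsa.PublicKey
	Seen                          map[string]bool
}

// Consume is the assertion consumer service; requestID is the AuthnRequest ID the SP saved in
// the user's session before redirecting. Nothing in the assertion is trusted before the signature verifies.
func (s *SP) Consume(samlResponse, requestID string, now time.Time) (string, error) {
	bodyB64, sigB64, _ := strings.Cut(samlResponse, ".")
	body, err1 := base64.StdEncoding.DecodeString(bodyB64)
	sig, err2 := base64.StdEncoding.DecodeString(sigB64)
	digest := sha256.Sum256(body)
	if err1 != nil || err2 != nil || rsa.VerifyPKCS1v15(s.IdPKey, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("signature does not verify against the IdP key")
	}
	var a Assertion
	if err := xml.Unmarshal(body, &a); err != nil {
		return "", err
	}
	const skew = 30 * time.Second // tolerate small clock drift between IdP and SP
	switch {
	case a.Issuer != s.IdPEntityID:
		return "", errors.New("issuer is not the federated IdP")
	case a.Conditions.Audience != s.EntityID || a.Confirmation.Recipient != s.ACSURL:
		return "", errors.New("assertion was issued for a different SP or endpoint")
	case now.Before(a.Conditions.NotBefore.Add(-skew)) || !now.Before(a.Conditions.NotOnOrAfter.Add(skew)):
		return "", errors.New("assertion outside its validity window")
	case a.Confirmation.InResponseTo != requestID:
		return "", errors.New("InResponseTo does not match the request this session started")
	case s.Seen[a.ID]:
		return "", errors.New("assertion ID already consumed (replay)")
	}
	s.Seen[a.ID] = true
	return a.NameID, nil
}
```

To drive it, create an IdP with NewIdP, construct an SP with its own EntityID and ACSURL, the IdP's EntityID, &idp.Key.PublicKey and an empty Seen map, then hand the value Issue returns to Consume together with the request ID the SP stored in the session. Submitting the same value twice fails on the replay check; a value issued for another audience, outside its window, or by a key the SP does not hold fails on the corresponding check; and editing the assertion bytes without re-signing fails at the signature step before any field is read. A SAML library gives the same structure with real XML-DSig handling; the reason to write it out is to see that the signature check comes first and that the audience, recipient, window, InResponseTo and replay checks are separate from it.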

Key idea

SAML federates login by having an identity provider issue signed XML assertions that the browser relays to a service provider, which trusts them via signature verification.

Check yourself


1. What does the service provider verify to trust a SAML assertion?

2. How does the assertion typically travel between providers in the SP-initiated flow?