Is SAML an Authentication mechansim?

Question

Is SAML an authentication mechansim. ? I have seen this being written in many places.

As per my understanding SAML is not an authentication mechanism but a way to exchange authentication and authorization data between a service provider and an identity provider. ?

Both Service provider and identity provider have to be SAML compliant or basically understand SAML to take part.

Authentication can be done by any means like oAuth, Form etc. and then SAML exchange happens.

Best Regards,

Saurav

Answer 1

SAML (Security Assertion Markup Language) is an identity federation protocol.

(1) Traditionally a web application utilizes a local data storage (such as MySQL which is used to store username/password credentials) to accomplish the login authentication.

On the other hand, a web application can leverage a third-party SAML Identity Provider (IdP) to accomplish the login authentication if the web application has been integrated with a SAML Service Provider (SP).

(2) Usually a SAML IdP utilizes identity repository (such as OpenLDAP) to provide identity authentication for a SAML SP-enabled web application.

(3) A web application, which has been integrated with a SAML SP, outsources login authentication to a SAML IdP.

Without loss of generality, we assume that the SAML IdP has been configured with OpenLDAP.

A typical SAMP SP-intitiated authentication procedure can be described below.

(I) A user launches a web browser to access a SAML SP-enabled web application.

(II) The user is redirected to a SAML IdP which will prompt username/password login screen. SAML SP sends a SAML request to SAML IdP.

(III) The user submits the username/password credential.

(IV) The SAML IdP leverages OpenLDAP to validate the username/password credential.

(V) The user is redirected back and logged in to the web application if the user has been authenticated by OpenLDAP successfully. SAML IdP sends a SAML response token to federate the user identity (such as username) to SAML SP-enabled web application.

(4) How to build and run Shibboleth SAML IdP and SP using Docker container demonstrates how a SAML IdP utilizes OpenLDAP to provide identity authentication and then federates the user identity (such as username) to a SAML SP-enabled web application, thus accomplishing the login authentication for the web application.

Answer 2

Chapter 1 from SAML Technical Overview, a document published in 2008 and still a good read:

The Security Assertion Markup Language (SAML) standard defines a framework for exchanging security information between online business partners.

...and then Chapter 4 in the same doc

SAML consists of building-block components that, when put together, allow a number of use cases to be supported. The components primarily permit transfer of identity, authentication, attribute, and authorization information between autonomous organizations that have an established trust relationship

Answer 3

Actually SAML is a internet standards based technology to achieve web-based single on.

The actual authentication, which happens at the SAML IdP is out of scope of the specification.

However sometimes implementors do no accurately distinguish between SSO and authentication.