Security Assertion Markup Language (SAML) is an open-standard protocol used to communicate authentication and authorization data between a Service Provider (SP) and an Identity Provider (IdP). It uses XML to transmit messages; consequently, the messages are more complex than those of OAuth/OIDC and less flexible in their structure.
Whilst SAML works great at providing server-side applications with Single-Sign-On (SSO), it does not support API access natively, and the specification doesn't contain mechanisms to allow public clients (those without the ability to hold secure values) such as Single-Page Applications (SPA) to authenticate securely.
Which Side of the Story
There are two sides to the SAML protocol: SAML Identity Provider (IdP) and SAML Service Provider (SP).
In short,
- A SAML Identity Provider is an entity that issues authentication assertions about a user
- A SAML Service Provider is an entity that uses the authentication assertions issued by an Identity Provider to control access to services
The Rock Solid Knowledge SAML component provides both Service Provider and Identity Provider implementations, allowing you to implement both sides of the protocol.
SAML Identity Provider
As a SAML Identity Provider, you can allow SAML Service Providers to integrate with your SSO environment. The Rock Solid Knowledge SAML component builds on your underlying OIDC framework/server to enable this functionality. SAML acts as an additional grant type, using a client's OAuth scopes to drive data access, so no additional management is required. OIDC and SAML share a single session, so the end user only has to log in once, regardless of SSO protocol.
SAML Service Provider
As a SAML Service Provider, you can federate with external SAML Identity Providers. The Service Provider functionality is standalone and can be used with or without an OIDC framework.
In this role, your application will use the external SAML Identity Provider for authentication, in the same way as if you were offering functionality such as “login using Google”. The external service holds the credentials, and you send and receive SAML requests/responses.
As the Service Provider side of the component uses the built-in .NET authentication pipeline, all the SAML interactions are abstracted away; see Understanding Authentication Handlers for more information.
Acting as both SP and IdP
You can also combine the two approaches and act as both a SAML Service Provider and SAML Identity Provider while supporting other protocols such as OpenID Connect and OAuth.