SAML Authentication
About
Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between parties, used mainly for single sign-on (SSO). A user authenticates once at a central identity provider and can then access multiple applications without entering credentials again.
SAML is widely used in enterprise environments for federated identity management. It involves two roles: the Identity Provider (IdP), which authenticates users and issues signed assertions about them, and the Service Provider (SP), which relies on those assertions instead of checking credentials itself.
How SAML Authentication Works
User Requests Access
The user attempts to access a Service Provider (SP) (e.g., a SaaS application like Salesforce).
SP Redirects to IdP
The SP generates a SAML AuthnRequest, records its ID, and redirects the browser to the Identity Provider's (IdP) single sign-on URL with the request attached (HTTP-Redirect or HTTP-POST binding).
User Authenticates with IdP
The user logs in to the IdP (e.g., Active Directory/ADFS, Okta, Azure AD), or is passed through immediately if an IdP session already exists.
IdP Generates SAML Assertion
The IdP verifies the credentials and creates a SAML assertion: an XML statement about the user, signed with the IdP's private key.
IdP Sends SAML Assertion to SP
The IdP wraps the assertion in a SAML Response and returns it to the SP through the user's browser, normally as a base64-encoded SAMLResponse form field auto-posted to the SP's Assertion Consumer Service (ACS) URL. Because the browser carries the message, the SP must treat it as untrusted input until it has been verified.
SP Validates SAML Assertion
The SP verifies the XML signature against the IdP certificate from its metadata, then checks that the signed element is the assertion it is about to read, that Issuer, Audience and Recipient match its configuration, that the current time lies within NotBefore/NotOnOrAfter (allowing a small clock skew), that InResponseTo matches a request it issued, and that the assertion ID has not been seen before. Only then does it create a local session for the user.
Result: The user is authenticated without needing to re-enter credentials.
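The second step above (SP sends the browser to the IdP) is usually done with the HTTP-Redirect binding: the AuthnRequest XML is DEFLATE-compressed, base64-encoded and URL-encoded into a SAMLRequest query parameter. The following is an added example, not code from the original page; it builds a minimal AuthnRequest, encodes it as the SP would, and decodes it as the IdP would. The endpoint URLs, the entity ID and the Java 17 target are assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Arrays;
import java.util.Base64;
import java.util.UUID;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

/** Step 2 of the flow: the SP builds an AuthnRequest and sends the browser to the IdP SSO URL. */
public class SamlRedirectBinding {

    // Hypothetical endpoints; substitute the real IdP SSO URL and the SP's entity ID / ACS URL.
    static final String IDP_SSO_URL  = "https://idp.example.com/sso";
    static final String SP_ENTITY_ID = "https://sp.example.com/saml2/service-provider-metadata/idp";
    static final String SP_ACS_URL   = "https://sp.example.com/login/saml2/sso/idp";

    /** Builds a minimal SAML 2.0 AuthnRequest. The SP must remember requestId so that the
     *  InResponseTo attribute of the later SAMLResponse can be matched against it. */
    static String buildAuthnRequest(String requestId, Instant issueInstant) {
        return "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
             + " xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\""
             + " ID=\"" + requestId + "\" Version=\"2.0\""
             + " IssueInstant=\"" + issueInstant + "\""
             + " Destination=\"" + IDP_SSO_URL + "\""
             + " AssertionConsumerServiceURL=\"" + SP_ACS_URL + "\""
             + " ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\">"
             + "<saml:Issuer>" + SP_ENTITY_ID + "</saml:Issuer>"
             + "</samlp:AuthnRequest>";
    }

    /** HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encoding. */
    static String encodeForRedirect(String xml) {
        byte[] input = xml.getBytes(StandardCharsets.UTF_8);
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true); // true = raw deflate
        deflater.setInput(input);
        deflater.finish();
        byte[] buf = new byte[input.length + 64];   // large enough for incompressible input
        int n = deflater.deflate(buf);
        deflater.end();
        String b64 = Base64.getEncoder().encodeToString(Arrays.copyOf(buf, n));
        return URLEncoder.encode(b64, StandardCharsets.UTF_8);
    }

    /** The reverse operation, as the IdP performs it on the incoming SAMLRequest parameter. */
    static String decodeFromRedirect(String param) throws DataFormatException {
        byte[] compressed = Base64.getDecoder().decode(URLDecoder.decode(param, StandardCharsets.UTF_8));
        Inflater inflater = new Inflater(true);
        inflater.setInput(compressed);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        while (!inflater.finished()) {
            int n = inflater.inflate(buf);
            // Raw deflate streams may end without the inflater reporting "finished"; stop when starved.
            if (n == 0 && (inflater.needsInput() || inflater.needsDictionary())) break;
            out.write(buf, 0, n);
        }
        inflater.end();
        return out.toString(StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String requestId = "_" + UUID.randomUUID();        // unpredictable ID, stored server-side
        String xml = buildAuthnRequest(requestId, Instant.now());
        String samlRequest = encodeForRedirect(xml);
        String redirectUrl = IDP_SSO_URL + "?SAMLRequest=" + samlRequest
                           + "&RelayState=" + URLEncoder.encode("/dashboard", StandardCharsets.UTF_8);
        System.out.println("302 Location: " + redirectUrl);

        // IdP side: recover the same XML, including the ID it must echo back in InResponseTo.
        String roundTrip = decodeFromRedirect(samlRequest);
        if (!roundTrip.equals(xml)) throw new IllegalStateException("round trip mismatch");
        System.out.println("IdP decoded AuthnRequest with ID " + requestId);
    }
}
```

The RelayState value is opaque state the IdP echoes back unchanged; it should be an SP-generated reference, not a raw URL the user can set, or it becomes an open-redirect vector. If the IdP requires signed requests, the HTTP-Redirect binding carries the signature in separate SigAlg and Signature query parameters computed over the query string; that part is not shown here.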
Components of SAML
Identity Provider (IdP): Authenticates the user and issues SAML assertions. Examples: Okta, Azure AD, Google Workspace, ADFS.
Service Provider (SP): The application that relies on the IdP for authentication instead of checking credentials itself. Examples: Salesforce, AWS, Office 365.
SAML Assertion: The signed XML statement the IdP issues about the user. Contains the user's identity, attributes, authentication time and method, and the conditions under which it is valid.
SAML Request (AuthnRequest): The authentication request the SP sends to the IdP to start SP-initiated SSO.
SAML Response: The protocol message the IdP returns to the SP. Contains a status code and one or more assertions; the SP must verify the signature on the response or on the assertion before trusting anything inside it.
Types of SAML SSO Flows
IdP-Initiated SSO: The user logs in at the IdP (e.g., Okta), picks an application from the IdP's portal, and the IdP posts an unsolicited SAML Response to the SP. Because no AuthnRequest was sent, the response carries no InResponseTo and the SP cannot tie it to a login it started; for that reason many SPs disable or restrict this flow.
SP-Initiated SSO: The user tries to access an SP (e.g., Salesforce), which sends an AuthnRequest to the IdP and, when the response arrives, checks that its InResponseTo matches the request ID it issued. This is the preferred flow.
SAML Assertion Structure
A SAML Assertion is an XML document that contains user authentication details. Its main elements are:
Issuer: Identifies the IdP by its entity ID. The SP checks it against the IdP it is configured to trust.
Signature: An XML Digital Signature over the assertion (and/or the enclosing response), created with the IdP's signing key. Everything else in the assertion is only trustworthy after this signature has been verified against the IdP certificate the SP already holds.
Subject: Contains the user identity (NameID: email, username, persistent identifier, etc.) and SubjectConfirmationData such as the recipient URL, an expiry time and InResponseTo.
Conditions: Defines the validity period (NotBefore, NotOnOrAfter) and an AudienceRestriction naming the SP entity ID the assertion is intended for.
AuthnStatement: Indicates authentication time (AuthnInstant) and method (AuthnContextClassRef).
AttributeStatement (optional): Additional user attributes such as email, display name or group memberships.
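The following added example (not code from the original page) shows the structure above as real XML and performs the checks an SP's ACS endpoint has to run, in the order that matters: signature first, using a pinned IdP key rather than anything inside the message, then Issuer, Conditions and Audience. It uses only the JDK's XML-DSig API (JSR 105) on Java 17; the assertion content, the key pair standing in for the IdP's, the entity IDs and the assertion ID are constructed for the example. Replay detection and InResponseTo matching need per-request state and are left out.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.*;
import javax.xml.transform.stream.*;
import org.w3c.dom.*;

/** Issues a signed sample assertion, then validates it the way an SP must before creating a session. */
public class SamlAssertionValidation {
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String ASSERTION_ID = "_c3a2f1";                    // constructed
    static final String IDP_ENTITY_ID = "https://idp.example.com";    // hypothetical IdP entity ID
    static final String SP_ENTITY_ID = "https://sp.example.com/saml2/service-provider-metadata/idp"; // hypothetical

    /** Constructed sample assertion containing Issuer, Subject, Conditions and AuthnStatement. */
    static String sampleAssertion(Instant now) {
        return """
            <saml:Assertion xmlns:saml="%s" ID="%s" Version="2.0" IssueInstant="%s">
              <saml:Issuer>%s</saml:Issuer>
              <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
              <saml:Conditions NotBefore="%s" NotOnOrAfter="%s">
                <saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>
              </saml:Conditions>
              <saml:AuthnStatement AuthnInstant="%s"><saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
              </saml:AuthnContext></saml:AuthnStatement>
            </saml:Assertion>
            """.formatted(SAML, ASSERTION_ID, now, IDP_ENTITY_ID, now.minusSeconds(60), now.plusSeconds(300), SP_ENTITY_ID, now);
    }

    /** Namespace-aware parsing with DTDs refused (blocks XXE); registers ID so "#ID" references resolve. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        doc.getDocumentElement().setIdAttribute("ID", true);
        return doc;
    }

    /** IdP side: enveloped XML-DSig over the assertion, inserted after Issuer as the SAML schema requires. */
    static void sign(Document doc, PrivateKey idpKey) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + ASSERTION_ID, fac.newDigestMethod(DigestMethod.SHA256, null),
                List.of(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                        fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null), List.of(ref));
        Element root = doc.getDocumentElement();
        Element issuer = (Element) root.getElementsByTagNameNS(SAML, "Issuer").item(0);
        // No KeyInfo on purpose: the SP must use the certificate from IdP metadata, never a key shipped in the message.
        fac.newXMLSignature(si, null).sign(new DOMSignContext(idpKey, root, issuer.getNextSibling()));
    }

    static String serialize(Document doc) throws Exception {
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    /** SP check 1: exactly one signature, valid under the pinned IdP key, and covering this very assertion. */
    static boolean signatureValid(Document doc, PublicKey pinnedIdpKey) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false;                       // unsigned or multiply signed: reject
        DOMValidateContext ctx = new DOMValidateContext(pinnedIdpKey, sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        List<Reference> refs = sig.getSignedInfo().getReferences();
        String self = "#" + doc.getDocumentElement().getAttribute("ID");
        // A valid signature over some other element is the signature-wrapping trick; insist it covers this element.
        return refs.size() == 1 && self.equals(refs.get(0).getURI()) && sig.validate(ctx);
    }

    /** SP check 2: trusted issuer, validity window with clock skew, and the assertion is addressed to us. */
    static String validateConditions(Document doc, Instant now, long skewSeconds) {
        Element root = doc.getDocumentElement();
        if (!IDP_ENTITY_ID.equals(text(root, "Issuer"))) return "rejected: unexpected issuer";
        NodeList conds = root.getElementsByTagNameNS(SAML, "Conditions");
        if (conds.getLength() != 1) return "rejected: missing Conditions";
        Element c = (Element) conds.item(0);
        Instant notBefore = Instant.parse(c.getAttribute("NotBefore")).minusSeconds(skewSeconds);
        Instant notOnOrAfter = Instant.parse(c.getAttribute("NotOnOrAfter")).plusSeconds(skewSeconds);
        if (now.isBefore(notBefore) || !now.isBefore(notOnOrAfter)) return "rejected: outside validity window";
        if (!SP_ENTITY_ID.equals(text(root, "Audience"))) return "rejected: assertion is for another audience";
        return "accepted: " + text(root, "NameID");
    }

    static String text(Element root, String localName) {
        NodeList nl = root.getElementsByTagNameNS(SAML, localName);
        return nl.getLength() == 0 ? null : nl.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair idpKeys = kpg.generateKeyPair();     // stands in for the IdP signing key; the SP pins the public half
        Instant now = Instant.now();

        Document issued = parse(sampleAssertion(now));
        sign(issued, idpKeys.getPrivate());
        Document received = parse(serialize(issued));  // what arrives, base64-decoded, at the ACS endpoint

        System.out.println("signature valid: " + signatureValid(received, idpKeys.getPublic()));
        System.out.println(validateConditions(received, now, 30));

        // Changing any signed field, here the NameID, breaks the digest and the signature check fails.
        received.getElementsByTagNameNS(SAML, "NameID").item(0).setTextContent("admin@example.com");
        System.out.println("after tampering: " + signatureValid(received, idpKeys.getPublic()));

        // A well-formed but unsigned assertion must be rejected outright.
        System.out.println("unsigned accepted: " + signatureValid(parse(sampleAssertion(now)), idpKeys.getPublic()));
    }
}
```

Two design points carry over to any library: the verification key comes from the SP's configuration (the IdP metadata fetched over a trusted channel), never from a KeyInfo block in the message, and the signature check happens before any XPath or attribute lookup so that a valid signature on one element cannot vouch for a different element the SP actually reads.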
SAML Integration with Spring Security
Spring Boot 2 vs Spring Boot 3 – SAML Authentication
SAML Support: Spring Boot 2 (Spring Security 5) originally relied on the separate Spring Security SAML extension; from Spring Security 5.2 (Boot 2.2) the native spring-security-saml2-service-provider module exists and is auto-configured by Boot. Spring Boot 3 (Spring Security 6) supports only the native module, and the old extension is gone. In both cases spring-boot-starter-security alone is not enough: the SAML2 service-provider module must be added explicitly.
Security Configuration: Spring Boot 2 uses WebSecurityConfigurerAdapter (deprecated in Spring Security 5.7). Spring Boot 3 removes it; security is declared as a SecurityFilterChain bean using the lambda DSL.
Metadata Management: Spring Boot 2 needs more manual setup and uses the spring.security.saml2.relyingparty.registration.*.identityprovider properties (renamed to assertingparty in Boot 2.7). Spring Boot 3 configures the IdP in application.yml under spring.security.saml2.relyingparty.registration.*.assertingparty, either with a metadata-uri or with an explicit entity-id, singlesignon.url and verification credentials.
1. Add Dependencies
2. Configure SAML Authentication in Spring Boot
Define Security Configuration
3. Configure SAML Identity Provider (IdP) Settings
4. Handle SAML Authentication Response
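The four steps above, carried out for Spring Boot 3 / Spring Security 6, as an added example that is not code from the original page. The package name, the IdP metadata URL and the registration id "idp" are assumptions; the Spring Security class and method names are the real ones from spring-security-saml2-service-provider. Either the application.yml shown in the comment or the RelyingPartyRegistrationRepository bean should be used, not both, since a user-defined bean replaces the auto-configured one.

```java
// Step 1, dependencies (Spring Boot 3.x, Java 17+):
//   org.springframework.boot:spring-boot-starter-web
//   org.springframework.boot:spring-boot-starter-security
//   org.springframework.security:spring-security-saml2-service-provider
// The SAML2 module depends on OpenSAML 4, which is not on Maven Central: add the Shibboleth
// repository https://build.shibboleth.net/maven/releases/ to the build.
//
// Step 3 done with application.yml instead of the bean below (Boot 3 key is "assertingparty"):
//   spring:
//     security:
//       saml2:
//         relyingparty:
//           registration:
//             idp:
//               assertingparty:
//                 metadata-uri: https://idp.example.com/metadata   # hypothetical
//               signing:                                            # only needed for signed AuthnRequests
//                 credentials:
//                   - private-key-location: classpath:sp-key.pem
//                     certificate-location: classpath:sp-cert.pem
package com.example.saml;   // hypothetical package

import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
public class SamlSecurityConfig {

    /** Step 3: describe the IdP. Its metadata supplies the SSO URL and the signing certificate that
     *  Spring will verify assertions against, so the metadata URL itself must be trusted (HTTPS, and
     *  reachable at startup, since the registration is built when the context starts). */
    @Bean
    RelyingPartyRegistrationRepository relyingPartyRegistrations() {
        RelyingPartyRegistration idp = RelyingPartyRegistrations
                .fromMetadataLocation("https://idp.example.com/metadata")   // hypothetical IdP
                .registrationId("idp")
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(idp);
    }

    /** Step 2: Boot 3 style SecurityFilterChain with the lambda DSL; no WebSecurityConfigurerAdapter.
     *  saml2Login registers the ACS endpoint at /login/saml2/sso/{registrationId} and exposes SP
     *  metadata at /saml2/service-provider-metadata/{registrationId} for the IdP administrator. */
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .saml2Login(Customizer.withDefaults())
            .saml2Logout(Customizer.withDefaults());   // SAML Single Logout
        return http.build();
    }
}

@RestController
class WhoAmIController {

    /** Step 4: by the time a request reaches a controller, Spring has already verified the SAMLResponse
     *  signature, Conditions, Audience and InResponseTo; the assertion's NameID and attributes are on the principal. */
    @GetMapping("/me")
    Map<String, Object> me(@AuthenticationPrincipal Saml2AuthenticatedPrincipal principal) {
        return Map.of(
                "nameId", principal.getName(),
                "attributes", principal.getAttributes());   // Map<String, List<Object>> from the AttributeStatement
    }
}
```

Attribute names are whatever the IdP sends (for example the SAML URI "urn:oid:0.9.2342.19200300.100.1.3" for mail on some IdPs, a plain "email" on others); map them once in a converter rather than scattering IdP-specific names through controllers.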
When to Use SAML?
SAML (Security Assertion Markup Language) is best suited for scenarios where Single Sign-On (SSO) is required across multiple web applications, especially in enterprise environments.
Use SAML When -
Enterprise SSO for Web Applications
If we need a central authentication system where users log in once and access multiple web-based applications without logging in again.
Example: Logging into Salesforce, Workday, or Google Workspace using your organization's credentials.
B2B & Corporate Authentication
If our business requires federated authentication between different organizations (e.g., partners, suppliers).
Example: A company allowing its employees to access a supplier’s portal using corporate credentials.
When Using Legacy Systems
If our organization has older enterprise applications that already support SAML, it's easier to continue using it instead of migrating to a newer authentication standard.
Strict Security & Compliance Requirements
SAML is widely used in industries with strict compliance regulations like finance, healthcare, and government.
Example: HIPAA-compliant authentication for a healthcare system.
When an Identity Provider (IdP) Is Already in Place
If our organization already runs an Identity Provider such as Okta, Microsoft ADFS or Azure AD that manages authentication and issues SAML assertions, new web applications can plug into it as Service Providers instead of maintaining their own user store.
Avoid SAML When -
For API Authentication: SAML is designed for browser-based web SSO, not for securing APIs; there is no practical way for a script or service to present a SAML assertion on each call. Use OAuth2 access tokens for API access instead.
For Mobile & Modern Apps: SAML relies on browser redirects, auto-submitted forms and XML signature processing, which are heavy and awkward in native mobile apps and single-page applications. Use OpenID Connect (OIDC), which returns a compact JWT ID token, for those.
SAML vs OAuth2 vs OpenID Connect
Purpose: SAML provides single sign-on (SSO) for web applications. OAuth2 is an authorization framework for delegated API access. OpenID Connect (OIDC) adds user authentication on top of OAuth2 for web and mobile apps.
Best Used For: SAML: enterprise SSO (e.g., logging into Salesforce or Google Workspace with corporate credentials). OAuth2: granting a third-party app limited access to an API on the user's behalf (e.g., letting a scheduling app read your Google Calendar). OIDC: modern login for web and mobile apps (e.g., "Sign in with Google").
Token Format: SAML: XML assertion protected by an XML Digital Signature. OAuth2: an access token whose format is opaque to the client (often a JWT, but the specification does not require it). OIDC: a JSON Web Token (JWT) ID token, issued alongside the OAuth2 access token.
Authentication: SAML: yes, the signed assertion verifies user identity. OAuth2: no, an access token proves that an API may be called, not who the user is; using one as a login credential is a well-known mistake. OIDC: yes, the ID token verifies user identity and can carry profile claims.
Authorization: SAML: partly; assertions can carry attributes such as roles or groups that the SP uses for its own authorization decisions. OAuth2: yes, scoped access to APIs. OIDC: yes, it inherits OAuth2 scopes and adds access to the user's profile claims.
Common Providers: SAML: Okta, ADFS, Azure AD, Google Workspace. OAuth2: Google, Facebook, GitHub, Microsoft, Twitter. OIDC: Google, Microsoft, Facebook (OIDC is built on OAuth2, so most OAuth2 providers also offer it).
Ideal For: SAML: large organizations and corporate SSO. OAuth2: APIs and third-party integrations. OIDC: modern web and mobile login; usually preferred over SAML for new applications.
Complexity: SAML: complex (XML, XML signature processing, IdP and SP metadata exchange). OAuth2: simple for API access, but not an authentication protocol on its own. OIDC: relatively simple (JSON and JWT) with authentication built in.