> For the complete documentation index, see [llms.txt](https://www.pranaypourkar.co.in/the-programmers-guide/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.pranaypourkar.co.in/the-programmers-guide/spring/spring-features/spring-security/authentication/authentication-mechanism/saml-authentication.md). # SAML Authentication ## About Security Assertion Markup Language (**SAML**) is an **XML-based** open standard for **single sign-on (SSO)** authentication. It enables secure authentication across multiple applications without requiring users to enter credentials multiple times. SAML is widely used in **enterprise environments** for federated identity management and works with **Identity Providers (IdP)** and **Service Providers (SP)** to facilitate authentication. ## **How SAML Authentication Works** 1. **User Requests Access** * The user attempts to access a **Service Provider (SP)** (e.g., a SaaS application like Salesforce). 2. **SP Redirects to IdP** * The SP **redirects the user** to the **Identity Provider (IdP)** for authentication. 3. **User Authenticates with IdP** * The user logs in to the **IdP** (e.g., Active Directory, Okta, Azure AD). 4. **IdP Generates SAML Assertion** * The IdP verifies credentials and creates a **SAML assertion** (a signed XML document). 5. **IdP Sends SAML Assertion to SP** * The IdP **redirects the user back to the SP**, passing the **SAML assertion**. 6. **SP Validates SAML Assertion** * The SP verifies the signature and **grants access** to the user. **Result:** The user is authenticated without needing to re-enter credentials. ## **Components of SAML**
ComponentDescriptionExamples
Identity Provider (IdP)Authenticates the user and issues SAML Assertions.Okta, Azure AD, Google Workspace, ADFS
Service Provider (SP)The application that requests authentication from IdP.Salesforce, AWS, Office 365
SAML AssertionThe XML-based authentication response sent from IdP to SP.Contains user details & authentication status.
SAML RequestThe authentication request from SP to IdP.Initiates SSO authentication.
SAML ResponseThe authentication response from IdP to SP.Contains the SAML assertion.
## **Types of SAML SSO Flows**
TypeDescription
IdP-Initiated SSOThe user logs in at the IdP (e.g., Okta) and is redirected to SP after authentication.
SP-Initiated SSOThe user tries to access an SP (e.g., Salesforce), which then redirects to the IdP for authentication.
## **SAML Assertion Structure** A **SAML Assertion** is an **XML document** that contains user authentication details. ```xml https://idp.example.com user@example.com urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport ``` * **Issuer:** Identifies the IdP. * **Subject:** Contains user identity (email, username, etc.). * **AuthnStatement:** Indicates authentication time and method. * **Conditions:** Defines validity period. ## **SAML Integration with Spring Security** ### **Spring Boot 2 vs Spring Boot 3 – SAML Authentication**
FeatureSpring Boot 2Spring Boot 3
SAML SupportRequires Spring Security ExtensionsNative SAML2 support in spring-boot-starter-security
Security ConfigurationUses WebSecurityConfigurerAdapterUses SecurityFilterChain (Lambda DSL)
Metadata ManagementMore manual setupEasier configuration via application.yml
### **1. Add Dependencies** ```xml org.springframework.boot spring-boot-starter-security org.springframework.security spring-security-saml2-service-provider ``` ### **2. Configure SAML Authentication in Spring Boot** **Define Security Configuration** ```java @Configuration public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests(auth -> auth .anyRequest().authenticated() ) .saml2Login(withDefaults()); // Enable SAML authentication return http.build(); } } ``` ### **3. Configure SAML Identity Provider (IdP) Settings** ```yaml spring: security: saml2: relyingparty: registration: my-app: identityprovider: entity-id: "https://idp.example.com" verification.credentials: - certificate-location: "classpath:idp-certificate.crt" single-sign-on-service-location: "https://idp.example.com/sso" ``` ### **4. Handle SAML Authentication Response** ```java @RestController @RequestMapping("/auth") public class SAMLController { @GetMapping("/user") public Authentication getUser(Authentication authentication) { return authentication; } } ``` ## **When to Use SAML?** SAML (Security Assertion Markup Language) is best suited for scenarios where **Single Sign-On (SSO)** is required across multiple web applications, especially in **enterprise environments**. ### **Use SAML When -** 1. **Enterprise SSO for Web Applications** * If we need a **central authentication system** where users log in once and access multiple web-based applications without logging in again. * Example: Logging into **Salesforce, Workday, or Google Workspace** using your organization's credentials. 2. **B2B & Corporate Authentication** * If our business requires **federated authentication** between different organizations (e.g., partners, suppliers). * Example: A company allowing its employees to access a supplier’s portal using **corporate credentials**. 3. **When Using Legacy Systems** * If our organization has older enterprise applications that already **support SAML**, it's easier to continue using it instead of migrating to a newer authentication standard. 4. **Strict Security & Compliance Requirements** * SAML is widely used in industries with strict **compliance regulations** like finance, healthcare, and government. * Example: **HIPAA-compliant** authentication for a healthcare system. 5. **When we Need a Strong Identity Provider (IdP)** * If our organization has an **Identity Provider (IdP)** like **Okta, Microsoft ADFS, or Azure AD**, which manages authentication and **issues SAML assertions** to web applications. ### **Avoid SAML When -** * **For API Authentication:** SAML is designed for web-based SSO, not securing APIs. Instead, use **OAuth2** for API access. * **For Mobile & Modern Apps:** SAML uses **XML-based messages**, which are **heavy and complex** for mobile apps. Instead, use **OpenID Connect (OIDC)** for modern authentication. ## **SAML vs OAuth2 vs OpenID Connect**
FeatureSAML (Security Assertion Markup Language)OAuth2 (Open Authorization)OpenID Connect (OIDC)
PurposeSecure Single Sign-On (SSO) for web apps.Secure API access (authorization).Secure user authentication for web & mobile.
Best Used ForEnterprise SSO (e.g., logging into Salesforce, Google Workspace).Granting third-party apps access to APIs (e.g., logging into Spotify with Google).Modern authentication for web & mobile apps (e.g., "Sign in with Google").
Token FormatXML-based SAML Assertion.JSON-based Access Token.JSON-based ID Token (built on OAuth2).
Authentication?Yes – Verifies user identity.No – Only grants access to APIs.Yes – Verifies user identity & provides profile info.
Authorization?Yes – Grants access to web appsYes – Grants access to APIs.Yes – Grants access to user profile & APIs.
Common ProvidersOkta, ADFS, Azure AD, Google Workspace.Google, Facebook, GitHub, Microsoft, Twitter.Google, Microsoft, Facebook (OIDC built on OAuth2).
Ideal ForLarge organizations & corporate SSO.APIs, third-party integrations.Modern web & mobile login (replaces SAML for new apps).
ComplexityComplex (XML-based, needs IdP & SP setup).Simple for API access, but lacks authentication.Simple (JSON-based, supports authentication).
--- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.pranaypourkar.co.in/the-programmers-guide/spring/spring-features/spring-security/authentication/authentication-mechanism/saml-authentication.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.