SAML
SAML 2.0 (Security Assertion Markup Language) is a security standard that's used to exchange authentication and authorization data over the internet. It helps users access multiple applications using a single account and without entering their username and password each time. This is called SSO (Single Sign-On).
SAML SSO is used to integrate access management systems (Active Directory, Azure Active Directory, Keycloak, Avanpost FAM) with web applications and services.
How does SAML 2.0–based SSO work
- All username and password information is stored by a trusted identity provider (IdP). Any access management system can act as an IdP. For example, Active Directory, Azure Active Directory, Keycloak, or Avanpost FAM.
- The second party in this process is the service provider (SP). For example, Yandex 360 for Business. At the moment of authorization, the SP sends the user to authenticate on the IdP server.
- The SP doesn't interact with the IdP directly — this process happens in the user's browser.
This solution is called identity federation.
The exchange of user information (usernames, authentication status, IDs, and other data) between the access management system and the SP occurs as follows:
- The user opens the browser and goes to the SP's application.
- The application responds with a SAML request, which the browser redirects to the access management system (IdP).
- The IdP server processes the SAML request and prompts the user to authenticate. For example, by entering a username and password. If the user has already been authenticated, this and the following steps are skipped.
- The user enters the necessary authentication details on the IdP server.
- If the user is successfully authenticated, the access management system generates a SAML response and sends it through the user's browser to the SP's application for verification.
- If the verification is successful, the web application grants access to the user.
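The six steps above, carried out end to end in one script, as an added example; this is not code from Yandex 360 or from the page, and it uses only the Python standard library. The entity IDs, endpoint URLs, user name and key are constructed placeholders, and the XML-DSig signature a real IdP applies is replaced by an HMAC over the canonicalized Assertion (a simplification, so no XML-DSig library is needed). The part worth reading is the set of checks the SP performs at step 6 before granting access: signature, issuer, InResponseTo, destination, audience and validity window; the `tamper` hook shows what happens when any of those is violated while the response crosses the browser.

```python
import base64
import hmac
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
for prefix, uri in (("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, uri)
TS = "%Y-%m-%dT%H:%M:%SZ"
# Constructed identifiers for the two parties; none of these are real endpoints.
SP_ENTITY_ID = "https://sp.example.test/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/metadata"
IDP_SSO_URL = "https://idp.example.test/sso"
DEMO_KEY = b"constructed-demo-key"  # stands in for the IdP's signing certificate

def build_authn_request(request_id, now):
    """Step 2: the SP builds an AuthnRequest naming itself and where the answer must go."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": now.strftime(TS),
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": SP_ACS_URL})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")

def redirect_url(authn_request_xml):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

def decode_redirect_url(url):
    """Step 3: the IdP reverses the binding and parses the request the browser delivered."""
    param = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return ET.fromstring(zlib.decompress(base64.b64decode(param), -15))

def demo_signature(assertion):
    """Stand-in for ds:Signature: HMAC-SHA256 over the canonicalized Assertion (constructed)."""
    c14n = ET.canonicalize(xml_data=ET.tostring(assertion, encoding="unicode"))
    return hmac.new(DEMO_KEY, c14n.encode(), "sha256").hexdigest()

def idp_build_response(authn_request, name_id, now):
    """Step 5: the IdP issues a Response bound to the request, to this SP and to a time window."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": now.strftime(TS),
        "InResponseTo": authn_request.get("ID"),
        "Destination": authn_request.get("AssertionConsumerServiceURL")})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", {"ID": "_" + uuid.uuid4().hex, "Version": "2.0"})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = name_id
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": (now - timedelta(minutes=1)).strftime(TS),
        "NotOnOrAfter": (now + timedelta(minutes=5)).strftime(TS)})
    restriction = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(restriction, f"{{{SAML}}}Audience").text = authn_request.findtext(f"{{{SAML}}}Issuer")
    ET.SubElement(resp, "DemoSignature").text = demo_signature(a)  # signed over the finished assertion
    return ET.tostring(resp, encoding="unicode")

def sp_verify_response(response_xml, pending_request_ids, now):
    """Step 6: the SP grants access only if every check passes; returns the asserted NameID."""
    resp = ET.fromstring(response_xml)
    assertion = resp.find(f"{{{SAML}}}Assertion")
    # Signature first: nothing below can be trusted until the assertion is known to be authentic.
    if assertion is None or not hmac.compare_digest(
            resp.findtext("DemoSignature", ""), demo_signature(assertion)):
        raise ValueError("missing assertion or signature does not verify")
    # The issuer must be the IdP this SP was configured to trust.
    if assertion.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
        raise ValueError("unexpected issuer")
    # The response must answer a request this SP sent; consuming the ID makes a replay fail.
    if resp.get("InResponseTo") not in pending_request_ids:
        raise ValueError("unsolicited or replayed response")
    pending_request_ids.discard(resp.get("InResponseTo"))
    # Destination and Audience must name this SP, not another relying party of the same IdP.
    cond = assertion.find(f"{{{SAML}}}Conditions")
    audience = cond.findtext(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")
    if resp.get("Destination") != SP_ACS_URL or audience != SP_ENTITY_ID:
        raise ValueError("response not intended for this SP")
    # Validity window: NotBefore <= now < NotOnOrAfter.
    not_before = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    if not not_before <= now < not_on_or_after:
        raise ValueError("assertion outside its validity window")
    return assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")

def run_sso_flow(tamper=lambda xml: xml):
    """Steps 1-6 end to end; `tamper` stands for anything that edits the response in the browser."""
    now, request_id = datetime.now(timezone.utc), "_" + uuid.uuid4().hex
    pending = {request_id}  # the SP remembers which requests are outstanding
    request = decode_redirect_url(redirect_url(build_authn_request(request_id, now)))  # steps 2-3
    response_xml = tamper(idp_build_response(request, "alice@example.test", now))  # steps 4-5
    try:
        return sp_verify_response(response_xml, pending, now)  # step 6
    except ValueError as err:
        return f"rejected: {err}"
```

Calling `run_sso_flow()` returns the asserted user, while `run_sso_flow(lambda xml: xml.replace("alice@example.test", "admin@example.test"))` is rejected at the signature check because the NameID sits inside the signed Assertion. Editing the unsigned `InResponseTo` attribute is caught one step later by the outstanding-request check, which is also what makes presenting the same response twice fail: the request ID is consumed on first use.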