SAML SSO is a monster of a technology and difficult to understand in the beginning, but with all of the years I’ve been working with it for several years helping corporations I’ve managed to distill SAML SSO into very simple terms.
There’s two types of authentication flows with SAML SSO. One is called IdP-initiated SSO and SP-initiated SSO. In general how SAML SSO works is that there’s two parts: the part that stores the users and the part that has the resource you want to protect.
The part that stores the users is called the Identity Provider, or IdP. The part that has the resource you want to protect is called the Service Provider, or SP.
In the SP-initiated flow, the user will attempt to access to the web resource, say an application. When the user attempts to access the resource and they aren’t authenticated already, they will be redirected to the Identity Provider to authenticate. This Identity Provider could be a number of enterprise products like Google G Suite, Okta, Azure, or even your own custom IdP driven by your own database of users. Once they authenticate, they will be redirected back to the original resource they tried to access.
In the IdP-initiated flow, the user is first at the IdP. That’s the major difference, so for instance, they’ll be logged into Google G Suite and then they click on an icon to the app that they want to access. When they click on the app they will be “pre-authorized” per-se to the SP, so the SP acknowledges this and allows the user to log in.
I wrote a Stack Overflow answer to explain SP and IdP-initiated SSO. Here’s a very simple example to illustrate those flows:
SP Initiated SSO
Bill the user: “Hey Jimmy, show me that report”
Jimmy the SP: “Hey, I’m not sure who you are yet. We have a process here so you go get yourself verified with Bob the IdP first. I trust him.”
Bob the IdP: “I see Jimmy sent you here. Please give me your credentials.”
Bill the user: “Hi I’m Bill. Here are my credentials.”
Bob the IdP: “Hi Bill. Looks like you check out.”
Bob the IdP: “Hey Jimmy. This guy Bill checks out and here’s some additional information about him. You do whatever you want from here.”
Jimmy the SP: “Ok cool. Looks like Bill is also in our list of known guests. I’ll let Bill in.”
IdP Initiated SSO
Bill the user: “Hey Bob. I want to go to Jimmy’s place. Security is tight over there.”
Bob the IdP: “Hey Jimmy. I trust Bill. He checks out and here’s some additional information about him. You do whatever you want from here.”
Jimmy the SP: “Ok cool. Looks like Bill is also in our list of known guests. I’ll let Bill in.”
So all SAML SSO is a trusted conversation between the SP and IdP.
I hope this simplifies your understanding of SAML SSO. If your organization needs help implementing SAML SSO reach out to me.