SAML (Security Assertion Markup Language) is an open standard that lets users log in once and stay logged in across other applications. It allows user login information to be securely shared by multiple web applications on the Internet. In an enterprise's Active Directory or intranet, SAML enables the enterprise's applications to use that information to log users into other web-based applications.
The SAML SSO login standard is superior to logging users in with a simple username/password combination, since it:
SAML is powerful, but the OASIS specification is lengthy, and implementing it from scratch in a way that covers all cases can take months. You can use the Ultimate SAML library for ASP.NET, MVC, and Core to simplify the implementation. It has been used by thousands of developers.
There are mainly two types of providers defined in the SAML specification:
An Identity Provider (IdP) is a system that stores and manages user information. In SAML, the IdP also provides authentication services to the relying service providers. An example of an IdP is ADFS configured as an Identity Provider in the ACS.
A Service Provider (SP) is a relying party that consumes SAML authentication assertions from an IdP. A user must log in at the IdP before he or she can access resources on the relying SP's site.
An assertion is a package of data that consists of authentication, attribute, and authorization-decision information. It is sent from the IdP to the SP when a user has successfully logged in at the IdP. It may also be encrypted for the SP, in which case only the party holding the corresponding private key can decrypt it.
There are several types of SAML applications, and their flows differ:
Shibboleth is an open source SSO package developed in C++ and Java. It is now maintained by Internet2 (http://shibboleth.internet2.edu/). A website using Shibboleth is, in fact, an SP-initiated application with a SAML flow similar to the one described in the section above.