Skip to content
Logo Theodo

Web Single Sign-On, the SAML 2.0 perspective

Guillaume Klaus6 min read

What could be more annoying than one login page? To have several of them!

More and more on the web, people are allowed to connect to services through their Google, Facebook or other accounts. The user can then seamlessly connect to a set of services without creating a multitude of accounts.

One of the projects I worked on consisted of redesigning our client’s intranet. With other applications already in production, the SSO (single sign-on) was already in place across the company. Creating our own sign-on system was not an option, for several reasons:

Without SSO situation

With SSO situation

Several protocols allow to implement a SSO system, but first of all it is good to distinguish two things: Authentication / Authorization.

Authentication is the process of certifying that users are who they claim to be, while Authorization is the process of determining what the user is allowed to do on the application, i.e. permissions.

To implement SSO, there are 3 main protocols:






How to choose?

Even though older, SAML is still used a lot in companies and more complicated to set up than OpenID. In the following, we will see how this protocol works and the necessary steps to implement it.

What are the common points between SSO protocols?

In most common SSO protocols, two types of entities are distinguished.

SSO can be done in two ways:

In the following, we will look in depth at the SP initiated case, the mechanisms being similar in both cases.

How does SAML work in practice?

Let’s start from a concrete case. Imagine an employee who wants to go to the intranet of her or his company.

  1. The user wants to go to the intranet of her or his company, which will be our service provider example (SP). In most cases, this operation results in a GET request from the user’s browser to the Service Provider. This request is sent with any cookies associated with this domain.
  2. The Service Provider (SP) receives the request.
    - If it contains cookies it checks if the information provided corresponds to an active session, if so the user is authenticated.
    - Otherwise, the Service Provider uses a configuration file: the IdP Metadata file. This XML file contains, for example, the endpoint of the SSO on the IdP side, the public certificates associated with it and other IdP properties.
  3. This information allows the creation of a SAML authentication request (AuthnRequest)
  4. Once created, this XML is url-encoded and returned to the user’s browser via a redirect request (302). This SAML request is added to the redirection URL, for example :
  5. The browser follows the redirection address (containing in addition the SAML url-encoded request) through a GET request to the endpoint of the SSO.
  6. The IdP receives the request, eventually sent with a cookie corresponding to the IdP domain.
    - If the information provided corresponds to an active session, the IdP returns a form containing the SAML Response to the user’s browser.
    - If no cookie is present or if no session is active for the user, the IdP returns an authentication page for the user to enter his credentials. At the end of this process, if the user is authenticated, a session cookie associated with the IdP is stored in the browser.
  7. The IdP generates an HTML form containing the SAMLResponse that it returns to the browser.
  8. The browser then makes a POST request containing this form to the service provider who reads the response and allows the connection based on the SAMLResponse.
  9. The user can access to its desired resource.

What do I need to set up SAML2 authentication?

    "entityid" : "",
    "service": {
        "idp": {
            "endpoints" : {
                "single_sign_on_service" : [
                "single_logout_service": [
    "key_file" : "my.key",
    "cert_file" : "ca.pem",

After entering this information in the module configuration file or directly in the metadata file if it already exists, the authentication will have the minimum amount of information necessary to work.

We’ve arrived at the end of this article. If you followed through, you should have a better understanding of the way SAML works.

If you have any feedback or ideas on how to improve this article let me know by leaving a comment!

Liked this article?