Security Assertion Markup Language 2.0 for federated identity and SSO
Service Provider initiated Single Sign-On using the SAML 2.0 Web Browser SSO Profile (saml-profiles §4.1). The SP detects an unauthenticated user, generates an AuthnRequest, and redirects the user to the IdP for authentication. After successful authentication, the IdP returns a signed SAML Response containing an Assertion with the user's identity. This is the most common SAML SSO flow in enterprise environments.
Identity Provider initiated Single Sign-On where the IdP sends an unsolicited SAML Response to the SP without a preceding AuthnRequest (saml-profiles §4.1.5). The user starts at the IdP portal and selects an application to access. This flow has inherently weaker security properties than SP-initiated SSO because the SP cannot correlate the response to an original request, making replay and CSRF attacks harder to detect.
SAML 2.0 Single Logout Profile terminates sessions across all federated participants - the IdP and every SP with an active session for the user (saml-profiles §4.4). When a user logs out at one participant, LogoutRequest messages are propagated to all other participants to ensure global session termination. SLO uses either front-channel (HTTP-Redirect/POST via browser) or back-channel (SOAP direct communication) bindings.
SAML 2.0 Metadata enables automated trust establishment between Identity Providers and Service Providers (SAML Metadata §2). Each party publishes an XML EntityDescriptor document describing its endpoints, supported bindings, certificates, and capabilities. This eliminates manual configuration and enables dynamic federation.
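The request correlation that separates the two flows above, as an added example that is not code from the page or from any SAML library: a hypothetical SP records the ID of every AuthnRequest it issues and accepts a Response only when its InResponseTo names an outstanding, unexpired, not-yet-used request; an unsolicited Response (the IdP-initiated case) has nothing to correlate and is refused by this SP. Entity IDs and URLs are placeholders, and XML signature verification, which must run before this check, is omitted.

```python
import secrets
import time
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


class RequestTracker:
    """Remembers outstanding AuthnRequest IDs so a Response can be correlated."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.pending = {}  # request ID -> time the AuthnRequest was issued

    def new_authn_request(self, sp_entity_id, acs_url, idp_sso_url, now=None):
        """Build a minimal AuthnRequest (hypothetical SP settings) and record its ID."""
        now = time.time() if now is None else now
        req_id = "_" + secrets.token_hex(16)  # xs:ID must not start with a digit
        self.pending[req_id] = now
        issue_instant = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
        xml = (
            f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="{req_id}" Version="2.0" IssueInstant="{issue_instant}" '
            f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
            f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f"<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>"
        )
        return req_id, xml

    def correlate_response(self, response_xml, now=None):
        """Return (accepted, reason). Run only after the Response signature has
        been verified; this check cannot stand in for signature validation."""
        now = time.time() if now is None else now
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{SAMLP}}}Response":
            return False, "not a samlp:Response"
        in_response_to = root.get("InResponseTo")
        if not in_response_to:
            # An unsolicited Response is the IdP-initiated flow: nothing to correlate.
            return False, "unsolicited"
        issued = self.pending.pop(in_response_to, None)  # pop: one use per request ID
        if issued is None:
            return False, "unknown-or-reused-request"
        if now - issued > self.ttl:
            return False, "expired"
        return True, "ok"
```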