SAML is used in scenarios where an end user can log into any of several applications with just one click.

Let me switch gears for a sec: before we move on, let's get ourselves used to a couple of terms.

Identity Provider [IDP] — An entity that provides the identity for users. You can think of it as a single source of truth for a user. Services send requests to the IDP, and the IDP sends back a response about the identity of the user.

Service Provider [SP] — An entity to which access has to be given only if the user is Authorised (this is verified by sending a request to IDP).

BTW we can use Salesforce as Service Provider or Identity Provider.

Let me switch gears again and go back to SAML!

You will typically find this when you work in an organisation and when your workplace uses a lot of external websites. When you are employed you will be given an email-id and access to a dashboard with a whole bunch of buttons in it.

As a first step, the user logs in with their official email id to access the dashboard. They get authenticated against an Identity Provider like Auth0.

Once the user is authenticated, they will be able to access the dashboard. The dashboard has a lot of buttons, each associated with a service. On click of a button, the user logs into that Service Provider.

Behind the scenes, SSO (Single Sign-On) via SAML is implemented, and that's why a single click is enough to log in to the website.

Let's understand what happens on click of the button in detail.

Let's look at logging into GitHub (Service Provider) via Auth0 (Identity Provider).

If I were to log into GitHub, I would click the button linked to GitHub on the dashboard. GitHub understands that the user is trying to log in using SAML. GitHub sends the user back to Auth0 with a SAML request (which will be in XML format) that asks Auth0 to authenticate the user.

Sample Request (credits to Auth0)

Auth0 accepts the SAML request and authenticates the user. If the user in question is already authenticated via Auth0, this step will be skipped. Once the user gets authenticated, Auth0 generates a SAML response.

Sample Response (credits to Auth0)

Auth0 then returns the SAML response to the browser, which in turn sends the SAML response to GitHub for verification.

If it's verified, the user gets logged in to GitHub and granted access to the resources.
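The request and verification steps above, sketched from the Service Provider's side as an added example (not code from Auth0, GitHub or the original post). It assumes the HTTP-Redirect binding for the request; the URLs, entity ID, function names and the sample response are constructed placeholders. Signature verification of the response, which a maintained SAML library must do before any field is trusted, is not shown.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import urlencode, urlparse, parse_qs

P, A = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": P, "saml": A}
# Constructed placeholders; real values come from SP and IdP metadata.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/saml/sso"

def build_redirect_url(request_id, issue_instant):
    """SP side: wrap an AuthnRequest for the HTTP-Redirect binding."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{P}" xmlns:saml="{A}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{issue_instant}" '
           f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
    packed = deflater.compress(xml.encode()) + deflater.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(packed).decode()})

def decode_redirect_url(url):
    """Reverse the encoding, e.g. to read a request captured in a proxy log."""
    packed = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(packed, -15))

def check_response(response_xml, expected_request_id, now):
    """SP side: binding checks that follow XML signature verification (not shown)."""
    root, problems = ET.fromstring(response_xml), []
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match the request we sent")
    if root.get("Destination") != SP_ACS_URL:
        problems.append("Destination is not our ACS URL")
    if root.findtext(".//saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        problems.append("Audience is not this service provider")
    cond = root.find(".//saml:Conditions", NS)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    if cond is None or not (datetime.strptime(cond.get("NotBefore"), fmt) <= now
                            < datetime.strptime(cond.get("NotOnOrAfter"), fmt)):
        problems.append("assertion is outside its validity window")
    return problems

# Constructed sample response (unsigned, for illustration only).
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{P}" xmlns:saml="{A}" ID="_resp1" Version="2.0" '
    f'InResponseTo="_req123" Destination="{SP_ACS_URL}"><saml:Assertion><saml:Conditions '
    f'NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">'
    f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
    f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
```

An empty list from `check_response` means the response is bound to the request this SP sent, addressed to this SP, and still inside its validity window; any entry in the list is a reason to reject the login.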
