See saml Menu

Overview of SAML

OneLogin has implemented and open-sourced SAML toolkits for five web development platforms:

Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their sessions in another context. This single sign-on (SSO) login standard has significant advantages over logging in using a username/password:

  • No need to type in credentials

  • No need to remember and renew passwords

  • No weak passwords

Most organizations already know the identity of users because they are logged in to their Active Directory domain or intranet. It makes sense to use this information to log users in to other applications, such as web-based applications, and one of the more elegant ways of doing this is by using SAML.

SAML is very powerful and flexible, but the specification can be quite a handful. OneLogin’s open-source SAML toolkits can help you integrate SAML in hours, instead of months. We’ve come up with a simple setup that will work for most applications.

How SAML Works

SAML SSO works by transferring the user’s identity from one place (the identity provider) to another (the service provider). This is done through an exchange of digitally signed XML documents.

Consider the following scenario: A user is logged into a system that acts as an identity provider. The user wants to log in to a remote application, such as a support or accounting application (the service provider). The following happens:

  1. The user accesses the remote application using a link on an intranet, a bookmark, or similar and the application loads.

  2. The application identifies the user’s origin (by application subdomain, user IP address, or similar) and redirects the user back to the identity provider, asking for authentication. This is the authentication request.

  3. The user either has an existing active browser session with the identity provider or establishes one by logging into the identity provider.

  4. The identity provider builds the authentication response in the form of an XML-document containing the user’s username or email address, signs it using an X.509 certificate, and posts this information to the service provider.

  5. The service provider, which already knows the identity provider and has a certificate fingerprint, retrieves the authentication response and validates it using the certificate fingerprint.

  6. The identity of the user is established and the user is provided with app access.


The diagram below illustrates the single sign-on flow for service provider-initiated SSO, i.e. when an application triggers SSO.

Diagram of SAML SSO flow

Identity provider-initiated SSO is similar and consists of only the bottom half of the flow.

Have a Question?

Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.

StackOverflow discussions about "onelogin saml"

  • 131

    A: SAML/ADFS node.js implementation guide?

    Answered Apr 27 2016

    I recently went through the same thought process: having never heard of SAML, I needed to enable a web application to authenticate via SAML with OneLogin as the identity provider (instead of Active … realize was that the confusion was three-fold: (1) how SAML works, (2) how the passport-saml library works in Node, and (3) how to configure the identity provider (OneLogin, Active Directory, or …

  • 59

    Q: CAS vs. SAML vs. OAuth2

    Asked Mar 14 2015 CASino and And I am sure there are hundreds of OAuth related gems. I just want a separate Rails … about doing this, I read about CAS, SAML and OAuth2. (I know that the "Auth" in OAuth stands for authorization, and not authentication, but I read enough articles saying how OAuth can be used for …

  • 19

    A: SAML 2.0 SSO for Ruby on Rails?

    Answered Nov 20 2010

    I played with this one once: It might be what you're looking for. …

  • 14

    A: Python library for implementing SAML2 based service provider and identity provider?

    Answered Oct 06 2014

    You can also take a look on Is also open source and the toolkit contains 2 demos: A django application and a Flask application. Right now only works on … Python 2.X Edited 13/05/2015: There is a python 3.X version (beta, I'm still testing it): (thanks bgaifullin for contributing it) Edited 13/04/2016: Python 3.X version is stable and tested. …

  • 11

    A: Python SSO: pysaml2 and python3-saml

    Answered Nov 16 2016

    Both projects are compatible with Shibboleth. pysaml2 is older than python3-saml, right now both support py2 and py3. Both are kinda active and documented. python3-saml follows the structure of … Onelogin's SAML toolkit so if you used any other toolkit before (php-saml, ruby-saml, java-saml), will be easy for you to handle with it (similar methods, same settings). Differences Crypto: pysaml2 …