How does SAML 2.0 work

Since SAML is an open standard, you do not face vendor lock-in when using it for SSO. Simply put, with SAML a user can log in to one system in an environment and then access other systems in that environment without having to log in again (until the web browser session ends).

The user accesses a SAML-secured application at the Service Provider (SP), and the following exchange takes place:

  1. The SP sends an authentication request to a pre-registered Identity Provider (IdP). ‘samlp’ is the SAML 2.0 protocol namespace, ‘urn:oasis:names:tc:SAML:2.0:protocol’.
  2. If the user is not authenticated yet, the IdP interacts with the user to authenticate them.
  3. The IdP sends a response to the SP containing the token for the user.


So, let’s take a look at what happens when someone wants to log in at a Service Provider (SP) that uses federated authentication for one of its customers (the IdP). For the sake of example, let’s say the SP is Google Apps and the IdP is an organisation called My University, where Alice is a student. The flow of SAML protocol messages can be illustrated in a diagram as follows:
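Step 3 as seen from the SP, as an added Python example (not code from the original post or from the OASIS specification it cites): the checks an SP applies to the IdP's Response after its XML signature has been verified, run over a constructed, unsigned sample Response from My University for Alice. The entity IDs, URLs, request IDs and timestamps are invented for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"   # the 'samlp' namespace named in step 1
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
instant = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)  # UTC, trailing Z

def validate_response(xml_text, idp_entity_id, sp_entity_id, acs_url, pending_ids, now):
    """Step 3 at the SP: checks on the IdP's Response, to run only after its XML signature
    has been verified by an XML-DSig library (not shown). Returns the NameID or raises."""
    resp = ET.fromstring(xml_text)
    if resp.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if resp.get("Destination") != acs_url:
        raise ValueError("Destination is not this SP's ACS URL")
    req_id = resp.get("InResponseTo")
    if req_id not in pending_ids:            # unsolicited, or a replay of a used response
        raise ValueError("InResponseTo does not match a pending AuthnRequest")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("IdP did not report Success")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise ValueError("Issuer is not the pre-registered IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not instant(cond.get("NotBefore")) <= now < instant(cond.get("NotOnOrAfter")):
        raise ValueError("Assertion is outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != sp_entity_id:
        raise ValueError("Assertion was issued for a different SP")
    pending_ids.discard(req_id)              # each AuthnRequest ID is accepted once
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)

# Constructed sample: IdP "My University" answering the SP's request "_req1" for Alice.
IDP, SP, ACS = "https://idp.my-university.example", "https://sp.example", "https://sp.example/acs"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"
  Version="2.0" IssueInstant="2024-01-01T12:00:00Z" InResponseTo="_req1" Destination="{ACS}">
  <saml:Issuer>{IDP}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@my-university.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Calling `validate_response(SAMPLE_RESPONSE, IDP, SP, ACS, {"_req1"}, instant("2024-01-01T12:00:30Z"))` returns Alice's NameID; a second call with the same, now consumed, request ID is rejected as a replay.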


Ref: https://www.oasis-open.org/committees/download.php/27819/
