How SAML Works
SAML relies on three core actors: the Identity Provider (IdP), the Service Provider (SP), and the user. The IdP, often Microsoft Entra ID, authenticates the user and issues a signed SAML assertion containing user attributes. The assertion is then delivered to the SP, the SaaS application such as Salesforce or Workday. Because the SP trusts the IdP, it validates the assertion and grants the user access without asking them to re-enter credentials. Two common flows are IdP-initiated (the user starts at the IdP) and SP-initiated (the user starts at the SP).
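The following is an added example, not code from the original article or from any of the products it names. It walks the IdP/SP exchange described above end to end: the IdP builds and signs a minimal SAML 2.0 assertion, and the SP validates it before trusting a single attribute, checking signature, issuer, validity window, audience and, for the SP-initiated flow, InResponseTo. The entity IDs, the request ID and the subject are constructed placeholders, and a keyed HMAC over the serialized assertion stands in for real XML-DSig signing so the example runs with the standard library alone.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Constructed demo values: a shared secret stands in for the IdP's XML-DSig
# signing key, and these entity IDs are placeholders, not real tenants.
IDP_SIGNING_SECRET = b"demo-idp-signing-key"
TRUSTED_IDP = "https://idp.example.test/metadata"
SP_ENTITY_ID = "https://sp.example.test/saml"


def _t(tag):
    """Namespace-qualified SAML assertion tag name."""
    return f"{{{SAML_NS}}}{tag}"


def sign_assertion(assertion_xml):
    """IdP side: detached MAC over the serialized assertion (stand-in for XML-DSig)."""
    mac = hmac.new(IDP_SIGNING_SECRET, assertion_xml.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def build_assertion(subject, issuer, audience, not_before, not_on_or_after,
                    in_response_to=None, attributes=None):
    """IdP side: build a minimal SAML 2.0 assertion and sign it."""
    a = ET.Element(_t("Assertion"), ID="_demo-assertion-1", Version="2.0")
    ET.SubElement(a, _t("Issuer")).text = issuer
    subj = ET.SubElement(a, _t("Subject"))
    ET.SubElement(subj, _t("NameID")).text = subject
    conf = ET.SubElement(subj, _t("SubjectConfirmation"),
                         Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    data = ET.SubElement(conf, _t("SubjectConfirmationData"), Recipient=audience)
    if in_response_to:  # only present when answering an SP-initiated AuthnRequest
        data.set("InResponseTo", in_response_to)
    cond = ET.SubElement(a, _t("Conditions"), NotBefore=not_before.isoformat(),
                         NotOnOrAfter=not_on_or_after.isoformat())
    ET.SubElement(ET.SubElement(cond, _t("AudienceRestriction")), _t("Audience")).text = audience
    stmt = ET.SubElement(a, _t("AttributeStatement"))
    for name, value in (attributes or {}).items():
        ET.SubElement(ET.SubElement(stmt, _t("Attribute"), Name=name), _t("AttributeValue")).text = value
    xml = ET.tostring(a, encoding="unicode")
    return xml, sign_assertion(xml)


def validate_assertion(assertion_xml, signature, now, expected_in_response_to=None):
    """SP side: the checks an SP must pass before trusting the attributes.
    Returns (True, claims) on success or (False, reason) on the first failure."""
    # 1. Signature first: nothing inside the document is trusted until this passes.
    if not hmac.compare_digest(sign_assertion(assertion_xml), signature):
        return False, "signature mismatch"
    ns = {"saml": SAML_NS}
    root = ET.fromstring(assertion_xml)
    # 2. Issuer must be the IdP this SP was configured to trust.
    if root.findtext("saml:Issuer", namespaces=ns) != TRUSTED_IDP:
        return False, "untrusted issuer"
    # 3. Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    cond = root.find("saml:Conditions", ns)
    if cond is None:
        return False, "missing Conditions"
    not_before = datetime.fromisoformat(cond.get("NotBefore"))
    not_on_or_after = datetime.fromisoformat(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return False, "outside validity window"
    # 4. Audience: an assertion minted for a different SP must not be accepted here.
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=ns) != SP_ENTITY_ID:
        return False, "audience mismatch"
    # 5. SP-initiated flow: the assertion must answer the request this SP actually sent.
    data = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", ns)
    in_response_to = data.get("InResponseTo") if data is not None else None
    if expected_in_response_to is not None and in_response_to != expected_in_response_to:
        return False, "InResponseTo mismatch"
    attrs = {attr.get("Name"): attr.findtext("saml:AttributeValue", namespaces=ns)
             for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", ns)}
    return True, {"subject": root.findtext("saml:Subject/saml:NameID", namespaces=ns),
                  "attributes": attrs}


def demo():
    """Run both flows plus the failure cases an SP must reject; returns a results dict."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    window = (now - timedelta(minutes=1), now + timedelta(minutes=5))
    request_id = "_req-42"  # constructed; a real SP generates a random ID per AuthnRequest
    results = {}
    xml, sig = build_assertion("alice@example.test", TRUSTED_IDP, SP_ENTITY_ID, *window,
                               in_response_to=request_id, attributes={"department": "finance"})
    results["sp_initiated"] = validate_assertion(xml, sig, now, expected_in_response_to=request_id)
    results["tampered"] = validate_assertion(xml.replace("alice@", "bob@"), sig, now,
                                             expected_in_response_to=request_id)
    results["expired"] = validate_assertion(xml, sig, now + timedelta(hours=1),
                                            expected_in_response_to=request_id)
    results["wrong_request"] = validate_assertion(xml, sig, now, expected_in_response_to="_req-99")
    other_xml, other_sig = build_assertion("alice@example.test", TRUSTED_IDP,
                                           "https://other-sp.example.test/saml", *window)
    results["wrong_audience"] = validate_assertion(other_xml, other_sig, now)
    idp_xml, idp_sig = build_assertion("alice@example.test", TRUSTED_IDP, SP_ENTITY_ID, *window)
    results["idp_initiated"] = validate_assertion(idp_xml, idp_sig, now)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The ordering inside validate_assertion is the point: the signature is checked on the raw bytes before the XML is parsed for issuer, audience or attributes, so a modified subject, a stale assertion or one issued for another service provider is rejected before any of its contents influence the login decision. In a production SP the HMAC would be replaced by XML-DSig verification against the IdP's published signing certificate, and the InResponseTo value would be looked up in the SP's own store of outstanding request IDs.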
SAML vs OIDC in Australian Tenants
While both SAML and OpenID Connect (OIDC) enable SSO, OIDC is generally preferred for modern web and mobile applications because it is built on OAuth 2.0 and exchanges JSON tokens over REST-style endpoints, whereas SAML's XML-based flows remain prevalent in legacy SaaS applications. When addressing compliance obligations such as APRA CPS 234, which mandates robust access controls, a layered approach may be necessary: SAML for older systems and OIDC for newer ones. Organisations should also consider the Australian Voluntary AI Safety Standard's emphasis on secure data access when choosing an SSO protocol.