SAML Terminologies and Workflow

Security Assertion Markup Language (SAML) is an XML-based standard that allows you to exchange authentication data between one service and another. Zoho provides single sign-on for connected apps using SAML. Here, Zoho acts as the identity provider (IdP) and the application is the service provider (SP).

The developer must be familiar with the following terms before building a SAML-enabled connected app.

  • Service Provider (SP) - The system that provides the service to the user. In this case, the web application the user wants to connect Zoho CRM with acts as the SP.
  • Identity Provider (IdP) - The system that manages the identity information of the users, including user name, password and other crucial data. In this case, Zoho acts as the IdP.
  • Entity ID - A unique ID that allows the SP and IdP to identify each other.
    The Entity ID for Zoho CRM will be generated once you create the connected app. Provide this ID to the application you want to connect with Zoho CRM.
    The Entity ID for the web app will be provided in the SAML documentation for that application.
  • ACS URL (Assertion Consumer Service URL) - The Identity Provider will send the SAML response to this URL. This URL will be provided by the service provider.
  • Single Sign-on (SSO) - A session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications.
  • Subject Type - Subject type indicates the value that the Service Provider expects, e.g., user name, user ID, etc.
  • Name ID Format - The format in which the name ID must be specified. The name ID format you specify must be the same in both the IdP and the SP.

Workflow

  1. The user requests access to the service by selecting the Single Sign-on option.
  2. The Service Provider sends a SAML request to the Identity Provider, using the Entity ID of the IdP. The SAML request is embedded in the HTTP redirect that sends the user to the IdP.
  3. The IdP login screen appears and the user provides their login credentials for verification.
  4. Once the user is authenticated, the IdP sends a SAML assertion to the SP's ACS URL, along with the details mentioned in the Subject Type requested by the SP.
  5. After receiving these details, the SP provides access to the user.
  6. The user can now start accessing the resources.
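The SP-initiated flow above, as an added example that is not Zoho's code: a constructed Response of the kind the IdP posts to the ACS URL in step 4, and the checks an SP should run in step 5 before granting access. The Entity IDs, ACS URL and Name ID format are placeholders, and XML signature verification is assumed to be done by a SAML library before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
# Placeholder identifiers (constructed): the IdP Entity ID comes from the connected app,
# the SP values from the application's own SAML documentation.
SP_ENTITY_ID = "https://sp.example.test/metadata"
IDP_ENTITY_ID = "urn:placeholder:zoho-idp-entity-id"
ACS_URL = "https://sp.example.test/saml/acs"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample of the Response the IdP posts to the ACS URL (step 4). The XML
# signature is left out; a SAML library is assumed to have verified it already.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_resp1" Version="2.0" InResponseTo="_req1" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{NAMEID_FORMAT}">alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):  # UTC "Z" timestamps; both Conditions attributes are required here
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text, expected_request_id, now_utc):
    """Step 5: return (name_id, errors); name_id is None when any check fails."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, ["no Assertion element"]
    errors, now = [], _ts(now_utc)
    if root.get("Destination") != ACS_URL:
        errors.append("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        errors.append("InResponseTo does not match the AuthnRequest we sent")
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or issuer.text != IDP_ENTITY_ID:
            errors.append("Issuer is not the IdP Entity ID")
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != SP_ENTITY_ID:
        errors.append("Audience is not our SP Entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        errors.append("assertion is outside its validity window")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_FORMAT:
        errors.append("NameID format differs from what the SP expects")
    return (None if errors else name_id.text), errors
```

A mismatched Entity ID, ACS URL or Name ID format between the IdP and SP configuration shows up here as a rejected assertion rather than a silent login failure.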