How is SAML solving the cross domain single sign-on problem?

  • Let's say I have two websites that live on separate domains, and their service providers both talk to the same identity provider on a third domain. I log into the first website and authenticate, and now I decide to visit the second website. The second website communicates with the identity provider so I don't need to log in again to access my account. How is this achieved using SAML? Is it possible to use cookies in this case?

  • Xander

    Xander Correct answer

    8 years ago

    It actually can be a cookie, because it needn't be associated with the service provider at all, only the identity provider. All either of the two service providers are going to do is make the authentication request to the identity provider, so the process for an unauthenticated user is going to be the same for as it is for

    However, when the first request is made from and the user is redirected to, the user will login to and can then set a cookie for

    Then, when the user visits, it too will redirect the unauthenticated user to, but this time, the browser will have a cookie to send along with the request from the last time the user visited, even though that visit was initiated by a different service provider.

    Thus, the cookie from can identify the user as already authenticated, and the identity provider can continue the process of issuing an assertion for the user to without requiring the user to complete the login workflow again.
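The flow the answer describes, written out as an added simulation that is not part of the original post: two service providers on separate domains send authentication requests to one identity provider, the identity provider sets a session cookie on its own domain after the first login, and the second service provider's request is answered with an assertion without another login prompt. The hostnames, user, and password are constructed; Python dicts stand in for SAML AuthnRequest/Response XML, and an HMAC stands in for the XML signature the identity provider would really apply. The service-provider side also checks audience, InResponseTo, expiry, and assertion ID reuse, which is what keeps an assertion minted for one site from being accepted at the other.

```python
import hashlib
import hmac
import json
import secrets
import time

IDP_DOMAIN = "idp.example"  # assumed identity-provider hostname


def _sign(key: bytes, payload: dict) -> str:
    """HMAC over a canonical serialization; stands in for XML-DSig."""
    canon = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class Browser:
    """Cookie jar keyed by domain, so a cookie set by the IdP is only ever sent to the IdP."""
    def __init__(self):
        self.cookie_jar = {}
        self.login_prompts = 0  # how many times the user had to type credentials

    def cookies_for(self, domain):
        return self.cookie_jar.get(domain, {})

    def set_cookie(self, domain, name, value):
        self.cookie_jar.setdefault(domain, {})[name] = value


class IdentityProvider:
    def __init__(self, signing_key: bytes, users: dict):
        self._key = signing_key
        self._users = users      # username -> password (constructed test data)
        self._sessions = {}      # cookie value -> (username, expiry)

    def _session_user(self, browser):
        sid = browser.cookies_for(IDP_DOMAIN).get("idp_session")
        entry = self._sessions.get(sid)
        if entry and entry[1] > time.time():
            return entry[0]
        return None

    def handle_authn_request(self, request, browser, credentials=None):
        user = self._session_user(browser)
        if user is None:
            if credentials is None:
                return {"status": "login_required"}
            username, password = credentials
            if not hmac.compare_digest(self._users.get(username, ""), password):
                return {"status": "login_failed"}
            # Fresh login: mint a session cookie scoped to the IdP domain only.
            sid = secrets.token_urlsafe(32)
            self._sessions[sid] = (username, time.time() + 8 * 3600)
            browser.set_cookie(IDP_DOMAIN, "idp_session", sid)
            user = username
        assertion = {
            "id": secrets.token_hex(16),
            "issuer": IDP_DOMAIN,
            "subject": user,
            "audience": request["issuer"],          # bound to the requesting SP
            "in_response_to": request["id"],
            "not_on_or_after": time.time() + 300,
        }
        return {"status": "ok", "assertion": assertion,
                "signature": _sign(self._key, assertion)}


class ServiceProvider:
    def __init__(self, entity_id, idp_key):
        self.entity_id = entity_id
        self._idp_key = idp_key
        self._pending = set()   # request IDs we issued and have not yet consumed
        self._seen = set()      # assertion IDs already accepted (replay guard)

    def authn_request(self):
        req = {"id": secrets.token_hex(16), "issuer": self.entity_id}
        self._pending.add(req["id"])
        return req

    def consume_response(self, response):
        """Return the authenticated subject, or None if the assertion is rejected."""
        if response["status"] != "ok":
            return None
        a = response["assertion"]
        if not hmac.compare_digest(_sign(self._idp_key, a), response["signature"]):
            return None
        if a["audience"] != self.entity_id or a["in_response_to"] not in self._pending:
            return None
        if a["not_on_or_after"] <= time.time() or a["id"] in self._seen:
            return None
        self._pending.discard(a["in_response_to"])
        self._seen.add(a["id"])
        return a["subject"]


def sso_visit(sp, idp, browser, credentials=None):
    """One SP-initiated visit: redirect to IdP, log in only if the IdP asks."""
    request = sp.authn_request()
    response = idp.handle_authn_request(request, browser)
    if response["status"] == "login_required":
        browser.login_prompts += 1
        if credentials is None:
            return None
        response = idp.handle_authn_request(request, browser, credentials)
    return sp.consume_response(response)


def demo():
    key = secrets.token_bytes(32)
    idp = IdentityProvider(key, {"alice": "correct horse battery staple"})
    sp_a = ServiceProvider("sp-a.example", key)   # assumed hostnames
    sp_b = ServiceProvider("sp-b.example", key)
    browser = Browser()
    first = sso_visit(sp_a, idp, browser, ("alice", "correct horse battery staple"))
    second = sso_visit(sp_b, idp, browser)        # no credentials offered this time
    return first, second, browser.login_prompts


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the subject for both visits with a login-prompt count of one: the second service provider never saw the user's password, only the identity provider's signed assertion, and the cookie that made that possible was never sent to either service provider's domain.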

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM