Supabase Blog

What is SAML? A practical guide to the authentication protocol


Introduction

SAML (Security Assertion Markup Language) is an authentication protocol that facilitates single sign-on (SSO) between an identity provider and a service provider. This guide explains the process of setting up SAML between an application (Supabase) and its users (ACME Inc.), who use GSuite as their identity provider.

SAML Connection between Supabase and ACME's GSuite

To establish a SAML connection, Supabase and ACME's GSuite exchange information. Supabase needs an X.509 certificate from ACME's GSuite so it can verify the signatures on the SAML responses it receives. It also needs to know which attributes ACME's GSuite will send, such as email, name, and groups. Both sides exchange SAML metadata documents, which carry the X.509 certificates and endpoint URLs each needs.

SAML Authorization Flow

The SAML authorization flow can be SP-initiated or IdP-initiated. In the SP-initiated flow, the user visits Supabase's website, enters their email, chooses to sign in with SAML SSO, and is redirected to GSuite to authenticate. In the IdP-initiated flow, the user signs into GSuite first and selects Supabase from the list of applications allowed for them.
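To make the two flows concrete, here is an added example (not Supabase's code) of what a service provider does on each side: build and encode an AuthnRequest for the SP-initiated flow, then, on receiving a Response, tell the two flows apart by the presence of InResponseTo and apply the checks both need. The SP entity ID, ACS URL, IdP URL and the Response document are constructed placeholders, and `build_authn_request`, `decode_redirect_request`, `sample_response` and `classify_response` are hypothetical helper names. The Response is unsigned; a real SP verifies the XML signature with the IdP certificate from the metadata before running any of these checks.

```python
"""SP-initiated and IdP-initiated SAML flows as the service provider sees them.

Added example. Every URL and identifier is a placeholder, and the Response
below is a constructed, unsigned sample: a real SP verifies the XML
signature against the IdP certificate before trusting any of its contents.
"""
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"        # placeholder
ACS_URL = "https://sp.example.test/saml/acs"                  # placeholder
IDP_SSO_URL = "https://idp.example-acme.test/sso/redirect"    # placeholder
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # real IdPs may also emit fractional seconds


def build_authn_request(request_id=None, issue_instant=None):
    """SP-initiated: build an AuthnRequest and its HTTP-Redirect URL.

    Returns (request_id, url). The SP must remember request_id: the IdP
    echoes it back as InResponseTo, which is how the response is matched."""
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime(TIME_FMT)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
           f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
           'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return request_id, f"{IDP_SSO_URL}?{query}"


def decode_redirect_request(url):
    """Inverse of the binding above (what the IdP does on receipt)."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


def sample_response(in_response_to=None, not_on_or_after="2099-01-01T00:00:00Z"):
    """Constructed Response; in_response_to=None mimics an IdP-initiated one."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}"{irt}>
  <saml:Issuer>https://idp.example-acme.test/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example-acme.test/saml</saml:Issuer>
    <saml:Subject><saml:NameID>alice@acme.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@acme.example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="name"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups"><saml:AttributeValue>engineering</saml:AttributeValue>
        <saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def classify_response(response_xml, outstanding_request_ids, now=None):
    """Decide which flow produced a Response, check it, and return the identity.

    SP-initiated: InResponseTo names an AuthnRequest this SP issued and has
    not yet consumed. IdP-initiated: no InResponseTo at all. Anything else
    (an ID we never issued, or one already used) is rejected."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    irt = root.get("InResponseTo")
    if irt is None:
        flow = "idp-initiated"
    elif irt in outstanding_request_ids:
        flow = "sp-initiated"
        outstanding_request_ids.discard(irt)  # each request ID is good once
    else:
        raise ValueError("InResponseTo does not match an outstanding request")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Response was not addressed to our ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError(f"IdP reported failure: {status}")
    a = root.find("saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS)
    expiry = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    if now >= expiry:
        raise ValueError("assertion has expired")
    if cond.find("saml:AudienceRestriction/saml:Audience", NS).text != SP_ENTITY_ID:
        raise ValueError("assertion was issued for a different SP")
    attrs = {at.get("Name"): [v.text.strip() for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"flow": flow, "name_id": a.find("saml:Subject/saml:NameID", NS).text,
            "attributes": attrs}
```

Whether to accept IdP-initiated responses at all is a policy decision: they carry no InResponseTo, so the SP cannot tie them to a session it started, and the remaining defences are the signature, the audience, the destination and the validity window checked above. Many SPs allow only the SP-initiated flow for exactly that reason.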

SAML Authentication with Supabase

SAML can be enabled per Supabase project, and the signInWithSSO method starts the authentication flow from the application. Because the resulting identity is available to Postgres, row-level security (RLS) policies can grant fine-grained access based on who the user is.

Conclusion

This guide provided a comprehensive overview of SAML and its practical implementation in conjunction with row-level security. It covered the process of establishing a SAML connection, the SAML authorization flow, and integrating SAML authentication with Supabase.