Overview of SAML


Security Assertion Markup Language (SAML) is a mechanism used for communicating identities between two web applications. It enables web-based Single-Sign-On and hence eliminates the need for maintaining various credentials for various applications and reduces identity theft.

How does SAML SSO in Freshworks work?

  1. User wants to login to Freshworks using SAML SSO.

  2. Freshworks redirects the user to the login URL the Identity Provider, for example, OneLogin, provides. 

  3. User enters their credentials and OneLogin validates the user. 

  4. OneLogin redirects the user to Freshworks’ Consumer Assertion URL and passes an SAML Assertion telling Freshworks that the user is valid.

  5. User Attributes like Email address, First name and Last name of the user will be sent along with the Assertion by OneLogin to Freshworks. 

  6. Freshworks verifies OneLogin’s SHA-256 certificate and grants the user access. 


The address of the user is the only required field that Freshworks needs. Here is a sample code of how the email address is passed:


  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">example@test.awesomecompany.com</saml:NameID>

SAML usually involves three things:


A user

The person requesting the service.

A service provider

The application providing the service or protecting the resource.

An identity provider

The service/ repository that manages the user information.

A user requests for a SAML SSO to access a resource that is protected by a service provider. The service provider requests the identity provider to authenticate the user. The identity provider checks the existence of the user and sends back an assertion to the service provider that may or may not include the user information. The communication between the identity and service providers happens in the SAML data format. 


You can configure Freshworks to act as a service provider in this mechanism. You can use your own SAML server to act as an Identity provider or you could use some third party applications like OneLogin, Okta etc.


Fields required by your Identity Provider


The identity provider requires a Consumer Assertion URL to which it redirects the user after the authentication. Freshworks team will provide a custom assertion URL for your account and you can use this URL to configure SAML in your Identity Provider.

When the user requests for SAML SSO by arriving at the Freshworks URL, the XML Assertion will be sent to this URL.