Security Assertion Markup Language (SAML) is an XML-based framework allowing communication between a Service Provider (SP) and an Identity Provider (IdP) to facilitate authentication (identifies a user logging in) and authorization (confirms the logged-in user has access).

Using SAML provides:

  • Standardization and interoperability between systems, independent of implementation, which removes common problems associated with vendor- and platform-specific architecture and implementation.
  • An improved experience that enables users to access multiple service providers with one sign-in, without additional authentication (faster with each service provider).
  • An authentication system that helps you avoid password issues such as reset and recovery.
  • Increased security, because a secure Identity Provider (IdP) is a single point of authentication. Credentials remain within the IdP's firewall boundary.
  • Loose coupling of directories, which means user information doesn't have to synchronize between directories.

SAML enables you to control authentication such that Anaplan doesn't store the passwords of your users. 

In the SAML flow, Anaplan is the service provider (SP) and your organization is the IdP. These steps assume Anaplan is the SP that starts the SAML authentication, and that the end user selects the friendly URL that Anaplan provides. The friendly URL format has specific configuration requirements.

Anaplan implements the standard SAML 2.0 framework that supports:

  • Signed/unsigned AuthnRequests.
  • A digital signature on the SAML authentication response (AuthnResp), which is validated; the message is decrypted if required.
  • SAML RSA keys with a minimum size of 2048 bits.
  • HTTP REDIRECT SAML binding profile for IdP assertions.
  • SP Initiated SAML using HTTP REDIRECT (GET).
  • Support for federation server vendors including Microsoft ADFS, Okta, and Ping Federate.

The SAML framework provides optional attributes. Minimally, the timestamp attributes are validated. If additional validations are required, you can work outside the standard SAML 2.0 framework.
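As an added illustration of the minimal checks described above (example code, not Anaplan's own), the following Python parses a constructed SAML Response, validates the assertion's NotBefore/NotOnOrAfter window with a small clock-skew allowance, checks that the audience matches an assumed SP entity ID, and checks that a Signature element is present. The entity IDs and timestamps are placeholders, and cryptographic verification of the signature is left to an XML-DSig library.

```python
"""Minimal defender-side checks on a SAML 2.0 Response (added example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SP_AUDIENCE = "https://sp.example.test"  # assumed SP entity ID (placeholder)

# Constructed sample response; the IdP, SP and times are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <saml:Conditions NotBefore="2024-01-15T10:00:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_ts(value):
    """SAML timestamps are UTC xs:dateTime values ending in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def validate_response(xml_text, expected_audience, now, skew=timedelta(seconds=60)):
    """Return (ok, reasons): timestamp window, audience, and signature presence.
    Presence of ds:Signature is only a structural check; verify it with XML-DSig."""
    reasons = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return False, ["no Assertion"]
    if assertion.find("ds:Signature", NS) is None:
        reasons.append("assertion is not signed")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("no Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_ts(nb) - skew:
            reasons.append("assertion not yet valid")
        if na and now >= parse_ts(na) + skew:  # NotOnOrAfter is exclusive
            reasons.append("assertion expired")
        auds = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if auds and expected_audience not in auds:
            reasons.append("audience mismatch")
    return not reasons, reasons

def check_sample(now_iso):
    """Run the checks on the constructed response at the given UTC time."""
    return validate_response(SAMPLE_RESPONSE, SP_AUDIENCE, parse_ts(now_iso))
```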

Note that your users aren't required to be on your internal network. For an introduction to SAML, see http://wso2.com/library/articles/2014/02/introduction-to-security-assertion-markup-language-2.0. This web page has a diagram of the three-way relationship between the IdP, the SP, and the browser.