# SAML basics

Security Assertion Markup Language (SAML) is a standard for exchanging authentication information between identity and service providers. SAML authentication is a single sign-on mechanism where a centralized identity provider (IdP) performs user authentication, while the service provider (SP) only makes access control decisions based on the results of authentication.

The main benefits of using SAML authentication are as follows:

* Service providers don't need to maintain their own user databases. User information is stored in a centralized database on the identity provider side. If a user has to be added or removed, it only needs to be done in a single database.
* Service providers don't need to validate users themselves, so there's no need for a secure authentication and authorization implementation on the service provider's side.
* Single sign-on means that a user has to log in once. All subsequent sign-ons (when a user launches a different application) are automatic.
* Users don't have to type in credentials when signing in.
* Users don't have to remember and renew passwords.
* No weak passwords.

**The single sign-on process**

SAML single sign-on can be initiated on the service provider side or on the identity provider side. The two scenarios are outlined below.

The SAML single sign-on process initiated on the service provider side consists of the following steps:

1. A user opens Parallels Client (one of the [supported versions](https://docs.parallels.com/landing/ras-admin-guide/v19-en-us/parallels-ras-19-administrators-guide/saml-sso-authentication/system-requirements)) and connects to the service provider.
2. The service provider sends a message to the identity provider, asking to authenticate the user.
3. The identity provider asks the user for a username and password.
4. If the user credentials are correct, an authentication response (assertion) is sent to the client and then passed to the service provider. The response contains a message that the user has logged in successfully; the identity provider signs the assertion.
5. The user is presented with the published applications list. When the user launches an application, there's no prompt for credentials.

Single sign-on can also be initiated on the identity provider side, in which case the basic steps are the following:

1. A user logs in to the identity provider via a web browser and is presented with a list of enterprise applications, including Parallels RAS.
2. Once Parallels RAS is selected, the assertion is sent to the client, then passed to the service provider configured for Parallels RAS.
3. Users are presented with the RAS published applications list.
4. When the user launches an application, there is no prompt for credentials.
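
The following added example (not Parallels code) walks through steps 2 and 4 of the service-provider-initiated flow and shows how a service provider can tell that flow apart from the identity-provider-initiated one: a solicited response carries an `InResponseTo` attribute matching the request ID, while an unsolicited response carries none. It assumes the SAML 2.0 HTTP-Redirect binding for the request, placeholder `example.test` URLs, hypothetical function names, and the standard-library XML parser in place of a hardened one; signature verification is out of scope.

```python
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def build_authn_request(sp_entity_id, acs_url, idp_sso_url):
    """Step 2, SP side: build an AuthnRequest and the redirect URL carrying it."""
    request_id = "_" + uuid.uuid4().hex  # XML IDs must not start with a digit
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "Destination": idp_sso_url,
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": acs_url})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    # HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoding.
    deflater = zlib.compressobj(wbits=-15)
    packed = deflater.compress(ET.tostring(root)) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(packed).decode()})
    return request_id, f"{idp_sso_url}?{query}"

def read_authn_request(redirect_url):
    """Step 2, IdP side: recover the request ID and issuer from the URL."""
    encoded = parse_qs(urlparse(redirect_url).query)["SAMLRequest"][0]
    root = ET.fromstring(zlib.decompress(base64.b64decode(encoded), -15))
    return root.get("ID"), root.find(f"{{{SAML}}}Issuer").text

def classify_response(response_xml, pending_ids):
    """Step 4, SP side: tie a Response to the flow that produced it.
    Signature and validity-window checks are separate and not shown here."""
    in_response_to = ET.fromstring(response_xml).get("InResponseTo")
    if in_response_to is None:
        return "idp-initiated"  # unsolicited: no AuthnRequest preceded it
    if in_response_to in pending_ids:
        pending_ids.discard(in_response_to)  # each request is answered once
        return "sp-initiated"
    return "rejected"  # answers a request this SP never sent, or a replay

if __name__ == "__main__":
    # Constructed sample values; the example.test hosts are placeholders.
    rid, url = build_authn_request("https://sp.example.test/saml",
        "https://sp.example.test/saml/acs", "https://idp.example.test/sso")
    print(read_authn_request(url))
    pending = {rid}
    reply = f'<Response xmlns="{SAMLP}" InResponseTo="{rid}"/>'
    print(classify_response(reply, pending))   # first delivery
    print(classify_response(reply, pending))   # same response delivered again
    print(classify_response(f'<Response xmlns="{SAMLP}"/>', pending))
```

Whether a service provider accepts the unsolicited (identity-provider-initiated) case at all is a policy decision; in either flow the assertion's signature must be verified before any attribute in it is trusted.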


