
Secure MarkLogic Server

SAML-Based Authentication and Authorization

  • Last Updated: May 20, 2026
  • 2 minute read
    • MarkLogic Server
    • Version 12.0
    • Documentation

SAML is an open standard for providing both authentication and authorization data between two parties: the Identity Provider (IDP) and the Service Provider (SP).

The flow is shown in this diagram, where the Identity Provider is the SAML external agent, and the Service Provider is a MarkLogic Server app server:

Flow diagram for SAML-based authentication and authorization

  1. The client sends the user’s resource request to the Service Provider (MarkLogic Server).

  2. The Service Provider sends a redirect that includes a SAML request to the Identity Provider: the SAML vendor acting as the external agent.

  3. The Identity Provider sends a request for user credentials to the client.

  4. The client sends the user credentials to the Identity Provider.

  5. The Identity Provider authenticates the user.

  6. The Identity Provider sends a SAML Response to the Service Provider.

  7. The Service Provider validates the SAML Response.

  8. The Service Provider sends the user’s requested resources to the client.

Authentication occurs when the Identity Provider authenticates the user credentials that the client sends.

Authorization occurs when the Service Provider validates the SAML Response.

For both SAML authentication and authorization, MarkLogic Server uses the SAML assertion.

This assertion contains multiple Attribute elements, each carrying an attribute called Name. Each named Attribute element has a single child, AttributeValue:

  <saml:AttributeStatement>
    <saml:Attribute Name="group" ...>
      <saml:AttributeValue ...>dh-admin</saml:AttributeValue>
    </saml:Attribute>
    ...
  </saml:AttributeStatement>

Mapping this assertion to MarkLogic Server follows this basic outline:

  • When you log in to your external agent, you can see what user information can be included as part of the SAML response: roles, user groups, directories, and so on. Take note of the saml:AttributeStatement element as part of the SAML response.

  • Then, during MarkLogic Server external security configuration, use the appropriate saml:Attribute for your authorization requirements. Use the value of its Name attribute as the SAML Attribute Name in your external security object, and the corresponding saml:AttributeValue as the External Name for your MarkLogic Server user or role.
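The mapping outlined above, sketched as an added example (not MarkLogic Server code or its implementation): given an assertion from a SAML Response that has already been validated, read the values of the configured attribute and resolve them against external names. The sample assertion is constructed, and the role names, the lookup table and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"  # SAML 2.0 assertion namespace

# Constructed sample assertion fragment (not captured from a real Identity Provider).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="group">
      <saml:AttributeValue>dh-admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical table: External Name -> role name (both sides are assumptions).
EXTERNAL_NAME_TO_ROLE = {"dh-admin": "data-hub-admin", "dh-reader": "data-hub-reader"}


def attribute_values(assertion_xml, attribute_name):
    """Return the AttributeValue texts of Attributes whose Name matches exactly."""
    root = ET.fromstring(assertion_xml)
    values = []
    # Match on the namespace URI, not the "saml:" prefix, which can differ per vendor.
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != attribute_name:  # this sketch compares case-sensitively
            continue
        for val in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            text = (val.text or "").strip()
            if text:
                values.append(text)
    return values


def roles_for(assertion_xml, attribute_name, table=EXTERNAL_NAME_TO_ROLE):
    """Map asserted values to roles; a value with no External Name grants nothing."""
    asserted = attribute_values(assertion_xml, attribute_name)
    return sorted({table[v] for v in asserted if v in table})


if __name__ == "__main__":
    print(roles_for(SAMPLE_ASSERTION, "group"))
```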

MarkLogic Server supports configuring SAML through the external agents listed in this section.

Note:

You can also attempt to configure through unsupported external agents. All fields needed to configure external security are explained in these sections:
