SAML, SOAP and APIs... the big picture?

I need a better understanding of the relationship between SAML and API integrations.

Our company has two major needs :

(1) single sign-on (user 'Bob' will log in to '' and then click a link to automatically enter our site without logging in again)
(2) transfer of information - one of our tools will send an XML string to company X, they will run a program and return an XML string to us with additional information. Currently this is done through a web service (API). Not sure how to better secure this. Does SAML come into play here?

I see how SAML will be used for (1) the single sign-on.   But is SAML used for, or needed for an API when passing XML strings?   We currently use SOAP or just XML.  

Please let me understand how SAML, SOAP and web services all play together.
If I were to approach a new company with the idea of creating a web service to communicate, would they ask me to use SAML?
The general idea is that you usually want your API requests to have some kind of authentication so that your API cannot be abused by just anyone who knows it's there.

So you can send along credentials (username / password) in your SOAP request, but that means hardcoding those credentials somewhere and maintaining them. Plus, if the credentials leak somehow, then anyone who knows them can make calls to the API using them.

SAML improves upon this by allowing the script to pass in a valid session token for authentication. The token can be acquired in various ways - it's sort of up to you to decide that part. One indirect example is passing the token from a regular user session - the user logs into some system using SAML and that system issues them a session ID. Then the session ID is passed into the code that is making the requests to the API. So the code isn't using a fixed set of credentials anymore but rather a generated token (session ID) that is tied to an active, logged-in user.

Another, more direct example would be having the script contact the IdP directly, get an assertion for the API, then the API returns a session token that can be used for further calls.
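The two patterns the answer contrasts, as an added example that is not part of the original thread or any product it mentions: a SOAP call carrying fixed credentials in a WS-Security UsernameToken header, beside the token flow where the script obtains a signed assertion from the IdP, exchanges it at the API for a short-lived session token, and then uses that token on later calls. The IdP and API are toy in-process objects, the signing key, user names, the `urn:example:api` namespace and the `SessionToken` header are all constructed for the example, and the assertion is a simplified stand-in for a real SAML assertion (HMAC over a few fields instead of XML-DSig over SAML XML), so it shows the shape of the check, not a drop-in implementation.

```python
"""Fixed credentials in a SOAP header versus an IdP-issued assertion exchanged
for a session token. Toy IdP and API in one process; assertion format is a
simplification of SAML, not real SAML XML."""
import hashlib, hmac, secrets, time
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
APP_NS = "urn:example:api"              # assumed namespace for the session-token header
IDP_KEY = b"constructed-idp-signing-key"  # stands in for the IdP's real signing key
API_AUDIENCE = "urn:example:api"         # the assertion must name this API as its audience

def soap_envelope(header, body_xml):
    """Wrap one header element and a body fragment in a SOAP 1.1 envelope."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header").append(header)
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")

def username_token_header(user, password):
    """Pattern (a): a long-lived secret travels with every request."""
    sec = ET.Element(f"{{{WSSE_NS}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE_NS}}}Username").text = user
    ET.SubElement(tok, f"{{{WSSE_NS}}}Password").text = password
    return sec

def session_token_header(token):
    """Pattern (b): a short-lived token the API itself issued (assumed header name)."""
    hdr = ET.Element(f"{{{APP_NS}}}SessionToken")
    hdr.text = token
    return hdr

def _canonical(subject, audience, not_after):
    return f"{subject}|{audience}|{not_after}".encode()

class IdP:
    """Toy identity provider: signs (subject, audience, expiry) with its key."""
    def __init__(self, key):
        self.key = key
    def issue_assertion(self, subject, audience, ttl=300, now=None):
        not_after = int(time.time() if now is None else now) + ttl
        a = ET.Element("Assertion")
        ET.SubElement(a, "Subject").text = subject
        ET.SubElement(a, "Audience").text = audience
        ET.SubElement(a, "NotOnOrAfter").text = str(not_after)
        sig = hmac.new(self.key, _canonical(subject, audience, not_after), hashlib.sha256)
        ET.SubElement(a, "Signature").text = sig.hexdigest()
        return ET.tostring(a, encoding="unicode")

class Api:
    """Toy web service that accepts either a UsernameToken or a session token."""
    def __init__(self, idp_key, audience, fixed_users, session_ttl=900):
        self.idp_key, self.audience = idp_key, audience
        self.fixed_users = fixed_users        # user -> password (pattern a)
        self.sessions = {}                    # token -> (subject, expiry) (pattern b)
        self.session_ttl = session_ttl

    def exchange_assertion(self, assertion_xml, now=None):
        """Validate signature, audience and expiry; mint a session token on success."""
        now = time.time() if now is None else now
        a = ET.fromstring(assertion_xml)
        subject, audience = a.findtext("Subject"), a.findtext("Audience")
        not_after, sig = int(a.findtext("NotOnOrAfter")), a.findtext("Signature") or ""
        expected = hmac.new(self.idp_key, _canonical(subject, audience, not_after), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            raise PermissionError("assertion signature invalid")   # tampered or forged
        if audience != self.audience:
            raise PermissionError("assertion issued for a different audience")
        if now >= not_after:
            raise PermissionError("assertion expired")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (subject, now + self.session_ttl)
        return token

    def handle(self, envelope_xml, now=None):
        """Authenticate one SOAP request and return the calling subject."""
        now = time.time() if now is None else now
        header = ET.fromstring(envelope_xml).find(f"{{{SOAP_NS}}}Header")
        tok = header.find(f"{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
        if tok is not None:
            user = tok.findtext(f"{{{WSSE_NS}}}Username") or ""
            pw = (tok.findtext(f"{{{WSSE_NS}}}Password") or "").encode()
            stored = self.fixed_users.get(user, "").encode()
            if not stored or not hmac.compare_digest(stored, pw):
                raise PermissionError("bad credentials")
            return user
        session = header.findtext(f"{{{APP_NS}}}SessionToken") or ""
        subject, expiry = self.sessions.get(session, (None, 0))
        if subject is None or now >= expiry:
            raise PermissionError("missing, unknown or expired session token")
        return subject

def demo():
    """Run both flows plus the failure cases and return what the API decided."""
    idp, api = IdP(IDP_KEY), Api(IDP_KEY, API_AUDIENCE, {"svc-account": "hunter2"})
    body = "<Lookup xmlns='urn:example:api'><Id>42</Id></Lookup>"   # constructed payload
    out = {"fixed": api.handle(soap_envelope(username_token_header("svc-account", "hunter2"), body))}
    assertion = idp.issue_assertion("bob", API_AUDIENCE)
    token = api.exchange_assertion(assertion)
    out["session"] = api.handle(soap_envelope(session_token_header(token), body))
    for name, bad in [("tampered", assertion.replace("<Subject>bob", "<Subject>admin")),
                      ("wrong_audience", idp.issue_assertion("bob", "urn:example:other")),
                      ("expired", idp.issue_assertion("bob", API_AUDIENCE, ttl=1, now=0))]:
        try:
            api.exchange_assertion(bad)
            out[name] = "accepted"
        except PermissionError:
            out[name] = "rejected"
    return out
```

With the fixed-credential pattern the API can only tell that *someone* holding `hunter2` called; with the assertion flow it knows which subject the IdP vouched for, the token it hands out expires on its own, and a tampered, re-targeted or stale assertion never gets a session at all. In a real deployment the signature check would be XML-DSig verified against the IdP's certificate, and the API would also track assertion IDs to stop replay.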

gdemaria (Author) commented:
Thank you!