[role="xpack"]
[[saml-realm]]
=== SAML authentication
The {stack} {security-features} support user authentication using SAML
single sign-on (SSO). The {security-features} provide this support using the Web
Browser SSO profile of the SAML 2.0 protocol.

This protocol is specifically designed to support authentication via an
interactive web browser, so it does not operate as a standard authentication
realm. Instead, there are {kib} and {es} {security-features} that work
together to enable interactive SAML sessions.

This means that the SAML realm is not suitable for use by standard REST clients.
If you configure a SAML realm for use in {kib}, you should also configure
another realm, such as the <<native-realm, native realm>> in your authentication
chain.

In order to simplify the process of configuring SAML authentication within the
Elastic Stack, there is a step-by-step guide to
<<saml-guide, Configuring Elasticsearch and Kibana to use SAML single sign-on>>.

The remainder of this document will describe {es} specific configuration options
for SAML realms.

[[saml-settings]]
==== SAML realm settings

See {ref}/security-settings.html#ref-saml-settings[SAML realm settings]. 

==== SAML realm signing settings

See {ref}/security-settings.html#ref-saml-signing-settings[SAML realm signing settings]. 

==== SAML realm encryption settings

See {ref}/security-settings.html#ref-saml-encryption-settings[SAML realm encryption settings]. 

==== SAML realm SSL settings

See {ref}/security-settings.html#ref-saml-ssl-settings[SAML realm SSL settings].