SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties, specifically between an identity provider (IdP) and a service provider (SP). SAML enables secure, seamless single sign-on (SSO) experiences, allowing users to log in once and access multiple applications without re-entering credentials.
The current version, SAML 2.0, has been the industry standard since 2005 and remains widely deployed in enterprise environments for managing access to web applications and cloud services.
How Does SAML Work?
SAML establishes trust relationships between identity providers and service providers (exchanged out of band as signed metadata containing entity IDs, endpoints, and certificates), enabling authentication flows in which the user's password is only ever presented to the identity provider, never to the service provider.
Key Components
Identity Provider (IdP) - The system that authenticates users and creates SAML assertions (e.g., Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace)
Service Provider (SP) - The application or service the user wants to access (e.g., Salesforce, AWS, Office 365)
SAML Assertion - An XML document, signed by the IdP, containing statements about the user: how and when they authenticated, their attributes, and (rarely) authorization decisions
User/Principal - The person attempting to access a service
SAML Authentication Flow
- User requests access - User attempts to access a service provider application
- SP redirects to IdP - The service provider builds an AuthnRequest carrying a unique ID (which it remembers) and redirects the browser to the identity provider's SSO endpoint
- User authenticates - User enters credentials (or is already logged in to the IdP)
- IdP creates assertion - After successful authentication, the IdP generates a signed SAML assertion wrapped in a Response message
- Assertion sent to SP - The browser delivers the Response to the service provider's Assertion Consumer Service (ACS) URL, typically as an HTTP POST; the IdP and SP never talk to each other directly
- SP validates and grants access - The service provider verifies the signature against the IdP's certificate, checks issuer, audience, validity window and InResponseTo, then creates its own session for the user
This entire process happens in seconds, providing a seamless user experience.
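The SP-to-IdP leg of the flow above, as an added example that is not part of the original page: the SP builds an AuthnRequest, encodes it for the HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoding), and the IdP decodes it on receipt. The entity IDs and URLs are hypothetical, the request is left unsigned (a signed Redirect-binding request would add SigAlg and Signature query parameters), and the ID the SP generates is what it later compares against the Response's InResponseTo.

```python
"""Added example (not from the original page): SP-initiated SAML SSO, SP -> IdP leg.
Entity IDs and URLs below are hypothetical deployment values."""
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

SP_ENTITY_ID = "https://sp.example.com/saml/metadata"   # hypothetical
SP_ACS_URL = "https://sp.example.com/saml/acs"          # hypothetical
IDP_SSO_URL = "https://idp.example.org/sso/redirect"    # hypothetical


def new_request_id() -> str:
    """SAML IDs are xs:ID values and must start with a letter or underscore, not a digit."""
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id: str, issue_instant: datetime) -> str:
    """Serialize a minimal samlp:AuthnRequest as an XML string."""
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header, hence wbits=-15), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect(param: str) -> str:
    """Inverse of encode_redirect, as performed by the IdP."""
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")


def make_redirect_url(relay_state: str = "/dashboard") -> tuple[str, str]:
    """SP side: returns (request_id, redirect_url). The SP stores request_id in the
    user's pre-login session so it can check InResponseTo on the Response later."""
    request_id = new_request_id()
    xml_text = build_authn_request(request_id, datetime.now(timezone.utc))
    query = urllib.parse.urlencode({
        "SAMLRequest": encode_redirect(xml_text),
        "RelayState": relay_state,  # opaque value echoed back unchanged by the IdP
    })
    return request_id, f"{IDP_SSO_URL}?{query}"


def idp_parse_redirect(url: str) -> dict:
    """IdP side: pull SAMLRequest from the query string, inflate it and parse it.
    A real IdP must look the Issuer up in its registered SP metadata and only send
    the Response to an ACS URL listed there, not to whatever the request names."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    root = ET.fromstring(decode_redirect(params["SAMLRequest"][0]))
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{NS_SAML}}}Issuer"),
        "acs": root.get("AssertionConsumerServiceURL"),
        "relay_state": params.get("RelayState", [None])[0],
    }


if __name__ == "__main__":
    rid, url = make_redirect_url()
    print(url)
    print(idp_parse_redirect(url))
```

The wbits=-15 detail is the usual stumbling block when hand-rolling this binding: SAML's Redirect binding uses bare DEFLATE, so data produced with plain zlib.compress (which adds a zlib header) is rejected by conforming IdPs.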
SAML and Single Sign-On (SSO)
An important use case that SAML addresses is web-browser single sign-on (SSO). SAML SSO allows users to log in once at the identity provider and gain access to multiple applications without needing to remember various usernames and passwords.
Benefits of SAML SSO
Improved User Experience - Users log in once and access all authorized applications seamlessly
Enhanced Security - Reduces password fatigue, minimizes credential reuse, and centralizes authentication controls
Reduced IT Burden - Fewer password reset requests and simplified user provisioning
Centralized Access Control - Manage user access from a single identity provider
Audit Trail - Centralized logging of authentication events for compliance
SAML vs. Other Authentication Standards
SAML vs. OAuth
SAML - Designed for authentication and single sign-on, exchanging identity information
OAuth 2.0 - Designed for authorization and delegated access, granting limited access to resources without sharing credentials
SAML vs. OpenID Connect
SAML - XML-based, primarily for enterprise SSO, mature standard from 2005
OpenID Connect (OIDC) - JSON-based, built on OAuth 2.0, modern alternative favored for mobile and API-centric applications
SAML vs. Kerberos
SAML - Web-based authentication standard that moves messages through the browser using HTTP Redirect and HTTP POST bindings
Kerberos - Ticket-based network authentication protocol used mainly inside an organization's own network (e.g., Windows Active Directory domains)
SAML Assertion Types
A SAML assertion carries one or more statements, and SAML defines three kinds:
Authentication Statement
Proves the user has been authenticated and specifies when (AuthnInstant) and how (AuthnContext) authentication occurred.
Authorization Decision Statement
Indicates whether the user is authorized to perform an action on a specific resource. This statement type was frozen in SAML 2.0 and is rarely used; access-control decisions are normally made by the SP from attributes, or expressed in XACML.
Attribute Statement
Contains specific information about the user (email, department, role, etc.) that the service provider can use for personalization or access decisions.
SAML Use Cases
Enterprise SSO
The primary use case - enabling employees to access multiple internal and cloud applications with a single login.
B2B Partner Access
Allowing external partners or contractors to access your applications using their own organization's credentials.
Federated Identity
Creating identity federation across organizational boundaries without duplicating user accounts.
Cloud Application Access
Accessing SaaS applications (Salesforce, Workday, Box) through enterprise identity providers.
Compliance and Audit
Meeting regulatory requirements for centralized authentication and audit trails.
Technical Details
XML Structure
SAML uses Extensible Markup Language (XML) to standardize communications between systems. A SAML assertion is an XML document that contains:
- Issuer information
- Subject (user) information
- Conditions (time validity, audience restrictions)
- Authentication context
- Attribute statements
- XML Signature for integrity and proof of origin
Security Features
Digital Signatures - Assertions (and/or the enclosing Response) carry an XML Signature that the SP verifies against the IdP certificate from its metadata, so any tampering is detected
Encryption - Sensitive assertion data can be encrypted with XML Encryption (EncryptedAssertion) to the SP's public key, hiding it from the browser
Time-Based Validity - The Conditions element's NotBefore and NotOnOrAfter attributes bound the assertion's lifetime, normally to a few minutes
Audience Restrictions - The AudienceRestriction element names the SP entity ID the assertion is meant for, so an assertion issued for one SP cannot be replayed to another
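The following is an added example, not code from the original page, showing the XML structure described above and the checks a service provider applies to it before trusting a Response: destination, InResponseTo, status, issuer, a signature whose Reference actually points at the assertion being consumed, the NotBefore/NotOnOrAfter window with clock-skew tolerance, the audience, the bearer SubjectConfirmationData, and single use. The sample Response, entity IDs and URLs are constructed for the example, the ds:SignatureValue is a placeholder, and cryptographic verification of the signature is deliberately left to an XML-DSig library (python3-saml or signxml in real code).

```python
"""Added example (not from the original page): SP-side validation of a SAML Response.
Entity IDs, URLs and the sample Response are constructed; signature bytes are a
placeholder and are NOT cryptographically verified here."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
IDP_ENTITY_ID = "https://idp.example.org/metadata"       # hypothetical, from IdP metadata
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"    # hypothetical, our own entity ID
SP_ACS_URL = "https://sp.example.com/saml/acs"           # hypothetical, our ACS endpoint
CLOCK_SKEW = timedelta(minutes=3)                        # tolerated IdP/SP clock drift
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_resp1" Version="2.0" IssueInstant="2025-01-15T10:00:00Z" InResponseTo="_req1"
 Destination="https://sp.example.com/saml/acs">
 <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
   <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2025-01-15T10:05:00Z" InResponseTo="_req1"
     Recipient="https://sp.example.com/saml/acs"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2025-01-15T09:59:00Z" NotOnOrAfter="2025-01-15T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2025-01-15T09:59:30Z" SessionIndex="_s1"/>
  <saml:AttributeStatement><saml:Attribute Name="department">
   <saml:AttributeValue>security</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""


def parse_time(value: str) -> datetime:
    """SAML dateTimes are UTC ('Z'); fractional seconds, if present, are dropped."""
    return datetime.strptime(value.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(xml_text, in_response_to, now, seen_ids):
    """Raise ValueError on the first failed check; return (name_id, attributes) on success.
    in_response_to is the ID of the AuthnRequest this SP sent (pass None only if unsolicited,
    IdP-initiated responses are explicitly allowed); seen_ids is the SP's replay cache."""
    root = ET.fromstring(xml_text)  # production code: parse with defusedxml to block entity attacks
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    if root.get("InResponseTo") != in_response_to:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP reported a non-success status")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # an EncryptedAssertion would have to be decrypted first
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    aid = a.get("ID", "")
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion issued by an unexpected IdP")
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + aid:
        raise ValueError("assertion is unsigned or the signature covers a different element")
    # ... verify ds:Signature against the IdP certificate from metadata here ...
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion has no validity window")
    if cond.get("NotBefore") and now < parse_time(cond.get("NotBefore")) - CLOCK_SKEW:
        raise ValueError("assertion not yet valid")
    if now >= parse_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise ValueError("assertion expired")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not intended for this SP")
    scd = a.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != in_response_to
            or now >= parse_time(scd.get("NotOnOrAfter", "1970-01-01T00:00:00Z")) + CLOCK_SKEW):
        raise ValueError("bearer SubjectConfirmationData check failed")
    if aid in seen_ids:
        raise ValueError("assertion replayed")
    seen_ids.add(aid)  # entries can be evicted once NotOnOrAfter + CLOCK_SKEW has passed
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), attrs


def try_validate(xml_text, in_response_to, now, seen_ids) -> str:
    """Same checks, returning "ok" or the failure reason instead of raising."""
    try:
        validate_response(xml_text, in_response_to, now, seen_ids)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

Two design points: the checks are ordered so that cheap structural rejections happen before anything the assertion says is consulted, and the Reference URI comparison ensures the signature an XML-DSig library later verifies is the one over the assertion actually being used rather than over some other element in the document.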
Benefits of SAML
Standardization - Open standard supported by major identity and service providers
Security - Credentials never pass through service providers; centralized authentication control
User Convenience - Single login for multiple applications
Reduced Password Risk - Fewer passwords to manage and remember
Cross-Domain SSO - Works across different domains and organizations (Multi-Domain SSO or MDSSO)
Platform Independence - Works across different platforms and technologies
Mature Ecosystem - Extensive vendor support and implementation experience
Challenges and Limitations
Complexity - SAML can be complex to configure and troubleshoot
XML Overhead - XML payloads are larger than JSON alternatives
Mobile/API Support - Less suited for modern mobile apps and API authentication compared to OAuth/OIDC
Certificate Management - Requires managing X.509 certificates and key rotation
User Experience on Failure - Error messages can be cryptic for end users
SAML in 2025
Despite newer alternatives like OpenID Connect, SAML remains prevalent in enterprise environments:
Current Status
- Still the dominant enterprise SSO standard
- Widely supported by enterprise applications and identity providers
- Still a regular subject of security advisories and threat reports, mostly about flawed SP-side validation rather than the protocol itself
- The 2.0 specification itself is stable; current security guidance comes mainly from implementation profiles, library advisories, and vendor hardening documentation
When to Use SAML
Enterprise environments - Well-established in enterprise SSO implementations
Legacy applications - Many existing applications support SAML but not newer standards
Compliance requirements - When regulations require specific authentication standards
Cross-organizational federation - For B2B scenarios requiring identity federation
When to Consider Alternatives
Mobile applications - OpenID Connect is better suited for mobile
API authentication - OAuth 2.0 is designed for API access delegation
Modern microservices - OIDC integrates better with cloud-native architectures
Developer experience - JSON-based standards are easier to work with than XML
Common SAML Identity Providers
- Microsoft Entra ID (formerly Azure AD)
- Okta
- OneLogin
- Ping Identity
- Google Workspace
- AWS IAM Identity Center
- Auth0
- JumpCloud
Common SAML Service Providers
- Salesforce
- AWS
- Office 365 / Microsoft 365
- Google Workspace
- Dropbox
- Zoom
- Slack
- Atlassian (Jira, Confluence)
Frequently Asked Questions (FAQ)
What does SAML stand for?
SAML stands for Security Assertion Markup Language, an XML-based standard for exchanging authentication and authorization data between identity providers and service providers.
How is SAML different from SSO?
SAML is a protocol/standard that enables SSO (Single Sign-On). SSO is the capability that allows users to log in once and access multiple applications, while SAML is one of the technical methods to implement SSO.
Is SAML secure?
Yes, when properly implemented, SAML is secure. It uses digital signatures to prevent tampering, doesn't transmit passwords to service providers, and supports encryption for sensitive data. However, like any security system, it must be configured correctly: in practice the weak point is almost always the service provider's validation, so an SP must verify the signature against the IdP's metadata certificate, check issuer, audience, validity window, Destination and InResponseTo, reject replayed assertions, and parse the XML with a hardened parser.
What version of SAML should I use?
SAML 2.0 is the current standard and should be used for all new implementations. Earlier versions (SAML 1.0, 1.1) are deprecated.
Can SAML work with mobile applications?
While SAML can work with mobile apps, it's not ideal for mobile environments. OpenID Connect (OIDC) is generally recommended for mobile applications due to its JSON-based, mobile-friendly design.
What is a SAML assertion?
A SAML assertion is an XML document created by the identity provider that contains authentication and authorization information about the user. It's digitally signed and sent to the service provider to grant access.
How long is a SAML assertion valid?
SAML assertions carry a validity window (the Conditions element's NotBefore and NotOnOrAfter attributes) set by the identity provider, typically only a few minutes, since the assertion is only meant to be consumed once at login. The service provider checks these timestamps, allowing for small clock skew, and then issues its own session, whose lifetime (often hours) is a separate setting and may be capped by the SessionNotOnOrAfter value in the assertion's authentication statement.
What is the difference between IdP-initiated and SP-initiated SAML?
SP-initiated: User starts at the service provider, which sends an AuthnRequest and redirects to the IdP for authentication (most common); the Response carries an InResponseTo that the SP can tie back to its request
IdP-initiated: User starts at the identity provider and selects which service to access; the Response is unsolicited and has no InResponseTo, so an SP that accepts it loses that binding and should enable IdP-initiated SSO only when needed
Can I use SAML for API authentication?
While technically possible, SAML is not well-suited for API authentication. OAuth 2.0 is the recommended standard for API authorization; where an organization already has SAML, a SAML assertion can be exchanged for an OAuth access token using the SAML bearer assertion grant (RFC 7522), so the two can be combined rather than chosen between.
Is SAML being replaced by OpenID Connect?
Not entirely. While OpenID Connect is growing in popularity, especially for mobile and modern cloud applications, SAML remains the dominant standard in enterprise environments and continues to be actively used and supported.
Do users need to install anything to use SAML?
No, SAML works through standard web browsers without requiring any special software or plugins on the user's device.