SAML (Security Assertion Markup Language)
Definition
SAML (Security Assertion Markup Language) is an XML-based open standard for exchanging authentication and authorization data between parties — specifically between an identity provider (IdP) and a service provider (SP).
SAML is the foundation of Single Sign-On (SSO) for enterprise applications. When a user logs in to their corporate IdP, SAML tokens grant them access to multiple applications without re-authenticating.
SAML Flow (Browser SSO)
User → SP (e.g., Salesforce)
│
│ 1. User requests access
│
│ 2. SP → User: "Redirect to IdP for auth" (SAML AuthRequest)
│
User → IdP (e.g., Okta/Azure AD)
│
│ 3. User authenticates at IdP
│
│ 4. IdP → User: SAML Response (signed XML)
│
User → SP
│
│ 5. SP validates SAML signature, creates session
│
▼
User is logged in to SP (SSO complete)
SAML Components
| Component | Description |
|---|---|
| IdP (Identity Provider) | Authenticates users, issues SAML assertions (Okta, Azure AD, Keycloak) |
| SP (Service Provider) | Application that trusts the IdP (Salesforce, Slack, Jira) |
| SAML Assertion | XML document containing authentication/authorization claims |
| SAML Response | Signed assertion sent from IdP to SP |
| SAML Request (AuthnRequest) | SP's request for authentication |
| Metadata | XML configuration describing IdP/SP endpoints and certificates |
| SSO URL | IdP endpoint for authentication |
| ACS URL | Assertion Consumer Service URL (where the SP receives the SAML Response) |
SAML Assertion Example (Simplified)
```xml
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml2:Issuer>https://idp.example.com</saml2:Issuer>
  <!-- XML-DSig signature over the assertion; the SP must verify it before trusting any claim below -->
  <ds:Signature>...</ds:Signature>
  <saml2:Subject>
    <saml2:NameID>user@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AuthnStatement>
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>
        urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      </saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email">
      <saml2:AttributeValue>user@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="role">
      <saml2:AttributeValue>admin</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
```
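The checks an SP applies to a received assertion in step 5 of the flow, shown as an added example that is not part of the original page: signature presence, Issuer, Conditions (validity window and Audience) and the AuthnContext class used to assert MFA. The sample assertion is the page's own with a constructed Conditions element added; the MFA class list and the expected issuer/audience URLs are assumptions, and XML-DSig verification itself is delegated to a library such as python3-saml or xmlsec rather than implemented here.

```python
# Added example (not from the original page): SP-side checks on a received assertion in
# step 5 of the flow. Signature presence, Issuer, Conditions and the AuthnContext class are
# checked; XML-DSig verification is left to a library such as python3-saml / xmlsec.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml in production (entity expansion, XXE)
NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
MFA_CONTEXTS = {"urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",  # assumed SP policy:
                "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"}             # AC classes treated as MFA
# Constructed sample: the page's assertion plus a Conditions element and a signature stub.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml2:Issuer>https://idp.example.com</saml2:Issuer>
  <ds:Signature><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
  <saml2:Subject><saml2:NameID>user@example.com</saml2:NameID></saml2:Subject>
  <saml2:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml2:AudienceRestriction><saml2:Audience>https://sp.example.com</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement><saml2:AuthnContext><saml2:AuthnContextClassRef>
    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
  </saml2:AuthnContext></saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email"><saml2:AttributeValue>user@example.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="role"><saml2:AttributeValue>admin</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

def parse_ts(value):  # SAML timestamps are UTC xs:dateTime values
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_issuer, expected_audience, now, mfa_required=False):
    """Return (claims, problems); the SP may act on claims only when problems is empty."""
    a = ET.fromstring(xml_text)
    problems = []
    if a.find("ds:Signature", NS) is None:  # never accept an unsigned assertion
        problems.append("unsigned assertion")
    if a.findtext("saml2:Issuer", namespaces=NS) != expected_issuer:
        problems.append("unexpected issuer")
    cond = a.find("saml2:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        problems.append("outside validity window")  # rejects stale or replayed responses
    audiences = [] if cond is None else [e.text for e in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience mismatch")  # assertion was issued for a different SP
    ctx = (a.findtext("saml2:AuthnStatement/saml2:AuthnContext/saml2:AuthnContextClassRef", namespaces=NS) or "").strip()
    if mfa_required and ctx not in MFA_CONTEXTS:
        problems.append("MFA not asserted")
    claims = {"name_id": a.findtext("saml2:Subject/saml2:NameID", namespaces=NS), "authn_context": ctx,
              "attributes": {e.get("Name"): e.findtext("saml2:AttributeValue", namespaces=NS)
                             for e in a.findall("saml2:AttributeStatement/saml2:Attribute", NS)}}
    return claims, problems
```

Only after these checks and a successful XML-DSig verification should the SP map the `role` attribute to local authorization and create a session.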
SAML vs OAuth 2.0 vs OIDC
| Feature | SAML | OAuth 2.0 | OIDC |
|---|---|---|---|
| Purpose | Authentication | Authorization | Authentication |
| Format | XML | JWT | JWT |
| SSO | Yes | No (by itself) | Yes |
| Use case | Enterprise SSO | API access | Modern web/mobile |
| Complexity | High (XML, signatures) | Moderate | Moderate |
| Adoption | Enterprise, legacy | APIs, microservices | Modern apps |
| Standard | OASIS (2002) | IETF (2012) | OASIS (2014) |
SAML vs OIDC
| Aspect | SAML | OIDC |
|---|---|---|
| Protocol | XML-based | JSON-based (JWT) |
| Complexity | High | Low |
| Mobile support | Poor | Excellent |
| Enterprise | Dominant | Growing |
| Developer experience | Difficult | Easy |
| Backward compat | Legacy apps | Modern apps |
| IdP examples | Okta, Azure AD, ADFS | Okta, Auth0, Keycloak |
SAML in Infrastructure
| Component | SAML Role |
|---|---|
| IdP | Okta, Azure AD, Keycloak, OneLogin |
| SP | Salesforce, Slack, Jira, GitHub Enterprise |
| SSO | Single sign-on for enterprise apps |
| Federation | Cross-organization identity sharing |
| MFA | SAML assertions include MFA status |
SAML Limitations
- XML complexity: Hard to implement correctly
- Browser-dependent: Relies on HTTP redirects and form POSTs
- No mobile support: Designed for web browsers
- Certificate management: SP/IdP certificate rotation is manual
- Debugging: Difficult to troubleshoot SAML errors
- Not for APIs: Use OAuth 2.0/OIDC for API access
Related Terms
- OAuth — OAuth handles authorization; SAML handles authentication
- OIDC — OpenID Connect is the modern replacement for SAML
- SSO — SAML is the primary SSO protocol for enterprises
- PKI — SAML is part of identity and access management
- MFA — SAML can assert MFA was completed