Security Assertion Markup Language (SAML) is an open standard that allows secure exchange of authentication and authorization data between parties—primarily between an identity provider (IdP) and a service provider (SP).
In simple terms, SAML enables Single Sign-On (SSO). That means users can log in once (to the identity provider) and then gain access to multiple systems or applications (the service providers) without logging in again.
🔧 How SAML Works
The SAML process typically involves three main components:
- User (Principal): The person who needs access to a service.
- Identity Provider (IdP): The system that verifies the user’s identity (e.g., Okta, Azure AD).
- Service Provider (SP): The application or website the user wants to access (e.g., Salesforce, Google Workspace).
🔁 A Basic SAML Flow:
- The user tries to access a protected resource on the service provider.
- The service provider redirects the user to the identity provider for authentication.
- The identity provider authenticates the user and returns a SAML response containing a signed SAML assertion (an XML-based message) to the service provider, passed through the user's browser.
- The service provider grants access based on the SAML assertion.
📦 What is a SAML Assertion?
A SAML assertion is a digitally signed XML document that contains the user’s identity and authorization info. The service provider must validate that signature, together with the issuer, the intended audience and the validity window, before trusting anything inside it. It typically includes:
- Authentication statement: Confirms the user’s identity.
- Attribute statement: Provides user details like email or role.
- Authorization decision statement (optional): States what the user is allowed to do.
✅ Why SAML Matters
- 🔐 Security: Credentials are only entered at the identity provider. The SP never sees your password.
- ⚙️ Efficiency: Users log in once and get access to many apps.
- 📊 Compliance: Helps organizations meet access control and audit requirements.
- 🌐 Interoperability: It’s a widely supported standard across enterprise systems.
🚫 SAML vs Other Protocols
| Feature | SAML | OAuth 2.0 / OIDC |
|---|---|---|
| Use Case | Enterprise SSO (B2B) | Web/mobile auth (B2C) |
| Token Format | XML (assertion) | JSON (JWT) |
| Flow Type | Browser-based | API/token-based |
| Common With | Okta, Azure AD, Google SSO | Google, Facebook, APIs |
🧠 Final Thoughts
SAML remains a cornerstone of enterprise identity federation and secure Single Sign-On. While newer protocols like OpenID Connect and OAuth 2.0 are popular in modern web and mobile apps, SAML is still widely used in government, education, and enterprise environments.
If you’re managing identity and access in your org, understanding SAML is essential. It bridges security, usability, and scalability—making it a key part of any IAM strategy.