Introduction
SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties, specifically between an Identity Provider (IdP) and a Service Provider (SP). SAML uses XML-based messages to convey security assertions -- statements about a user's identity, attributes, and permissions -- enabling Single Sign-On (SSO) across different web applications and organizational boundaries.
Before SAML, users in enterprise environments had to maintain separate credentials for each application. An employee might need different usernames and passwords for email, HR systems, project management tools, and cloud applications. This created password fatigue, increased help desk calls, and multiplied the attack surface. SAML solves this by allowing users to authenticate once with their organization's Identity Provider and then access multiple Service Providers without re-entering credentials.
SAML is primarily used in enterprise and government environments for workforce identity. It is the dominant SSO protocol for applications like Salesforce, Workday, ServiceNow, AWS, Google Workspace, and thousands of other SaaS products. SAML 2.0, released in 2005, remains the current version and is supported by virtually every enterprise identity platform.
"SAML is the duct tape of enterprise identity. It is not elegant, but it works, it is everywhere, and it has been battle-tested for twenty years." -- Vittorio Bertocci, former Principal Architect at Auth0
History and Versions
SAML was developed by the OASIS (Organization for the Advancement of Structured Information Standards) Security Services Technical Committee. It was the first widely adopted standard for federated identity on the web.
| Version | Year | Key Features | Status |
|---|---|---|---|
| SAML 1.0 | 2002 | Basic assertions, browser/artifact profiles | Obsolete |
| SAML 1.1 | 2003 | Minor corrections and clarifications | Obsolete |
| SAML 2.0 | 2005 | Merged SAML 1.1, Shibboleth, and Liberty Alliance ID-FF; comprehensive SSO standard | Current standard |
SAML 2.0 was a major revision that unified three competing federation specifications: SAML 1.1, the Shibboleth project (from the academic/research community), and the Liberty Alliance ID-FF (from the telecommunications industry). This convergence established SAML 2.0 as the universal enterprise SSO standard.
Core Concepts
Identity Provider vs. Service Provider
SAML defines two primary roles in the authentication process:
| Role | Responsibility | Examples |
|---|---|---|
| Identity Provider (IdP) | Authenticates users and issues SAML assertions. Maintains the user directory and authentication mechanisms. | Okta, Azure AD (Entra ID), ADFS, OneLogin, Ping Identity, Shibboleth IdP |
| Service Provider (SP) | Provides the application or service. Relies on the IdP for authentication. Consumes SAML assertions. | Salesforce, AWS, Google Workspace, Workday, ServiceNow, custom web apps |
The IdP and SP establish a trust relationship before SSO can function. This involves exchanging SAML metadata -- XML documents containing each party's entity ID, endpoints, certificates, and supported bindings. The SP trusts the IdP to properly authenticate users, and the IdP trusts the SP to be a legitimate relying party.
SAML Assertions
A SAML assertion is an XML document issued by the IdP that contains statements about a subject (typically a user). There are three types of statements:
- Authentication Statement: Declares that the subject was authenticated by the IdP at a specific time using a specific method (e.g., password, multi-factor, certificate). This is the core of SSO.
- Attribute Statement: Provides attributes about the subject -- email address, name, group memberships, role, department, or any custom attribute the SP needs for authorization or personalization.
- Authorization Decision Statement: Declares whether the subject is permitted or denied access to a specific resource. Rarely used in practice; authorization is typically handled by the SP based on attributes.
Protocols and Bindings
SAML separates the logical protocol (what messages are exchanged) from the bindings (how messages are transported):
SAML Protocols define request-response message pairs:
- Authentication Request Protocol: SP requests the IdP to authenticate a user (AuthnRequest)
- Single Logout Protocol: Coordinated logout across all SPs
- Artifact Resolution Protocol: Resolve small tokens (artifacts) into full SAML messages
- Name Identifier Management Protocol: Change the identifier used for a user
SAML Bindings define transport mechanisms:
| Binding | Transport | Mechanism | Common Use |
|---|---|---|---|
| HTTP Redirect | Browser redirect | SAML message encoded in URL query string (deflate + base64) | AuthnRequest (small messages) |
| HTTP POST | Browser form post | SAML message in hidden form field (base64) | SAML Response/Assertion (large messages) |
| HTTP Artifact | Back-channel | Small reference token sent via browser; IdP/SP resolve it directly | When assertion must not pass through browser |
| SOAP | Back-channel | Direct SOAP call between IdP and SP | Artifact resolution, attribute queries |
SSO Authentication Flow
The most common SAML SSO flow is the SP-Initiated SSO with HTTP POST binding:
- The user attempts to access a protected resource on the Service Provider
- The SP determines the user is not authenticated and generates a SAML AuthnRequest
- The SP redirects the user's browser to the Identity Provider's SSO endpoint, carrying the AuthnRequest (typically via HTTP Redirect binding)
- The IdP receives the AuthnRequest and authenticates the user (login page, MFA, or existing session)
- The IdP constructs a SAML Response containing one or more assertions with authentication and attribute statements
- The IdP digitally signs the response and/or assertion using its private key
- The IdP sends the SAML Response to the user's browser via an auto-submitting HTML form (HTTP POST binding) targeting the SP's Assertion Consumer Service (ACS) URL
- The SP receives the response, validates the XML signature using the IdP's certificate, checks conditions (audience, timestam