Security Assertion Markup Language
SAML.
An XML-based open standard for exchanging authentication and authorization data between identity providers and service providers. It has the dominant install base in enterprise SSO.
SAML predates OAuth and OIDC as an enterprise federation standard and remains the protocol most commonly named in B2B SaaS security questionnaires. Production B2B SaaS in 2026 supports both SAML and OIDC at the per-Organization level, letting each customer configure its IdP with whichever protocol that IdP is set up for.
Common questions
Is SAML still used in 2026?
Yes, heavily, in enterprise SSO. SAML 2.0 has been stable since 2005 and is entrenched in large organizations' identity providers, so any product selling upmarket still needs it. New consumer and developer-facing integrations lean toward OIDC, but SAML is not going away on the enterprise side.
What is the difference between SAML and OIDC?
Both federate authentication, but SAML is XML-based and built for browser-based enterprise SSO, while OIDC is JSON- and REST-based and built on OAuth 2.0 for web, mobile, and SPA flows. OIDC is simpler to implement and better for modern clients; SAML has the larger enterprise install base. Support both if you sell to enterprises.
Can a CIAM support both SAML and OIDC?
Yes, and a B2B CIAM should. Mature platforms let each customer organization configure its own connection, choosing SAML or OIDC based on what its identity provider supports, while your application code stays protocol-agnostic behind the CIAM.
In the guides
B2B SaaS Identity: Organizations, SSO, SCIM, and the Enterprise Sales Checklist
How to design B2B SaaS identity: Organizations, Enterprise SSO with SAML and OIDC, SCIM provisioning, audit logs, and the IT-admin features that close enterprise deals.
Enterprise SSO: SAML vs OIDC, and How to Pick
SAML and OIDC are the two protocols that dominate enterprise SSO. A practical comparison, when each is the right answer, and the IdP-side considerations that determine the choice.