Skip to content

Identity term · last reviewed 2026-07-07

SAML

Also known as: Security Assertion Markup Language, SAML 2.0

SAML (Security Assertion Markup Language) is an XML-based standard for exchanging signed authentication and authorization data between an identity provider and a service provider, and it is the incumbent protocol for enterprise single sign-on.

How it works

SAML (Security Assertion Markup Language) 2.0 is an XML-based standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). The IdP authenticates the user and issues a digitally signed XML document called an assertion; the SP validates the signature against pre-exchanged metadata and starts a session. The common web pattern is the SP-initiated flow with HTTP POST binding: the app redirects to the IdP, the IdP posts a signed assertion back to the app's Assertion Consumer Service (ACS) URL. It was ratified by OASIS in 2005.

When it matters

SAML matters the moment you sell to enterprises. Corporate IT already runs SAML through providers like Okta, Microsoft Entra ID, and Ping, so a B2B security review will ask whether you support it by name. It remains the default for workforce single sign-on into SaaS applications, even though OIDC is the more modern protocol. If you are adding enterprise SSO, support SAML first. See Add SSO to Your B2B SaaS.

Common misconceptions

  • "SAML is obsolete." It is verbose and dated, but it dominates enterprise IT and is not going away. The risk is in implementation, not the standard.
  • "SAML and OAuth do the same thing." No. SAML is federation (authentication plus attributes); OAuth is delegated authorization. See OAuth 2.0 vs OIDC vs SAML.
  • "XML signatures are safe by default." Signature-wrapping attacks are a documented class of SAML vulnerability. Use a maintained library, never hand-roll validation.
← All terms