Our Security Wiki.
Knowledge is power.

What is Security Assertion Markup Language (SAML)?

Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider (IdP) and a service provider (SP). SAML is primarily used for single sign-on (SSO) and web-based authentication in a secure and standardized way.

Here’s how SAML works:

  1. Identity Provider (IdP). The IdP is responsible for authenticating users and providing information about them in the form of SAML assertions. These assertions contain information like the user’s identity and any attributes or permissions related to the user.
  2. Service Provider (SP). The SP is the web application or service that the user wants to access. It relies on the IdP for user authentication and authorization.
  3. User Request. When a user attempts to access a resource on the SP, they are redirected to the IdP for authentication.
  4. Authentication. The IdP authenticates the user using his or her credentials (e.g., username and password) or another method (e.g., multi-factor authentication).
  5. SAML Assertion. After successful authentication, the IdP generates a SAML assertion, which is an XML document containing information about the user, and digitally signs it.
  6. SAML Response. The IdP wraps the signed assertion in a SAML Response and sends it back to the user’s browser, which in turn forwards it to the SP.
  7. SP Verification. The SP receives the SAML assertion, verifies its authenticity by checking the digital signature, and then uses the information in the assertion to make an access control decision. If the user is authorized, they are granted access to the requested resource.

SAML provides a standardized way for different applications and organizations to enable SSO, ensuring that a user only needs to log in once to access multiple services securely. This helps reduce the burden of remembering multiple usernames and passwords, simplifies user management, and enhances security.

It’s important to note that SAML is one of several protocols for achieving SSO, and more recent protocols like OpenID Connect and OAuth 2.0 have gained popularity in modern web applications. However, SAML is still widely used, particularly in enterprise environments and legacy systems that rely on XML-based technologies.

FAQs

  • What is SAML used for?

    SAML is used for enabling Single Sign-On (SSO) and secure authentication and authorization between identity providers (IdPs) and service providers (SPs) in web applications and services.

  • How does SAML work in a nutshell?

    SAML works by having the identity provider authenticate users and issue SAML assertions, which are then passed to the service provider to grant or deny access to specific resources.

  • What is the difference between SAML and OAuth?

    SAML is primarily used for authentication and SSO, while OAuth is an authorization framework used for granting access to resources. They can be used together in some scenarios, with OAuth handling resource access and SAML handling user authentication.

  • What are the main components of a SAML-based system?

    A SAML-based system typically includes an identity provider (IdP), a service provider (SP), and a user. The IdP authenticates the user, generates SAML assertions, and the SP consumes these assertions to make access control decisions.

  • Is SAML a protocol or a standard?

    SAML is both a protocol and a set of XML-based standards. It defines how information is exchanged between IdPs and SPs and provides a standardized way of representing and exchanging security information.

  • Can SAML be used for mobile applications and APIs?

    Yes, SAML can be used for mobile applications and APIs, but it’s more commonly used for web-based applications. For mobile apps and APIs, other protocols like OAuth 2.0 and OpenID Connect are often preferred.