What is SAML?

Introduction

Security Assertion Markup Language (SAML) is an XML-based standard that allows users to sign in once and access multiple applications without re-entering their credentials each time. By enabling browser-based single sign-on (SSO), SAML both simplifies the login experience for users and centralizes authentication through a small set of trusted Identity Providers (IdPs).

First released in 2002, SAML gained early traction in enterprise environments and government systems. Over time, it became the dominant SSO protocol for web applications. However, beginning in the mid-2010s, OpenID Connect (OIDC) overtook SAML as the more modern and widely used SSO protocol. Although SAML remains stable and secure, organizations now use it primarily for legacy systems and enterprise-only applications, as OIDC offers broader platform support and more modern security capabilities.

How Does SAML Work?

When a user attempts to access a protected resource from a service provider (usually a web application), the service provider first redirects the user’s browser to an IdP such as Google, Okta, or Microsoft Active Directory. At the IdP, the user authenticates with their credentials.

After successful authentication, the IdP generates a signed SAML assertion. This assertion includes details about the authenticated user, such as their identity, the time and method of authentication, and associated attributes like email address, username, or department.

Next, the user’s browser sends the SAML assertion back to the service provider. Upon receiving it, the service provider validates the assertion’s signature. Once verified, the service provider establishes a session and grants the user access to the requested application.

Upsides of SAML

  • Tested and proven to be stable for over 20 years
  • Strong support from enterprise IdPs (Okta, Azure AD, Shibboleth)
  • Passwords stay centralized
  • Simple security model without the need to manage tokens

Downsides of SAML

  • XML is difficult to read and metadata XML exchanges can be error-prone
  • Strictly browser-centric without native support for mobile apps or APIs
  • Rarely used aside from enterprise applications, and mostly maintained for compatibility reasons
  • Missing modern security features like revocation or introspection
    • Revocation: the ability to invalidate access before the assertion naturally expires
    • Introspection: the ability for a system to ask the IdP if an assertion is still valid
