Start with Identity
Standard · stable

SAML 2.0

OASIS SAML v2.0 · OASIS · OASIS Standard (2005); still widely deployed · Official spec ↗

What it is

SAML 2.0 (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization assertions between an identity provider and a service provider. It has powered enterprise web single sign-on since 2005, and if you sell to enterprises you will be asked to support it because that is what their identity providers speak.

How it works

The identity provider (IdP) authenticates the user and issues a signed XML assertion to the service provider (SP), which trusts it and grants access.

  • Assertion: a signed XML document stating who the user is and when they authenticated.
  • SP-initiated vs IdP-initiated: the flow can start at the application or at the identity provider's portal.
  • Metadata: IdP and SP exchange metadata describing endpoints and signing keys.

Status

SAML 2.0 is a stable OASIS standard and remains deeply entrenched in enterprise IT. For new consumer, mobile, and API-centric apps, OpenID Connect is the better choice, but most enterprises still require SAML for workforce SSO, so platforms support both.

When to use it

When integrating with enterprise customers or established corporate identity providers. For greenfield modern apps, prefer OIDC.

Pitfalls

  • XML signature handling is historically error-prone; rely on a vetted library, never hand-roll validation.
  • Validate signatures, audience, and conditions; misconfigured SAML has produced serious authentication bypasses.
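The SP-side checks described under "How it works" and in the pitfalls above, as an added example that is not code from the page or from any SAML library. It parses a constructed sample assertion (the issuer, audience, NameID and signature value are placeholders) and enforces issuer, signature placement, audience and the NotBefore/NotOnOrAfter window. The actual XML-DSig cryptography is deliberately delegated to the `verify_signature` callback, which in a real SP must be a vetted library; everything else is the application-level validation the page says must not be skipped.

```python
"""Service-provider-side validation of a SAML 2.0 assertion (added example).

Shows the checks the page lists -- issuer, signature placement, audience and
time conditions -- and hands the XML-DSig cryptography to a vetted library via
the ``verify_signature`` callback. Not code from any real IdP/SP product.
"""
import datetime as dt
import xml.etree.ElementTree as ET  # stdlib for brevity; a real SP should use a hardened SAML library
from typing import Callable, Optional, Union

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample assertion: example.com hosts, placeholder ID and signature value.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1b2c3" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo><ds:Reference URI="#_a1b2c3"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _parse_utc(stamp: str) -> dt.datetime:
    """Parse a SAML xs:dateTime such as 2024-05-01T12:00:00Z into an aware UTC datetime."""
    value = dt.datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    if value.tzinfo is None:  # SAML timestamps are UTC; treat a bare stamp as UTC
        value = value.replace(tzinfo=dt.timezone.utc)
    return value.astimezone(dt.timezone.utc)


def validate_assertion(
    xml_text: str,
    expected_issuer: str,
    expected_audience: str,
    verify_signature: Callable[[str], bool],
    now: Union[str, dt.datetime],
    clock_skew_seconds: int = 60,
) -> str:
    """Return the asserted NameID, or raise ValueError naming the check that failed."""
    if isinstance(now, str):
        now = _parse_utc(now)
    skew = dt.timedelta(seconds=clock_skew_seconds)
    root = ET.fromstring(xml_text)

    if root.tag != f"{{{NS['saml']}}}Assertion" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 Assertion")

    # Issuer must be the IdP whose metadata (and therefore signing key) this SP trusts.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")

    # Exactly one enveloped signature, and it must reference this assertion's own ID,
    # so a signature over some other element cannot vouch for this one.
    signatures = root.findall("ds:Signature", NS)
    if len(signatures) != 1:
        raise ValueError("assertion must carry exactly one signature")
    ref = signatures[0].find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (root.get("ID") or ""):
        raise ValueError("signature does not reference this assertion")
    if not verify_signature(xml_text):  # vetted XML-DSig verification plugs in here
        raise ValueError("signature verification failed")

    # Time window per the SAML core spec: NotBefore is inclusive, NotOnOrAfter exclusive.
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("missing Conditions")
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + skew < _parse_utc(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after and now - skew >= _parse_utc(not_on_or_after):
        raise ValueError("assertion expired")

    # Audience: the assertion must be addressed to this SP specifically.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"audience {audiences!r} does not include this SP")

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("missing Subject/NameID")
    return name_id


def rejection_reason(*args, **kwargs) -> Optional[str]:
    """None if the assertion validates, otherwise the reason it was rejected."""
    try:
        validate_assertion(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None
```

The order of checks matters: the signature is verified before any field is trusted, and the signature's Reference must point at the assertion being consumed, since the conditions and audience are only meaningful if the signed bytes are the ones being read. Clock skew is applied symmetrically and kept small; a large tolerance quietly extends the assertion's lifetime.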

Related

Guide: SAML vs OIDC, SSO implementation. Glossary: SAML, federation.

Independent, community-driven reference. Always confirm details against the official specification linked above.