Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1078

SAML

Reviewed by Cybersecurity entrepreneur & security researcher

What is SAML?

SAML: An XML-based open standard for exchanging authentication and authorization assertions between an identity provider and a service provider.


SAML (Security Assertion Markup Language) defines how a trusted identity provider (IdP) issues signed XML assertions about a user's identity and attributes to a service provider (SP), enabling web single sign-on across security domains. The current and most widely used version, SAML 2.0, carries these messages over the HTTP Redirect and HTTP POST bindings: the SP sends an AuthnRequest, the IdP returns a Response, and the SP must validate the assertion it carries before creating a session. That means verifying the XML signature against the IdP's known certificate, then checking the Issuer, the AudienceRestriction, the NotBefore/NotOnOrAfter window (with a small clock-skew allowance), and, for SP-initiated flows, the InResponseTo and Recipient values, and rejecting any assertion ID it has already consumed. SAML remains dominant in enterprise SSO because of its rich attribute model and mature tooling, but it is verbose, awkward for mobile apps and APIs, and its XML processing is a recurring source of implementation flaws: XML signature wrapping (consuming an assertion other than the one the signature covers), accepting unsigned assertions, missing audience or recipient checks, and XML external entity (XXE) injection in the parser. For new integrations OpenID Connect is often preferred.
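The SP-side checks described above, as an added example that is not code from this glossary or from any IdP or SP product. It parses a constructed SAML 2.0 Response and enforces what a service provider must verify after (not instead of) XML-DSig verification: that the assertion it consumes is the one the signature covers (the signature-wrapping defence), and that Issuer, Audience, Recipient, InResponseTo, the validity window and replay are all checked. The cryptographic signature check is injected as the `verify_signature` callable; a real deployment would pass a verifier backed by a library such as xmlsec or signxml, while the `fixture_verify` here only accepts the constructed placeholder SignatureValue so the example runs offline. All entity IDs, URLs, request IDs and the XML fixtures are assumptions constructed for the example.

```python
"""SP-side validation of a SAML 2.0 Response (added example, not from the page).
A valid signature on *some* assertion proves nothing about the assertion you then
consume; these checks bind the signed assertion to this SP, this request, and now."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # production: defusedxml, DTDs/external entities disabled

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class SamlError(Exception):
    """Any validation failure; the message is for the SP's logs, not the browser."""


def _time(value):  # xsd:dateTime in UTC, e.g. "2026-01-01T12:05:00Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, *, expected_issuer, expected_audience, expected_acs_url,
                      expected_in_response_to, now, seen_assertion_ids, verify_signature,
                      skew=timedelta(seconds=120)):
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlError("status is not Success")
    # SP-initiated flow: the response must answer the AuthnRequest this SP issued.
    if root.get("InResponseTo") != expected_in_response_to:
        raise SamlError("InResponseTo does not match an outstanding request")
    # Wrapping defence 1: exactly one Assertion in the whole document, directly under Response.
    # (EncryptedAssertion is out of scope for this example.)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1 or assertions[0] not in list(root):
        raise SamlError("expected exactly one top-level Assertion")
    assertion = assertions[0]
    assertion_id = assertion.get("ID")
    # Wrapping defence 2: the enveloped signature's single Reference must name *this* assertion.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        raise SamlError("assertion is not signed")
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if not assertion_id or len(refs) != 1 or refs[0].get("URI") != "#" + assertion_id:
        raise SamlError("signature Reference does not cover this assertion")
    if not verify_signature(sig, assertion):  # xmlsec/signxml in production
        raise SamlError("signature verification failed")
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise SamlError("assertion issued by an untrusted IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlError("missing Conditions")
    if cond.get("NotBefore") and now + skew < _time(cond.get("NotBefore")):
        raise SamlError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - skew >= _time(cond.get("NotOnOrAfter")):
        raise SamlError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise SamlError("assertion not addressed to this SP (Audience)")
    # Bearer confirmation binds the assertion to this ACS URL and this request.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("Recipient") not in (None, expected_acs_url):
            raise SamlError("SubjectConfirmationData Recipient mismatch")
        if scd.get("InResponseTo") not in (None, expected_in_response_to):
            raise SamlError("SubjectConfirmationData InResponseTo mismatch")
        if scd.get("NotOnOrAfter") and now - skew >= _time(scd.get("NotOnOrAfter")):
            raise SamlError("subject confirmation expired")
    # Replay: each assertion ID is consumed once (keep IDs until their NotOnOrAfter passes).
    if assertion_id in seen_assertion_ids:
        raise SamlError("assertion replayed")
    seen_assertion_ids.add(assertion_id)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attrs, "assertion_id": assertion_id}


# Constructed fixtures (assumed entity IDs; not captured from any IdP). SignatureValue is a placeholder.
IDP, SP, ACS = "https://idp.example.com/metadata", "https://sp.example.com/metadata", "https://sp.example.com/saml/acs"
SIGNED_ASSERTION = f"""<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2026-01-01T12:00:00Z">
 <saml:Issuer>{IDP}</saml:Issuer>
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
  <ds:SignatureValue>FIXTURE-SIG</ds:SignatureValue></ds:Signature>
 <saml:Subject><saml:NameID>alice@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
  <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="{ACS}" NotOnOrAfter="2026-01-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2026-01-01T11:59:00Z" NotOnOrAfter="2026-01-01T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>{SP}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="groups"><saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""


def response(body):
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0"
 IssueInstant="2026-01-01T12:00:00Z" InResponseTo="_req42"><saml:Issuer>{IDP}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>{body}</samlp:Response>"""


GOOD_RESPONSE = response(SIGNED_ASSERTION)
# Signature wrapping: a forged, unsigned assertion sits where a naive SP reads the first Assertion,
# while the genuine signed one (still verifiable, Reference "#_a1") is tucked into its Advice element.
WRAPPED_RESPONSE = response(f"""<saml:Assertion ID="_evil" Version="2.0" IssueInstant="2026-01-01T12:00:00Z">
 <saml:Issuer>{IDP}</saml:Issuer><saml:Subject><saml:NameID>admin@example.com</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2026-01-01T11:59:00Z" NotOnOrAfter="2026-01-01T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>{SP}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:Advice>{SIGNED_ASSERTION}</saml:Advice></saml:Assertion>""")
NOW = datetime(2026, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
LATER = datetime(2026, 1, 1, 12, 10, 0, tzinfo=timezone.utc)  # past NotOnOrAfter plus skew


def fixture_verify(signature_el, signed_el):
    # Stand-in for xmlsec/signxml: accepts only the constructed placeholder value.
    return signature_el.findtext("ds:SignatureValue", namespaces=NS) == "FIXTURE-SIG"


def check(xml_text, now=NOW, seen=None, audience=SP):
    return validate_response(xml_text, expected_issuer=IDP, expected_audience=audience, expected_acs_url=ACS,
                             expected_in_response_to="_req42", now=now, verify_signature=fixture_verify,
                             seen_assertion_ids=seen if seen is not None else set())
```

`check(GOOD_RESPONSE)` returns Alice's NameID and attributes; `check(WRAPPED_RESPONSE)` fails on the assertion count before any signature is even looked at, which is the point: an SP that verifies the first `ds:Signature` it finds and then reads the first `saml:Assertion` it finds would have logged in `admin@example.com`. Reusing the same response a second time, presenting it to a different audience, or presenting it after the validity window each raise a distinct `SamlError`.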

Examples

  1. An enterprise IdP issuing a SAML assertion so users can sign in to Salesforce.

  2. A service provider validating a signed SAML Response, and the assertion it carries, from Microsoft Entra ID.

Frequently asked questions

What is SAML?

An XML-based open standard for exchanging authentication and authorization assertions between an identity provider and a service provider. It belongs to the Identity & Access category of cybersecurity.

What does SAML mean?

An XML-based open standard for exchanging authentication and authorization assertions between an identity provider and a service provider.

How do you secure SAML?

Securing a SAML integration is mostly about what the service provider verifies. Reject unsigned assertions and accept signatures only from the IdP's known certificate; consume only the assertion element the signature actually covers, and reject responses that contain more than one assertion; check Issuer, AudienceRestriction, Recipient, InResponseTo and the NotBefore/NotOnOrAfter window, allowing a small clock skew; record consumed assertion IDs to block replay; parse XML with DTDs and external entities disabled; and serve the assertion consumer endpoint only over HTTPS. Operationally, rotate IdP signing certificates through metadata rather than manual copies, and alert on failed assertion validation.

What are other names for SAML?

Common alternative names include: SAML 2.0, Security Assertion Markup Language.
