/ˈsæm-əl/

n. “Speak once, be heard everywhere.”

SAML, short for Security Assertion Markup Language, is an open standard for exchanging authentication and authorization data between parties, specifically between an identity provider (IdP) and a service provider (SP). Its core purpose is to enable Single Sign-On (SSO) across different domains securely and efficiently.

At its essence, SAML defines a set of XML-based assertions that convey information about a user’s identity and entitlements. When a user attempts to access a service, the service redirects the user to the IdP. After authenticating, the IdP sends back a digitally signed SAML assertion. The service provider consumes this assertion to grant or deny access without requiring the user to re-enter credentials.

SAML is particularly prevalent in enterprise environments, educational institutions, and cloud services. Its adoption allows organizations to maintain centralized identity management, enforce consistent authentication policies, and streamline onboarding and offboarding. By consolidating authentication through an IdP, administrators can reduce password fatigue and enhance security monitoring.

A typical SAML flow involves three key roles: the principal (user), the identity provider, and the service provider. The principal requests access to a service; the IdP authenticates the principal and issues a signed assertion. The service provider verifies the assertion and grants access. This workflow eliminates repeated logins while maintaining strong cryptographic assurance of identity and integrity.

SAML is often compared to OAuth and OpenID Connect, but it differs in that it is primarily designed for enterprise SSO and federated identity scenarios rather than delegated authorization for APIs. Its XML-based design makes it verbose but highly expressive, supporting complex attribute statements and role-based access control.

Security considerations are critical. SAML assertions must be digitally signed, and the service provider must actually verify that signature, to prevent tampering; transport over HTTPS protects the assertion in transit. Misconfigured trust relationships, expired assertions that are still accepted, or replay of a previously issued assertion can compromise trust if not mitigated. Organizations often pair SAML with strong identity verification, multifactor authentication, and strict session management.
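The service-provider side of the flow and the checks just listed, as an added example that is not code from the original entry: a small Python validator that takes a SAML 2.0 Response and enforces what an SP must check before trusting it (the signature is bound to this Assertion, the issuer is the expected IdP, the validity window, the audience, the InResponseTo/Recipient binding to our own request, and replay of an already-seen assertion ID). It assumes the XML-DSig signature itself has already been cryptographically verified by an XML-signature library such as signxml or xmlsec, which is not called here; the sample Response, its URLs, IDs and placeholder SignatureValue are constructed for the example.

```python
"""SP-side validation of a SAML 2.0 Response (added example, standard library only).

Assumption: the XML-DSig over the Assertion has already been verified with an
XML-signature library (e.g. signxml or xmlsec). This code covers the checks
such libraries leave to the application.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET  # for untrusted XML, defusedxml is the safer drop-in (assumption)
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


class SamlValidationError(ValueError):
    """Raised when the assertion fails any SP-side check."""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class ReplayCache:
    """Remembers assertion IDs until they could no longer be valid anyway."""

    def __init__(self) -> None:
        self._seen: dict[str, datetime] = {}

    def check_and_store(self, assertion_id: str, expires: datetime, now: datetime) -> None:
        self._seen = {k: v for k, v in self._seen.items() if v > now}  # drop entries past their window
        if assertion_id in self._seen:
            raise SamlValidationError(f"replayed assertion {assertion_id}")
        self._seen[assertion_id] = expires


def validate_assertion(response_xml: str, *, expected_issuer: str, expected_audience: str,
                       acs_url: str, request_id: str, replay_cache: ReplayCache,
                       now: datetime, skew: timedelta = timedelta(seconds=60)) -> dict:
    """Return the subject and attributes of the single Assertion, or raise SamlValidationError."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one Assertion")
    a = assertions[0]
    assertion_id = a.get("ID")
    if not assertion_id:
        raise SamlValidationError("Assertion has no ID")
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise SamlValidationError("unexpected Issuer")
    # The Signature must be a direct child of the Assertion and its Reference must point at this ID,
    # so the element we consume is the element that was signed.
    sig = a.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    if ref is None or ref.get("URI") != f"#{assertion_id}":
        raise SamlValidationError("Signature does not cover this Assertion")
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise SamlValidationError("Conditions with NotBefore/NotOnOrAfter required")  # this SP demands both
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if now + skew < not_before:
        raise SamlValidationError("assertion not yet valid")
    if now - skew >= not_on_or_after:
        raise SamlValidationError("assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise SamlValidationError("assertion not intended for this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != request_id or scd.get("Recipient") != acs_url:
        raise SamlValidationError("SubjectConfirmationData does not match our AuthnRequest")
    replay_cache.check_and_store(assertion_id, not_on_or_after + skew, now)
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}


# Constructed sample: URLs, IDs and the SignatureValue are placeholders, not real IdP output.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Assertion ID="_a1b2c3" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_a1b2c3"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req-123" Recipient="https://sp.example.com/acs"
            NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

SP_CONFIG = dict(expected_issuer="https://idp.example.com/metadata",
                 expected_audience="https://sp.example.com/metadata",
                 acs_url="https://sp.example.com/acs", request_id="_req-123")
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    cache = ReplayCache()
    print(validate_assertion(SAMPLE_RESPONSE, replay_cache=cache, now=NOW, **SP_CONFIG))
    try:  # presenting the same assertion again is rejected as a replay
        validate_assertion(SAMPLE_RESPONSE, replay_cache=cache, now=NOW, **SP_CONFIG)
    except SamlValidationError as exc:
        print("rejected:", exc)
```

The `skew` parameter absorbs small clock differences between IdP and SP; the replay cache keeps an ID only until its NotOnOrAfter plus that skew has passed, after which the validity window itself rejects the assertion, so the cache stays bounded.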

In practical terms, SAML allows a user to log into a corporate portal once and gain access to multiple applications—email, HR tools, file storage, and collaboration platforms—without repeated logins. Developers can integrate SAML to provide seamless SSO for web applications, reducing friction and centralizing security.

SAML has been around since the early 2000s and remains a cornerstone of federated identity management. Despite newer protocols like OpenID Connect gaining popularity for modern cloud-native apps, SAML continues to power millions of enterprise logins worldwide, offering a balance of interoperability, security, and centralized identity control.