SAML
SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). It is the dominant federation protocol in enterprise SSO, where employees authenticate once at a corporate IdP and access many third-party applications.
How it works
In the common SP-initiated flow, a user attempting to access an SP is redirected by the SP to the IdP with a SAML AuthnRequest. The IdP authenticates the user (using whatever local mechanism it has, such as a password, MFA or Kerberos) and returns a SAML Response, carrying a digitally signed assertion, to the SP's Assertion Consumer Service (ACS) URL through the user's browser, usually as an HTTP POST. The SP verifies the XML signature against the IdP signing certificate it obtained from IdP metadata, then checks that the assertion is addressed to it (Audience, Destination and Recipient), is inside its validity window (NotBefore and NotOnOrAfter), and answers a request the SP actually issued (InResponseTo), before extracting the user identity (NameID) and any attributes. From that point, the SP creates its own local session; the assertion is not presented again. In an IdP-initiated flow the IdP sends an unsolicited Response without a preceding AuthnRequest, so the InResponseTo check does not apply there.
SAML vs OIDC
- SAML is XML-based, relies on XML signatures, is browser-mediated, and is dominant in B2B enterprise SSO.
- OIDC is JSON-based (identity claims carried in a signed JWT on top of OAuth 2.0), works for browsers, native apps, and APIs, and is dominant in consumer and modern application stacks.
- Most modern identity platforms support both for compatibility.