Authentication | 2026-06-20

What Is SAML and How Does Single Sign-On Work?

SAML is an XML standard that enables single sign-on between identity providers and apps. Learn how SAML works, what a SAML assertion is, and how it compares to OAuth.


SAML (Security Assertion Markup Language) is an XML-based standard that lets users log in once and access multiple applications — single sign-on (SSO). An identity provider authenticates the user and sends a signed XML assertion to the service provider, which trusts it and grants access without a separate login.

SAML is the backbone of enterprise SSO. Here's how it works.

The Problem SAML Solves

In a company with dozens of apps, you don't want a separate password for each. SAML centralizes authentication: you log in once to a trusted identity provider, and every connected app accepts that login. One set of credentials, one place to enforce policy, one place to deactivate a departing employee.

The Two Main Roles

  • Identity Provider (IdP) — authenticates users and issues assertions (e.g., Okta, Azure AD, Google Workspace).
  • Service Provider (SP) — the application the user wants to use (e.g., Salesforce, Slack, an internal app).

The IdP and SP establish trust ahead of time by exchanging metadata and signing certificates.

How the SAML SSO Flow Works

The common SP-initiated flow:

  1. You visit the app (SP) and try to access a protected page.
  2. The SP redirects your browser to the IdP with a SAML authentication request.
  3. You authenticate at the IdP (if not already logged in).
  4. The IdP returns a signed SAML response (containing an assertion) to your browser, which posts it back to the SP.
  5. The SP validates the signature and logs you in.

The SAML response is Base64-encoded (and often deflated) XML. Decode and inspect one with our SAML Decoder, and check signatures/conditions with the SAML Validator.

Inside a SAML Assertion

The assertion is the heart of SAML — the signed XML statement about the user:

<saml:Assertion>
  <saml:Subject>
    <saml:NameID>jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="..." NotOnOrAfter="..."/>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>

It carries three kinds of statements: authentication (how and when the user logged in), attribute (user details such as email and role), and authorization decision (whether the subject is permitted to access a given resource). The IdP's digital signature over the assertion is what lets the SP trust it — see What Is a Digital Certificate?
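To make steps 4 and 5 of the flow and the assertion fields above concrete, here is an added example (stdlib-only Python, not code from the original article) of the SP side: decode the POSTed Base64 response, pull the Subject, Conditions and attributes out of the assertion, and check the Conditions window, issuer and audience. The sample response, the entity IDs and the three-minute clock-skew allowance are constructed assumptions; XML-signature (XML-DSig) verification is not shown and must be done with a dedicated library before any of these fields are trusted.

```python
import base64
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree when parsing untrusted XML
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample of an IdP response; the ds:Signature element is omitted here.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_r1">
  <saml:Assertion Version="2.0" ID="_a1" IssueInstant="2026-06-20T10:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2026-06-20T09:59:00Z" NotOnOrAfter="2026-06-20T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()  # the SAMLResponse form field

def parse_ts(value):
    """Parse the xs:dateTime strings SAML uses (UTC, trailing Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_response(saml_response_b64):
    """Decode the POSTed SAMLResponse and extract the fields the SP decides on."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    cond = None if assertion is None else assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("response has no Assertion with Conditions")
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": cond.get("NotBefore"),
        "not_on_or_after": cond.get("NotOnOrAfter"),
        "audiences": [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)],
        "attributes": {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                       for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)},
    }

def check_conditions(info, sp_entity_id, trusted_idp, now, skew=timedelta(minutes=3)):
    """Return failed checks (empty list = accept). Run only after the XML signature verified."""
    checks = [
        (info["issuer"] != trusted_idp, "issuer is not the configured IdP"),
        (now + skew < parse_ts(info["not_before"]), "assertion not yet valid"),
        (now - skew >= parse_ts(info["not_on_or_after"]), "assertion expired"),
        (sp_entity_id not in info["audiences"], "audience does not name this SP"),
    ]
    return [msg for failed, msg in checks if failed]
```

Rejecting on any non-empty result from check_conditions is what stops a replayed or redirected assertion from logging someone in after its window closes or at an SP it was never issued for.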

SAML vs OAuth vs OIDC

              SAML                   OAuth 2.0               OIDC
  Format      XML                    JSON/tokens             JSON (JWT)
  Purpose     Authentication (SSO)   Authorization           Authentication
  Best for    Enterprise web SSO     API access delegation   Modern app/mobile login

SAML excels at enterprise web SSO; OAuth handles API authorization; OIDC is the modern JSON-based login layer. Full comparison in SAML vs OAuth vs OIDC.

Frequently Asked Questions

What is SAML? An XML-based standard for single sign-on, where an identity provider authenticates a user and sends a signed assertion to an application to grant access.

How does SAML single sign-on work? You're redirected from the app to the identity provider to log in; the IdP returns a signed SAML response that the app validates and uses to log you in.

What is a SAML assertion? The signed XML statement from the IdP containing the user's identity, attributes (like email and role), and authentication details.

What's the difference between SAML and OAuth? SAML is XML-based and built for authentication/SSO; OAuth is token-based and built for authorization (granting apps access to APIs).

What is an Identity Provider (IdP)? The trusted service that authenticates users and issues SAML assertions, such as Okta, Azure AD, or Google Workspace.

SAML's XML can look intimidating, but the idea is simple: a trusted identity provider vouches for you with a signed assertion, and every connected app accepts it — so you log in once and work everywhere.