SAML 2.0
What it is
SAML 2.0 (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization assertions between an identity provider and a service provider. It has powered enterprise web single sign-on since 2005, and if you sell to enterprises you will be asked to support it because that is what their identity providers speak.
How it works
The identity provider (IdP) authenticates the user and issues a signed XML assertion to the service provider (SP), which trusts it and grants access.
- Assertion: a signed XML document stating who the user is and when they authenticated.
- SP-initiated vs IdP-initiated: the flow can start at the application or at the identity provider's portal.
- Metadata: IdP and SP exchange metadata describing endpoints and signing keys.
Status
SAML 2.0 is a stable OASIS standard and remains deeply entrenched in enterprise IT. For new consumer, mobile, and API-centric apps, OpenID Connect is the better choice, but most enterprises still require SAML for workforce SSO, so platforms support both.
When to use it
When integrating with enterprise customers or established corporate identity providers. For greenfield modern apps, prefer OIDC.
Pitfalls
- XML signature handling is historically error-prone; rely on a vetted library, never hand-roll validation.
- Validate signatures, audience, and conditions; misconfigured SAML has produced serious authentication bypasses.
Related
Guide: SAML vs OIDC, SSO implementation. Glossary: SAML, federation.
SAML 2.0: frequently asked questions
- What is SAML 2.0?
- SAML 2.0 (Security Assertion Markup Language) is an XML-based open standard for exchanging authentication and authorization data between an identity provider and a service provider. It has powered enterprise web single sign-on since 2005 and remains the protocol most corporate identity providers speak.
- What is the difference between SAML and OIDC?
- SAML 2.0 is an older XML-based standard built for browser-based enterprise SSO, while OpenID Connect is a modern JSON and JWT-based protocol built for web, mobile, and APIs. Both do single sign-on; new applications usually choose OIDC, but SAML persists because enterprise identity providers and legacy integrations still require it.
- What is the difference between SP-initiated and IdP-initiated SAML?
- In an SP-initiated flow, the user starts at the application (service provider), which redirects them to the identity provider to authenticate. In an IdP-initiated flow, the user starts at the identity provider's portal and launches the application from there. SP-initiated is generally preferred because IdP-initiated flows are more exposed to certain replay and injection risks.
- Is SAML 2.0 still used in 2026?
- Yes. SAML 2.0 is a stable OASIS standard and remains deeply entrenched for workforce SSO across enterprises. Most identity platforms support both SAML and OIDC, so vendors selling to enterprises are still expected to support SAML.