SAML — Explained with Examples

DodaTech Updated Jun 15, 2026 2 min read

SAML (Security Assertion Markup Language) is an XML-based open standard for exchanging authentication and authorization data between identity and service providers.

SAML stands for Security Assertion Markup Language (version 2.0, defined in 2005). It’s the dominant SSO protocol in enterprise environments, powering integrations between corporate identity providers and thousands of SaaS applications.

SAML Roles

  • Identity Provider (IdP) — authenticates users and issues SAML assertions (e.g., Okta, Azure AD, OneLogin)
  • Service Provider (SP) — the application the user wants to access (e.g., Salesforce, Slack, Workday)

SAML Flow

1. User tries to access SP (e.g., Salesforce)
2. SP generates SAML request → redirects user to IdP
3. IdP authenticates user (password, MFA, etc.)
4. IdP generates SAML response (XML assertion) → sends to SP
5. SP validates assertion → grants access

<!-- SAML Assertion (simplified) -->
<saml:Assertion>
  <saml:Subject>
    <saml:NameID>alice@corp.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2026-06-19T10:00:00Z"
                   NotOnOrAfter="2026-06-19T18:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@corp.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="role">
      <saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
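To make steps 2 and 5 of the flow concrete, here is an added example (not DodaTech's code) showing the SP side in Python: building the AuthnRequest the SP redirects the user with, and then enforcing the validity window and extracting the subject and attributes from an assertion shaped like the one above. The entity IDs and URLs (sp.example.com, idp.example.com) and the sample assertion are constructed for the example. It assumes the assertion's XML signature has already been verified against the IdP's certificate by a SAML library; that check is what makes the IdP's "stamp" trustworthy, and none of the data below may be used before it passes.

```python
"""SP-side helpers for the SAML flow (added example, constructed data)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Standard SAML 2.0 namespace URIs from the OASIS specification.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


class InvalidAssertion(Exception):
    """Raised when an assertion fails a validation check."""


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, issue_instant=None):
    """Step 2: the SP builds the AuthnRequest it sends the user to the IdP with.
    Returns (request ID, XML string). The SP keeps the ID so it can later match
    the IdP's response to a request it actually issued."""
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime(TIME_FMT)
    request_id = "_" + uuid.uuid4().hex  # XML IDs must not start with a digit
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    return request_id, ET.tostring(root, encoding="unicode")


def _parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def validate_assertion(assertion_xml, now_iso):
    """Step 5 (SP side): enforce the Conditions window and extract the subject
    and attributes. Assumes the XML signature was verified beforehand by a SAML
    library; production code should also parse with defusedxml rather than
    the stdlib parser."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        raise InvalidAssertion(f"unexpected root element {root.tag}")

    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise InvalidAssertion("missing Conditions")
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        raise InvalidAssertion("Conditions lacks NotBefore/NotOnOrAfter")
    now = _parse_time(now_iso)
    # NotOnOrAfter is exclusive: the assertion is already stale at that instant.
    if not (_parse_time(not_before) <= now < _parse_time(not_on_or_after)):
        raise InvalidAssertion("assertion outside its validity window")

    name_id = root.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    if not name_id:
        raise InvalidAssertion("missing Subject/NameID")

    attributes = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attributes.setdefault(attr.get("Name"), []).extend(values)
    return {"name_id": name_id, "attributes": attributes}


# Constructed sample assertion, mirroring the simplified one above but with the
# namespace declared so the parser accepts it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_sample1" Version="2.0" IssueInstant="2026-06-19T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@corp.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2026-06-19T10:00:00Z" NotOnOrAfter="2026-06-19T18:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@corp.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    req_id, req_xml = build_authn_request("https://sp.example.com/metadata",
                                          "https://sp.example.com/acs",
                                          "https://idp.example.com/sso")
    print("AuthnRequest", req_id, "\n", req_xml)
    print(validate_assertion(SAMPLE_ASSERTION, "2026-06-19T12:00:00Z"))
    try:
        validate_assertion(SAMPLE_ASSERTION, "2026-06-19T18:00:00Z")
    except InvalidAssertion as exc:
        print("rejected:", exc)
```

The window check treats NotOnOrAfter as exclusive, as the SAML specification does, so an assertion presented exactly at 18:00:00Z is refused. In a real SP the same function would also compare the Issuer against the configured IdP and check any Audience restriction, which the simplified assertion above omits.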

Real-World Analogy

SAML is like a notarized document. You bring your ID (password) to a notary (IdP). The notary checks your ID and stamps a document confirming “this person is Alice, and she’s authorized to sign contracts up to $10,000.” You bring that stamped document to the bank (SP), which trusts the notary’s stamp and lets you open an account. The bank doesn’t need to see your ID because they trust the notary’s signature.

SAML vs OIDC

Feature             | SAML                   | OpenID Connect
Format              | XML                    | JSON
Transport           | Browser redirects/POST | REST API
Complexity          | High                   | Low
Enterprise adoption | Widespread             | Growing rapidly

Related Terms

SSO, OAuth, OpenID Connect, XML, LDAP
