
SAML (Security Assertion Markup Language)

XML-based standard for single sign-on (SSO) enabling secure identity information exchange between identity providers and applications.

Updated on January 13, 2026

SAML (Security Assertion Markup Language) is an XML-based open standard that enables single sign-on (SSO) and secure identity information exchange between an Identity Provider (IdP) and a Service Provider (SP). Developed by the OASIS Security Services Technical Committee, SAML eliminates the need to manage multiple credentials by allowing users to authenticate once to access multiple applications. This protocol is particularly prevalent in enterprise environments and B2B solutions requiring centralized identity management.

SAML Fundamentals

  • Digitally signed XML assertions containing authentication, attribute, and authorization statements
  • Three-party architecture: the user (principal), the Identity Provider (IdP), and the Service Provider (SP)
  • Authentication flows initiated by SP (SP-initiated) or IdP (IdP-initiated) with HTTP redirects
  • Protocol bindings using HTTP POST, HTTP Redirect, or SOAP for message transport

Strategic Benefits

  • Enhanced user experience: single authentication to access all authorized applications
  • Strengthened security: centralized authentication, reduced attack vectors, and MFA support
  • Reduced IT costs: fewer password reset requests and simplified access management
  • Facilitated compliance: centralized access auditing and enforcement of enterprise security policies
  • Interoperability: widely supported standard across SaaS solutions and enterprise platforms

SAML Assertion Example

saml-assertion-example.xml
<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6"
                Version="2.0"
                IssueInstant="2024-01-15T09:30:47Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@company.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData
          NotOnOrAfter="2024-01-15T09:35:47Z"
          Recipient="https://app.example.com/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T09:30:17Z"
                   NotOnOrAfter="2024-01-15T09:35:47Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-15T09:30:47Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>user@company.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="role">
      <saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>

SAML Implementation

  1. Select and configure a SAML Identity Provider (Okta, Azure AD, Auth0, Keycloak)
  2. Register the application (SP) with the IdP using SAML metadata (ACS URL, Entity ID)
  3. Configure X.509 certificates for signing and encrypting SAML assertions
  4. Implement the ACS (Assertion Consumer Service) endpoint on the application side to process SAML responses
  5. Define attribute mappings between the IdP and application (email, roles, groups)
  6. Test both SP-initiated and IdP-initiated flows using SAML validation tools
  7. Configure session management and Single Logout (SLO) functionality
  8. Establish monitoring and audit logging for SAML authentications

Security Best Practice

Always validate SAML assertion signatures on the SP side and implement strict verification of temporal conditions (NotBefore, NotOnOrAfter) to prevent replay attacks. Use SAML 2.0 exclusively and enable assertion encryption for sensitive data. Also configure certificate rotation policies to maintain long-term security.
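As an added example (not code from the original page), the checks an SP's ACS endpoint from the implementation steps should apply to a decoded assertion like the one above, using only the Python standard library: temporal conditions, audience, bearer recipient, signature presence and replay of the assertion ID. Full XML-DSig verification is left to a library such as the one python3-saml uses; the sample assertion, its ID and the expected audience/recipient values are constructed for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SEEN_IDS = set()  # replay cache; a real SP needs a shared store whose entries expire

def _ts(value):  # SAML timestamps are UTC xs:dateTime, e.g. 2024-01-15T09:30:47Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def validate_assertion(xml_text, audience, recipient, now, skew=60):
    root, slack, problems = ET.fromstring(xml_text), timedelta(seconds=skew), []
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        return ["not a SAML 2.0 Assertion"]
    cond = root.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if nb and now < _ts(nb) - slack:
        problems.append("not yet valid (NotBefore)")
    if not na or now >= _ts(na) + slack:  # an assertion with no expiry is never acceptable
        problems.append("expired or missing NotOnOrAfter")
    aud = root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience not in [a.text.strip() for a in aud if a.text]:
        problems.append("audience mismatch")
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = conf.find("saml:SubjectConfirmationData", NS) if conf is not None else None
    if conf is None or conf.get("Method") != BEARER or data is None:
        problems.append("missing bearer SubjectConfirmation")
    elif data.get("Recipient") != recipient:  # the ACS URL this SP actually serves
        problems.append("recipient mismatch")
    # Full XML-DSig verification (digest, reference URI, IdP certificate) belongs here; this block only rejects unsigned assertions.
    if root.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    aid = root.get("ID")
    if not aid or aid in SEEN_IDS:
        problems.append("replayed or missing assertion ID")
    elif not problems:
        SEEN_IDS.add(aid)  # remember only assertions we actually accepted
    return problems

# Constructed sample modelled on the page's assertion; the empty ds:Signature is a placeholder.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_sample1" Version="2.0" IssueInstant="2024-01-15T09:30:47Z">
<saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2024-01-15T09:35:47Z" Recipient="https://app.example.com/saml/acs"/>
</saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2024-01-15T09:30:17Z" NotOnOrAfter="2024-01-15T09:35:47Z">
<saml:AudienceRestriction><saml:Audience>https://app.example.com</saml:Audience></saml:AudienceRestriction>
</saml:Conditions><ds:Signature/></saml:Assertion>"""

def check_sample(at, audience="https://app.example.com", recipient="https://app.example.com/saml/acs"):
    return validate_assertion(SAMPLE, audience, recipient, _ts(at))
```

The first call within the validity window is accepted and its ID cached, so presenting the same assertion again is reported as a replay even though every other check still passes.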

SAML Tools and Platforms

  • Identity Providers: Okta, Microsoft Azure AD, Google Workspace, Auth0, OneLogin, Keycloak
  • Integration libraries: passport-saml (Node.js), python3-saml (Python), ruby-saml (Ruby), OneLogin SAML Toolkits
  • Debugging tools: SAML-tracer (browser extension), SAMLTool.com, SAML Chrome Panel
  • Open-source solutions: SimpleSAMLphp, Shibboleth, WSO2 Identity Server

SAML remains the reference standard for enterprise single sign-on, particularly for integration with legacy systems and B2B SaaS solutions. While OAuth 2.0 and OpenID Connect are gaining popularity for modern and mobile architectures, SAML offers proven maturity, extensive support, and robust enterprise features. For organizations looking to modernize their identity infrastructure while maintaining compatibility with existing applications, a hybrid strategy combining SAML for enterprise applications and OIDC for new cloud-native applications often represents the best approach.
