Authn.tech
Home
  • SAML 2.0
  • OAuth 2.0
  • OIDC
  • WebAuthn / Passkey
  • MFA / TOTP
  • LDAP
  • All Tools
  • JWT Decode
  • JWT Sign
  • JWK Gen
  • JWK → PEM
  • PEM → JWK
  • PKCE Gen
  • OIDC Discovery
  • TOTP
  • WebAuthn
  • SAML Codec
  • SAML Metadata
  • SAML Response
  • X.509 Cert
  • PEM Inspect
  • Base64URL
  • LDAP Filter
  • Overview & Roles
  • OIDC Mock
  • SAML Mock
  • Mail Server
  • LDAP Directory
  • OIDC Login Demo
  • SAML Login Demo
  • 简体中文
  • English
  • Deutsch
GitHub
Home
  • SAML 2.0
  • OAuth 2.0
  • OIDC
  • WebAuthn / Passkey
  • MFA / TOTP
  • LDAP
  • All Tools
  • JWT Decode
  • JWT Sign
  • JWK Gen
  • JWK → PEM
  • PEM → JWK
  • PKCE Gen
  • OIDC Discovery
  • TOTP
  • WebAuthn
  • SAML Codec
  • SAML Metadata
  • SAML Response
  • X.509 Cert
  • PEM Inspect
  • Base64URL
  • LDAP Filter
  • Overview & Roles
  • OIDC Mock
  • SAML Mock
  • Mail Server
  • LDAP Directory
  • OIDC Login Demo
  • SAML Login Demo
  • 简体中文
  • English
  • Deutsch
GitHub
  • SAML 2.0

    • SAML 2.0 Overview
    • Core Concepts
    • Typical Flows
    • Typical Parameters and Message Reference

SAML 2.0 Overview

What is SAML

SAML (Security Assertion Markup Language) is an open, XML-based standard for exchanging authentication and authorization data across different security domains. It is defined by OASIS (Organization for the Advancement of Structured Information Standards), and the currently widely-used version is SAML 2.0, released in March 2005.

The core problem that SAML solves is: after a user logs in to system A, how can system B safely trust that "this user has been authenticated," without requiring the user to share their password with B? It is the de facto standard protocol for enterprise Single Sign-On (SSO) and remains the preferred approach for many SaaS products integrating with enterprise identity systems.

The basic SAML working model:

  1. Identity Provider (IdP) authenticates users and issues a digitally signed XML document—an Assertion—stating "a certain user completed authentication in a certain way at a certain time and possesses certain attributes."
  2. Service Provider (SP) receives and verifies this Assertion (signature, validity period, audience), then establishes a local session for the user.

Because the Assertion carries the IdP's XML digital signature, the SP can verify its authenticity and integrity offline (in the most common POST Binding) without needing to communicate with the IdP in real-time. This is an important characteristic of the SAML architecture.

Historical Evolution: SAML 1.0 / 1.1 → 2.0

VersionRelease DateNotes
SAML 1.0November 2002OASIS's first version, establishing the foundational Assertion/Protocol/Binding framework
SAML 1.1September 2003Minor revisions, adopted in early federated identity deployments
SAML 2.0March 2005Major version, not backward compatible with 1.1

SAML 2.0 combined three technical lineages: SAML 1.1 itself, Liberty Alliance's ID-FF 1.2 (Identity Federation Framework), and experience from Shibboleth 1.3. Key improvements over 1.1 include:

  • Introduction of standardized <AuthnRequest> messages for SP-initiated SSO (version 1.1 only defined IdP-initiated push);
  • Addition of Single Logout (SLO) protocol;
  • New Metadata specification, allowing endpoints and certificates between SP and IdP to be exchanged in a standardized manner;
  • Introduction of NameID Format (persistent and transient identifiers) and NameID management protocols, supporting privacy-preserving federation scenarios;
  • Support for XML encryption of Assertions, NameIDs, and Attributes.

Tips

Today, new integrations almost never use SAML 1.1. If you encounter a legacy system that only supports 1.1, prioritize upgrading. The two versions have incompatible message formats and namespaces (urn:oasis:names:tc:SAML:1.0:* vs urn:oasis:names:tc:SAML:2.0:*).

OASIS Standard Document Composition

SAML 2.0 is not a single document but a collection of specifications. The four core documents most frequently consulted in engineering are:

DocumentCommon ShorthandContent
Assertions and ProtocolsCore (saml-core-2.0-os)Defines Assertion structure (three Statement types) and request/response protocol messages (AuthnRequest, Response, LogoutRequest, etc.) with XML Schema and processing rules
BindingsBindings (saml-bindings-2.0-os)Defines how protocol messages map to transport: HTTP-Redirect, HTTP-POST, HTTP-Artifact, SOAP, etc.
ProfilesProfiles (saml-profiles-2.0-os)Combines Core + Bindings into interoperable complete use cases; most important are Web Browser SSO Profile and Single Logout Profile
MetadataMetadata (saml-metadata-2.0-os)Defines EntityDescriptor and other metadata formats for exchanging entity identity, endpoints, and certificates

The four-layer relationship can be summarized as: Core defines "what to say," Bindings define "how to transmit," Profiles define "how to conduct complete conversation," and Metadata defines "how the two parties exchange configuration." These concepts are elaborated in detail on the Core Concepts page.

Additionally, there are supplementary documents on Conformance, Security and Privacy Considerations, and Authentication Context, which are worth consulting for troubleshooting and security reviews.

Typical Use Cases

SAML 2.0's most typical—and practically the only still-growing—scenario is enterprise Web SSO / identity federation:

  • Internal enterprise SSO: Employees log in once to the company's IdP (such as AD FS, Keycloak, Ping, Okta, Azure AD / Entra ID) and can access all internal web applications.
  • Enterprise integration with SaaS: When enterprises purchase SaaS products like Salesforce, Workday, or Jira, SAML enables employees to log in using company accounts, with account lifecycle managed centrally by the enterprise (often combined with SCIM for account synchronization).
  • Cross-organizational federation: Academic alliances (such as eduGAIN/Shibboleth ecosystem), trusted identity recognition between government and enterprises.

Positioning vs. OAuth 2.0 / OIDC

DimensionSAML 2.0OAuth 2.0OIDC (OpenID Connect)
Problem SolvedAuthentication + attribute delivery (SSO)Authorization (delegated API access)Authentication (built on OAuth 2.0)
Message FormatXML (signatures/encryption use XML-DSig/XML-Enc)JSON / form parametersJSON, tokens are JWT
Primary CredentialAssertionAccess TokenID Token (+ Access Token)
Client FormTraditional web apps (browser redirect/POST)Web, mobile, SPA, service-to-serviceWeb, mobile, SPA
Mobile/API FriendlinessPoorGoodGood
Enterprise SaaS SupportMature— (not used for login)Rapidly proliferating
Typical ChoiceIntegrating with existing enterprise IdP, SaaS enterprise edition loginOpen API authorizationSSO for new systems—first choice

Selection Recommendation

For new systems, prioritize OIDC; however, if your product will be sold to medium-to-large enterprises, you'll likely encounter SAML regardless—many enterprise IdPs and compliance processes still center on SAML. The two are not mutually exclusive; a common approach is to use Keycloak or similar middleware to bridge protocols (OIDC internally, SAML externally).

Chapter Navigation

  • Core Concepts —— Roles, Assertion, Protocol, Binding, Profile, Metadata, NameID, signatures and encryption
  • Typical Flows —— SP-initiated SSO, IdP-initiated SSO, Single Logout step-by-step flows and complete message examples
  • Typical Parameters and Message Reference —— AuthnRequest/Response element quick reference, StatusCode, NameID Format, troubleshooting quick lookup
Last updated: 7/6/26, 7:49 AM
Contributors: linux, Claude Opus 4.8
Next
Core Concepts