SAML (Security Assertion Markup Language) is an XML-based SSO protocol from 2005. It’s the standard enterprise identity providers (Okta, Microsoft Entra, Ping, OneLogin) use to federate sign-in between your app and the customer’s IdP.
The basic flow
- User visits your app (the Service Provider, or SP)
- Your app redirects them to the customer’s IdP with a SAML AuthnRequest
- User authenticates with the IdP
- IdP sends a signed SAML Response back to your app
- Your app verifies the signature and extracts the user’s identity from the XML
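The last step is where most Service Provider bugs live: a valid signature only proves the IdP produced the XML, not that this response belongs to your app, your session and the current time window. Below is an added example (not code from this page or from any SAML library) of the assertion-level checks an SP must still make after its library has verified the XML signature; the issuer, ACS URL, entity ID, request ID and timestamps are constructed sample values.

```python
# Added example: checks an SP must run on a SAML Response AFTER the library has
# verified the XML signature. Every URL, ID and timestamp below is a constructed
# sample value; the <ds:Signature> element is omitted and assumed already verified.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample response from the hypothetical IdP https://idp.example.org/saml.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1"
  InResponseTo="_req42" Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    # SAML timestamps are UTC ISO 8601 with a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text, *, expected_issuer, acs_url, entity_id,
                      expected_request_id, now, skew=timedelta(seconds=60)):
    """Return the asserted NameID, or raise ValueError on the first failed check."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        raise ValueError("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an AuthnRequest we sent")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    assertion = assertions[0]
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("Assertion Issuer is not the configured IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("Conditions must carry NotBefore and NotOnOrAfter")
    if now < _ts(cond.get("NotBefore")) - skew or now >= _ts(cond.get("NotOnOrAfter")) + skew:
        raise ValueError("Assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        raise ValueError("Assertion is not addressed to this SP")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

In production the library also consumes the assertion ID once to stop replay; the clock skew tolerance here is a deliberate configuration choice, not a protocol constant.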
Why it’s still around
SAML is old and chattier than modern protocols like OIDC, but it’s deeply entrenched in enterprise IT. Every Fortune-500 IdP speaks SAML. If you sell to enterprises, you’ll support SAML.
What makes it painful
- XML Signature supports several canonicalization algorithms, and a mismatch between what the IdP signed and what your SP canonicalizes produces cryptic validation errors
- Every IdP implements attribute names slightly differently
- Metadata exchange is its own mini-protocol
Don’t hand-roll SAML. Use a library like passport-saml or python3-saml, or outsource it to a managed provider.