Security Assertion Markup Language (SAML) is a cornerstone for sharing authentication and authorization data between different systems. The SAML protocol is one of the most common methods for delivering single sign-on (SSO), though the nearly quarter-century-old standard has begun to show its age.
Below, we cover the fundamentals of SAML, showing its role in facilitating safe communications between users and web services without sacrificing convenience.
Main points:
SAML is a long-standing SSO protocol primarily used by enterprises to allow users to log in to separate applications using just one set of credentials.
While SAML is deeply embedded in enterprise identity management, OpenID Connect (OIDC) is often compared against it as a more modern, mobile, consumer-facing alternative.
Despite its age, SAML still has much to offer when implemented properly: less compliance overhead, stronger security, and a lower-friction user experience.
Key terms to know
Before we dive into SAML specifics, it’s worth noting these essential terms:
Identity Provider (IdP): The IdP is the entity responsible for confirming the identity of the user and passing signed statements about that user's authentication and attributes to the service provider (SP). Common IdPs include Descope, Microsoft Entra ID, and Okta.
Service Provider (SP): The SP is the entity the user is trying to access. The SP receives the data from the IdP and grants the user access. Some applications, like Salesforce or Descope, can act as both IdPs and SPs.
SAML assertion: An XML document issued by the IdP and delivered to the SP (via the user's browser) containing claims about the user. An assertion carries statements of three kinds: authentication statements (confirming how and when the user logged in), attribute statements (passing user details, like name or email), and authorization decision statements (indicating what the user is permitted to access). The IdP signs the assertion so the SP can verify that it came from the IdP and was not altered in transit.
What is SAML?
SAML is an open standard that uses Extensible Markup Language (XML) to pass user identity data between web-based IdPs and SPs. The IdP, not SAML itself, verifies the user's credentials; SAML defines the message formats, protocol exchanges and bindings through which the result of that verification is conveyed to the SP, giving users swift and secure access to resources and applications.
It is commonly used for single sign-on (SSO) and other forms of federated identity management, which allow users to access multiple web applications with a single set of credentials. This simplifies the login process while relieving application owners of the complexities of user authentication.
The first version of SAML, SAML 1.0, was approved as an OASIS standard in November 2002. It laid the foundation for secure identity and attribute exchange in web-based applications. In March 2005, SAML 2.0 was published, introducing more robust security features, greater flexibility, and broader adoption. SAML 2.0 remains the most widely used version today.
SAML vs. SSO
While SAML and SSO are closely related and often confused, they are not the same. In essence, SAML is one of the protocols that governs SSO implementation.
SSO is a user authentication method that allows a user to access multiple applications with one set of credentials. SAML is one of several protocols (others include OAuth and OpenID Connect) that can be used for SSO.
SAML vs. OAuth
Although the two are often mentioned together, they solve different problems. SAML is an authentication and federation protocol: it is well-suited for enterprise applications and for establishing trust between organizations in federated identity scenarios. OAuth 2.0 is an authorization framework: it lets a user grant a third-party application scoped access to their data at another service, without that application ever seeing the user's credentials. OAuth on its own does not tell the application who the user is.
Imagine you're going to Six Flags amusement park. When you arrive, the park staff will check two things before letting you in: your ID and your ticket.
First, they'll look at some form of government-issued identification (like a driver's license) to ensure you are who you claim to be. This is similar to how SAML works. It validates your identity.
Second, they'll check your ticket, which determines the type of access you have within the park. Your ticket might grant access to the fast lane, unlimited rides, or VIP areas. This is like OAuth, as it controls what actions or resources you're authorized to use.
SAML vs. OIDC
OIDC is a federation protocol that lets a third-party application (the Relying Party) verify a user's identity through an OIDC provider, such as Descope or Microsoft, without handling the user's credentials directly.
OIDC is an identity layer built on top of OAuth 2.0: it reuses OAuth's authorization flows and adds an ID token, a signed JSON Web Token that states who the user is and how and when they authenticated. Both the OAuth vs. OIDC and SAML vs. OAuth conversations can be confusing, because every OIDC implementation is also an OAuth implementation. The simplest explanation is that OIDC is the authentication layer on top of OAuth that makes OAuth usable for SSO.
While both SAML and OIDC deal with authentication and authorization to enable SSO, they excel in different areas. SAML is browser-centric and XML-based, making it well-suited for enterprise applications and establishing trust between organizations in federated identity scenarios. OIDC integrates better with mobile apps and APIs due to the use of JSON Web Tokens, making it a good fit for consumer-facing scenarios and integration with modern identity systems.
| Trait | SAML | OIDC |
|---|---|---|
| Purpose | Secure data exchange for authentication and authorization, primarily in web-based enterprises | User authentication built on the OAuth 2.0 authorization framework, providing a flexible security model |
| Data Format | XML-based assertions, signed with XML Digital Signature | JSON; the ID token is a signed JSON Web Token (access and refresh tokens may be JWTs or opaque strings) |
| Primary Use Cases | SSO and federated identity management | Mobile apps and APIs, delegated access to user data, single-page applications |
| Speed and Performance | Slower than OIDC due to the transmission and canonicalization of larger XML documents | Lean and flexible, designed to work with contemporary technologies |
SAML vs LDAP
SAML and Lightweight Directory Access Protocol (LDAP) serve different purposes and have distinct features and use cases.
LDAP is a protocol used for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. It looks up information in directory listings, which are often used for storing organizational entities like users, groups, and their associated details.
LDAP can authenticate users in a single system or across a limited number of closely related systems.
| Trait | SAML | LDAP |
|---|---|---|
| Purpose | Secure data exchange for authentication and authorization, mainly for web-based applications | Directory service for storing, retrieving, and managing structured data, including user and resource information |
| Data Format | XML-based assertions | Hierarchical data structure |
| Primary Use Cases | SSO and federated identity | Centralized user account management and directory services for authentication / authorization |
| Authentication | Focuses on user identity and access control in web applications | Primarily focused on authentication (via LDAP bind) and data retrieval from the directory service |
| Authorization | Manages user permissions within web applications | Typically does not handle authorization directly; it provides user data (such as group membership) for authorization decisions |
How does SAML work?
At its core, SAML is the linchpin for exchanging authentication and authorization data between IdPs and SPs. Note that SSO logins can begin either with the Service Provider (like Slack or Jira) or with the Identity Provider (like Okta or Descope). Both SP-initiated and IdP-initiated flows are valid. The SP-initiated flow is the stronger default: because the SP issued the request, it can tie the returned response to that request (via InResponseTo) and reject anything unsolicited. In the IdP-initiated flow the SP receives a response it never asked for, so it must rely entirely on signature, audience and validity-window checks, and should accept unsolicited responses only where that flow is deliberately enabled.
Here's how the SAML process works, and how SPs and IdPs fit into it:
User request: A user tries to access the SP.
Redirect to IdP: The SP redirects the user to the IdP for authentication.
User authentication: The user logs in with the IdP, which verifies the credentials.
SAML assertion: The IdP creates a SAML assertion and sends it back to the SP.
Access Granted: The SP receives the SAML assertion, validates it, and grants the user access to the requested service.
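Steps 1 and 2 of this flow, as an added example that is not part of the original article: the SP builds a SAML 2.0 AuthnRequest, records its ID so the later response can be matched, and encodes it for the HTTP-Redirect binding. The entity IDs and URLs (SpaceBNB as SP, Authsome as IdP, as in the example below) are placeholder assumptions, and the optional redirect signature (SigAlg/Signature parameters) is omitted.

```python
"""Build a SAML 2.0 AuthnRequest for the SP-initiated flow and encode it for the
HTTP-Redirect binding. Added example; SP_ENTITY_ID, ACS_URL and IDP_SSO_URL are
assumed placeholder values, not taken from the article.
"""
import base64
import secrets
import urllib.parse
import zlib
from datetime import datetime, timezone

SP_ENTITY_ID = "https://spacebnb.example/saml/metadata"  # assumption
ACS_URL = "https://spacebnb.example/saml/acs"            # assumption
IDP_SSO_URL = "https://authsome.example/sso/saml"        # assumption
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Request IDs the SP is still waiting on. The Response's InResponseTo must match
# one of these, so keep them server-side (or in a signed cookie), never client-side only.
pending_requests = {}


def new_request_id():
    # SAML IDs are XML IDs and must not start with a digit, hence the leading underscore.
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id, issue_instant):
    # The IdP will POST its Response to AssertionConsumerServiceURL. ForceAuthn is left
    # at its default (false), so an existing IdP session is reused (step 3 of the flow).
    instant = issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{instant}" '
        f'Destination="{IDP_SSO_URL}" ProtocolBinding="{POST_BINDING}" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_redirect_url(xml, relay_state=None):
    # HTTP-Redirect binding: raw DEFLATE (no zlib header, wbits=-15), base64, URL-encode.
    # A signed redirect would add SigAlg and Signature query parameters; omitted here.
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state  # opaque return-to state; the IdP echoes it back
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(params)


def decode_redirect_url(url):
    # What the IdP does on receipt: reverse the encoding to recover the XML.
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode("utf-8")


def start_login(relay_state="/trips"):
    """SP step 2: create the request, remember its ID, return (ID, redirect URL)."""
    request_id = new_request_id()
    now = datetime.now(timezone.utc)
    pending_requests[request_id] = now
    return request_id, encode_redirect_url(build_authn_request(request_id, now), relay_state)


if __name__ == "__main__":
    rid, url = start_login()
    print(url)
    print(decode_redirect_url(url))
```

The browser follows the returned URL to the IdP (step 3 above). Whatever the SP stores in `pending_requests` should expire after a few minutes, since a request ID that is never answered should not stay acceptable indefinitely.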

SAML example
Let’s consider the following example to understand better how SAML works. Consider the following scenario:
The user works at an organization that uses SAML SSO for workforce applications.
The user is trying to access SpaceBNB, an application meant for renting spots on other planets (why not?). In this case, SpaceBNB is the SP.
The user’s employer uses Authsome to manage user authentication. Authsome is the IdP.
So it goes like this:
Step 1: The user tries to log in to SpaceBNB from their web browser.
Step 2: SpaceBNB generates a SAML request.
Step 3: The browser redirects the user to an SSO URL from Authsome. Authsome parses the SAML request and authenticates the user (with username-password, social login, OTP, etc.). This step will be skipped if the user already has an existing session with Authsome.
Step 4: Authsome generates a SAML response and sends it to the browser. This response contains assertions about the user’s identity and other attributes.
Step 5: The browser sends the SAML response to SpaceBNB for verification.
Step 6: SpaceBNB checks that the response from Authsome is legitimate and that none of the attributes have been modified. In practice this means verifying the XML signature with the Authsome certificate obtained from its metadata, confirming that Authsome is the issuer and SpaceBNB is the intended audience, checking that the assertion is within its validity window, matching InResponseTo against the request from Step 2, and rejecting an assertion ID it has already accepted.
Step 7: SpaceBNB extracts the user’s identity and other relevant attributes from the SAML response and logs the user in.
In this example, the user can log in to SpaceBNB without creating or remembering another set of unique account credentials. Since SpaceBNB delegates user authentication to Authsome, app builders do not have to worry about storing user passwords, managing password reset flows, and other organizational overhead.
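Step 6 of the scenario above, as an added example that is not part of the original article: the checks an SP performs on a SAML Response after the signature has been verified. XML Digital Signature verification itself (done against the IdP certificate from metadata, normally with an xmlsec-based library) is a precondition of this code and is deliberately not reimplemented here. The issuer, entity ID and ACS URL are assumed placeholders, and `sample_response` builds a constructed, unsigned response purely so the checks can be exercised offline.

```python
"""SP-side checks on a SAML 2.0 Response (added example, not the article's code).
Precondition: the XML signature over the Response/Assertion has already been verified
with the IdP key from metadata. Configuration values below are assumed placeholders.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

EXPECTED_ISSUER = "https://authsome.example/idp"          # assumption
SP_ENTITY_ID = "https://spacebnb.example/saml/metadata"   # assumption
ACS_URL = "https://spacebnb.example/saml/acs"             # assumption
CLOCK_SKEW = timedelta(minutes=3)
DEMO_NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

# Assertion IDs already accepted; in production use a shared store with a TTL.
seen_assertion_ids = set()


def _ts(value):
    # IdPs may emit fractional seconds; this demo accepts whole seconds only.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_bytes, pending_request_ids, now, allow_unsolicited=False):
    """Return {'ok', 'problems', 'name_id', 'attributes'}; ok is True only if problems is empty."""
    problems, root = [], ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}Response":
        return {"ok": False, "problems": ["root element is not samlp:Response"], "name_id": None, "attributes": {}}
    if root.get("Destination") != ACS_URL:
        problems.append("Destination does not match our ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        if not allow_unsolicited:
            problems.append("unsolicited response (no InResponseTo) and IdP-initiated SSO is disabled")
    elif in_response_to not in pending_request_ids:
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # exactly one; ambiguity here is how wrapped assertions sneak in
        problems.append(f"expected exactly one Assertion, found {len(assertions)}")
        return {"ok": False, "problems": problems, "name_id": None, "attributes": {}}
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != EXPECTED_ISSUER:
        problems.append("assertion Issuer is not the configured IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and _ts(nb) > now + CLOCK_SKEW:
            problems.append("assertion not yet valid")
        if noa is None or _ts(noa) <= now - CLOCK_SKEW:
            problems.append("assertion expired or has no NotOnOrAfter")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            problems.append("our entity ID is not in the AudienceRestriction")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != ACS_URL:
            problems.append("SubjectConfirmationData Recipient mismatch")
        if scd.get("NotOnOrAfter") and _ts(scd.get("NotOnOrAfter")) <= now - CLOCK_SKEW:
            problems.append("SubjectConfirmationData expired")
        if in_response_to and scd.get("InResponseTo") != in_response_to:
            problems.append("SubjectConfirmationData InResponseTo mismatch")
    aid = a.get("ID")
    if not aid or aid in seen_assertion_ids:
        problems.append("assertion ID missing or replayed")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {att.get("Name"): [v.text for v in att.findall("saml:AttributeValue", NS)]
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if not problems:
        seen_assertion_ids.add(aid)  # remember only assertions we actually accepted
    return {"ok": not problems, "problems": problems, "name_id": name_id, "attributes": attrs}


def sample_response(now, request_id="_req1", assertion_id="_a1", audience=SP_ENTITY_ID, lifetime_minutes=5):
    """Constructed, unsigned sample for exercising the checks (a real Response is signed)."""
    fmt = lambda d: d.strftime("%Y-%m-%dT%H:%M:%SZ")
    nb, noa = fmt(now - timedelta(minutes=1)), fmt(now + timedelta(minutes=lifetime_minutes))
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
  IssueInstant="{fmt(now)}" Destination="{ACS_URL}" InResponseTo="{request_id}">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{fmt(now)}">
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="{noa}" InResponseTo="{request_id}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="department"><saml:AttributeValue>engineering</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".encode("utf-8")


if __name__ == "__main__":
    print(validate_response(sample_response(DEMO_NOW), {"_req1"}, DEMO_NOW))
```

The ordering matters: signature first, then these checks, and only an assertion that passes everything is added to the replay cache. Each check guards a distinct failure (a response meant for another SP, a stale one captured earlier, one answering a request this SP never made), and the function reports all of them rather than stopping at the first so that misconfigurations surface in logs.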
Benefits of SAML
Here are some key advantages of using SAML authentication.
Enhanced security
SAML reduces the attack surface by eliminating the need for SPs to store user credentials, making app servers less attractive targets for cybercriminals. By reducing the number of passwords in circulation, SAML minimizes the likelihood and impact of attacks like credential stuffing and phishing. Two caveats follow from this design: the IdP becomes the single high-value target and should enforce strong authentication (MFA or passwordless), and the SP remains responsible for validating every assertion strictly (signature, issuer, audience, validity window, and replay), since a lax SP undoes the protection the IdP provides.
Improved user experience
SAML streamlines the login process, resulting in a faster and more convenient user experience. Rather than creating and remembering unique passwords for every application, users simply navigate to the desired application and are authenticated by the IdP. The only credential they need to remember is the one used for the IdP.
IdPs that use passwordless authentication further improve user experience by freeing users from maintaining complex passwords.
Streamlined app development
By using SAML, SPs can place the burden of strong authentication and identity management on the IdP. This means app developers no longer have to expend resources on password management and storage, protecting against password-based attacks, and implementing password reset flows. These resources can now be diverted to the SP’s area of expertise and focus.
Reduced compliance overhead
In industries or organizations where compliance is crucial, SAML’s ability to streamline authentication and authorization presents real value. When secure sign-ons are centralized through a single IdP, it’s faster and easier to audit user activity or gather evidence. That efficiency can translate into significant cost savings.
Descope: The best way to integrate SAML SSO
SAML can simplify user authentication, enhance security, and streamline access to multiple web applications. It’s a tried-and-tested way to improve the user experience without compromising security.
However, learning and debugging SAML can be a complex and time-consuming process. Descope is a modern Customer Identity and Access Management (CIAM) platform that helps developers easily add SAML SSO to their apps with no-code workflows, including the SSO Setup Suite for self-service tenant admin configuration. With identity federation, Descope can also broker connections between any combination of SAML / OIDC clients and IdPs, helping customers unify user identities across customer-facing applications.
To learn more about SAML and your SSO options, book a demo with our auth experts. If you prefer getting hands-on right away, sign up for a Free Forever account with Descope and start integrating SAML today.