Glossary
SAML
Security Assertion Markup Language
SAML (Security Assertion Markup Language) is an XML-based single sign-on (SSO) standard published by OASIS in 2005. Used heavily in enterprise B2B integrations — Okta, Ping Identity, Microsoft AD FS, Google Workspace, every SaaS that sells to large companies.
The model: an Identity Provider (IdP, e.g. Okta) authenticates the user. The user lands at a Service Provider (SP, e.g. Salesforce) with a signed SAML assertion proving who they are. The SP verifies the signature against the IdP’s public key and trusts the claim.
SAML vs OAuth2/OIDC: SAML is older, XML-based, designed for enterprise SSO. OAuth/OIDC are JSON-based, designed originally for delegated authorisation (“allow this app to read my Gmail”) and later extended to authentication (OIDC). New enterprise integrations increasingly use OIDC; existing enterprise SaaS often still requires SAML because customers’ IdPs require it.
The XML signature spec SAML uses is notoriously footgun-y — XML signature wrapping attacks exist on many implementations. Modern libraries (e.g., python-saml, OneLogin’s) handle this correctly by default; rolling your own is a bad idea.
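The flow above (IdP signs the assertion, SP verifies against the IdP's key) and the wrapping problem come down to one invariant on the SP side: the element whose signature you verified must be the same element you read the identity claim from. The following is an added example, not code from this glossary or from any SAML library. It uses Python's standard library only, so the signature is an HMAC stand-in for XML-DSig (a real SP verifies an RSA/ECDSA signature against the IdP certificate); the assertion IDs, key and NameID values are constructed, and the Response structure is reduced to the parts the check needs. It shows a naive SP that verifies correctly but then reads the first Assertion it finds, next to a strict SP that enforces one assertion, enveloped signature, and a Reference URI pointing at that assertion.

```python
"""Added example: "consume only the assertion that was actually signed".
HMAC is a stand-in for XML-DSig; the structural checks are the point."""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "samlp": SAMLP_NS, "ds": DS_NS}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # stable prefixes so C14N output is reproducible

IDP_KEY = b"constructed-demo-idp-key"  # constructed stand-in for the IdP's signing key


def _c14n_without_signature(assertion):
    """Canonical bytes of an Assertion with its enveloped ds:Signature removed."""
    clone = copy.deepcopy(assertion)
    clone.tail = None
    for sig in clone.findall("ds:Signature", NS):
        clone.remove(sig)
    return ET.canonicalize(ET.tostring(clone, encoding="unicode"), strip_text=True).encode()


def idp_build_response(assertion_id, name_id):
    """IdP side (constructed): one Assertion carrying an enveloped signature."""
    resp = ET.Element(f"{{{SAMLP_NS}}}Response")
    a = ET.SubElement(resp, f"{{{SAML_NS}}}Assertion", ID=assertion_id)
    ET.SubElement(ET.SubElement(a, f"{{{SAML_NS}}}Subject"), f"{{{SAML_NS}}}NameID").text = name_id
    mac = hmac.new(IDP_KEY, _c14n_without_signature(a), hashlib.sha256).digest()
    sig = ET.SubElement(a, f"{{{DS_NS}}}Signature")
    ET.SubElement(ET.SubElement(sig, f"{{{DS_NS}}}SignedInfo"), f"{{{DS_NS}}}Reference", URI="#" + assertion_id)
    ET.SubElement(sig, f"{{{DS_NS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(resp, encoding="unicode")


def _verify_enveloped(assertion):
    """Check the Signature inside `assertion` covers exactly that element."""
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("assertion is not signed")
    ref = sig.find("ds:SignedInfo/ds:Reference", NS).get("URI", "")
    if ref != "#" + assertion.get("ID", ""):
        raise ValueError("Reference URI does not point at the enclosing assertion")
    expected = hmac.new(IDP_KEY, _c14n_without_signature(assertion), hashlib.sha256).digest()
    got = base64.b64decode(sig.findtext("ds:SignatureValue", "", NS))
    if not hmac.compare_digest(expected, got):
        raise ValueError("bad signature")


def sp_naive_name_id(response_xml):
    """Vulnerable pattern: verify whatever is signed, then read the FIRST Assertion."""
    root = ET.fromstring(response_xml)
    sig = root.find(".//ds:Signature", NS)
    signed_id = sig.find("ds:SignedInfo/ds:Reference", NS).get("URI")[1:]
    signed = next(e for e in root.iter() if e.get("ID") == signed_id)
    _verify_enveloped(signed)  # cryptographically fine ...
    # ... but the claim is read from a possibly different element
    return root.findtext(".//saml:Assertion/saml:Subject/saml:NameID", None, NS)


def sp_strict_name_id(response_xml):
    """Hardened pattern: one Assertion, direct child of Response, signed, and consumed."""
    root = ET.fromstring(response_xml)
    found = root.findall(".//saml:Assertion", NS)
    if len(found) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(found)}")
    assertion = found[0]
    if root.find("saml:Assertion", NS) is not assertion:
        raise ValueError("Assertion is not a direct child of Response")
    if len(root.findall(".//ds:Signature", NS)) != 1:
        raise ValueError("unexpected number of Signature elements")
    _verify_enveloped(assertion)
    return assertion.findtext("saml:Subject/saml:NameID", None, NS)


def wrapped_test_input(response_xml, other_name_id):
    """Constructed test fixture: the same signed Assertion plus an unsigned one before it."""
    root = ET.fromstring(response_xml)
    extra = ET.Element(f"{{{SAML_NS}}}Assertion", ID="_constructed-unsigned")
    ET.SubElement(ET.SubElement(extra, f"{{{SAML_NS}}}Subject"), f"{{{SAML_NS}}}NameID").text = other_name_id
    root.insert(0, extra)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    legit = idp_build_response("_a1", "alice@example.test")
    print("strict, legit   :", sp_strict_name_id(legit))
    wrapped = wrapped_test_input(legit, "admin@example.test")
    print("naive, wrapped  :", sp_naive_name_id(wrapped))  # signature still valid, wrong subject
    try:
        sp_strict_name_id(wrapped)
    except ValueError as exc:
        print("strict, wrapped :", exc)
```

The naive verifier is not wrong about the cryptography; it is wrong about which element it trusts. Real libraries such as OneLogin's python3-saml apply the same idea by locating the signed node through the Reference and refusing documents with unexpected extra assertions; the check belongs in the library, which is why the entry advises against rolling your own.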
Published May 15, 2026