eastbaycyber

SAML (Security Assertion Markup Language): Definition, Flow, and Where You’ll See It

Glossary 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

SAML (Security Assertion Markup Language) is an open standard that allows an Identity Provider (IdP) to authenticate a user and send a signed assertion to a Service Provider (SP). The SP then creates an authenticated session for the user—typically without the user entering a separate password in the SP.

SAML (Security Assertion Markup Language) is an XML-based standard that enables SSO (Single Sign-On) by letting an Identity Provider (IdP) authenticate a user and send a signed assertion to a Service Provider (SP). In most enterprises, SAML is the “glue” that connects a central workforce identity system to SaaS apps—so users sign in once, and apps rely on the IdP’s decision.

Because SAML sits on the critical path of authentication, treat it like a high-value security integration: enforce MFA at the IdP, lock down certificates, and monitor sign-in and SSO logs.

How SAML works (SSO and federation)

SAML is a form of federation: the application you’re trying to access (the SP) trusts an external identity system (the IdP) to authenticate users. Instead of the app managing passwords, it relies on SAML assertions from the IdP, typically delivered via the user’s browser.

A SAML integration usually includes:

  • Trust configuration: exchanging metadata (URLs, entity IDs, and signing certificates)
  • Browser redirects/posts: moving the user between SP and IdP
  • Signed (and sometimes encrypted) assertions: proving who the user is and which attributes they have
  • Policy enforcement at the IdP: MFA, conditional access, and account lifecycle controls

The actors and artifacts

  • Identity Provider (IdP): Authenticates the user (passwordless, MFA, etc.) and issues SAML assertions
  • Service Provider (SP): The app that consumes the assertion and grants access
  • SAML assertion: An XML document stating “this user authenticated,” often including attributes (email, groups)
  • Metadata: XML documents describing endpoints and certificates
  • SP metadata: ACS URL (where to send assertions), SP entity ID, signing requirements
  • IdP metadata: SSO URL, IdP entity ID, signing certificate, optional SLO endpoint

Typical SAML SSO flows

There are two common starting points.

1) SP-initiated SSO (most common)

  1. User visits the application (SP).
  2. SP generates a SAML AuthnRequest and redirects the browser to the IdP’s SSO endpoint.
  3. IdP authenticates the user (or uses an existing IdP session) and applies MFA/conditional access.
  4. IdP posts a SAMLResponse (with an assertion) back to the SP’s ACS (Assertion Consumer Service) URL—commonly via an auto-submitting HTML form.
  5. SP validates the assertion and creates an application session.

2) IdP-initiated SSO

  1. User starts in an IdP portal/app launcher.
  2. IdP directly posts a SAMLResponse to the SP’s ACS URL.
  3. SP validates and logs the user in.

IdP-initiated SSO can be convenient, but SP-initiated is often easier to reason about for security and troubleshooting because the response is tied to a specific request.

What the service provider must validate (non-negotiable)

SAML security depends heavily on the SP enforcing strict checks. At minimum, validate:

  • XML signature: The assertion and/or response is signed by the IdP’s trusted certificate
  • Issuer: The assertion came from the expected IdP entity ID
  • Audience restriction: The assertion is intended for this SP (helps prevent token reuse elsewhere)
  • Recipient / ACS URL: The response is delivered to the expected endpoint (exact match for scheme/host/path)
  • Time conditions: NotBefore / NotOnOrAfter are valid (allow minimal clock skew)
  • InResponseTo (especially for SP-initiated): prevents replay/unsolicited assertion acceptance
  • NameID / subject mapping: maps to the correct local account (or aligns with just-in-time provisioning rules)

If you’re building or hardening a broader security program around identity, also consider how you detect downstream indicators of account misuse—understanding what an IOC is can help teams correlate suspicious SSO activity with other signals: what is an ioc.

What a SAML assertion looks like (high-level)

<saml:Assertion>
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
      alice@example.com
    </saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"
        NotOnOrAfter="2026-05-16T12:34:56Z" InResponseTo="_abc123"/>
    </saml:SubjectConfirmation>
  </saml:Subject>

  <saml:Conditions NotBefore="2026-05-16T12:29:56Z" NotOnOrAfter="2026-05-16T12:34:56Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>

  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>

Troubleshooting SAML with a captured SAMLResponse

When SAML breaks, most issues come down to configuration mismatch (entity IDs/URLs/certs), time drift, or attribute mapping.

A quick way to inspect a SAMLResponse:

1) Base64-decode it
2) (Optionally) pretty-print the XML

# If you copied the SAMLResponse value (base64) from a browser plugin or logs:
python3 - <<'PY'
import base64, sys
b64 = sys.stdin.read().strip()
print(base64.b64decode(b64 + "===" ).decode("utf-8", errors="replace"))
PY

What to look for in the decoded XML

  • Issuer matches the configured IdP
  • Audience matches the SP entity ID
  • Recipient matches the ACS URL exactly (scheme/host/path)
  • NotOnOrAfter isn’t expired (check system time/NTP)
  • Required attributes (email/UPN/groups) are present and in expected formats

Common log patterns

Even if messages vary by vendor, errors often fall into these buckets:

  • Signature/certificate errors
  • “Signature validation failed”
  • “Unable to verify SAML response signature”
  • “Certificate not trusted / unknown key”
  • Audience / entity ID mismatch
  • “Invalid audience”
  • “AudienceRestriction validation failed”
  • ACS/recipient mismatch
  • “Recipient mismatch”
  • “Destination/ACS URL invalid”
  • Time validity
  • “Assertion expired”
  • “NotOnOrAfter condition failed”
  • User mapping
  • “No user found for NameID”
  • “Attribute ‘email’ missing”

Operationally, ensure you can correlate: - User identity (email/UPN) - SP application identifier - Assertion ID / request ID (InResponseTo) - Source IP / device context - IdP authentication method (MFA vs not)

When you’ll encounter SAML in real environments

SAML shows up wherever organizations want centralized authentication and access governance without each app storing passwords.

1) Workforce SSO for SaaS

  • Employees sign into apps using a corporate IdP.
  • Security teams enforce MFA and conditional access in one place.

2) B2B federation

  • A partner company authenticates their users with their own IdP, and your app (SP) trusts it.
  • Useful for vendor portals or shared services, but requires careful scoping (audience, attributes, provisioning).

3) Legacy or enterprise web apps

  • Many older enterprise systems support SAML 2.0 even if they don’t support newer protocols.
  • Common in mixed on‑prem and cloud environments.

4) Access governance and lifecycle

  • User attributes and group membership in SAML assertions can drive authorization decisions in the app.
  • Often paired with provisioning (SCIM or app-native) to align “who can log in” with “who exists.”

Admin and security checklist (what to prioritize)

  • Enforce MFA at the IdP for SAML apps, especially privileged apps
  • Minimize assertion lifetime and ensure NTP/time sync everywhere
  • Rotate IdP signing certificates safely
  • Prefer metadata-based trust where possible
  • Plan overlap periods (old + new cert) to prevent outages
  • Prefer signed assertions (and signed responses); consider encryption if sensitive attributes are included
  • Tight attribute release: only send required attributes; avoid oversharing groups or personal data
  • Monitor SSO anomalies: unusual IPs, impossible travel, repeated failures, newly added SP integrations

If you want to extend monitoring and response beyond the IdP/SP logs, many orgs pair identity controls with managed detection and response; see what is mdr for how MDR is typically defined and used.

For teams that need to secure remote access while keeping authentication centralized, a business VPN can complement identity controls (especially for admin workflows and untrusted networks). If you’re evaluating options, NordVPN is available here: Check NordVPN pricing →. For password hygiene alongside SSO (e.g., break-glass accounts, non-SAML apps, and admin credentials), 1Password is available here: Try 1Password →.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Related terms

SSO (Single Sign-On)

One login session grants access to multiple apps; SAML is a common SSO mechanism for browser-based enterprise apps.

IdP (Identity Provider)

Authenticates the user and issues SAML assertions.

SP (Service Provider)

Consumes assertions and creates an app session.

Federation

Trust relationship between systems/organizations to accept each other’s authentication.

Assertion

The signed token containing authentication info and attributes.

ACS URL (Assertion Consumer Service)

SP endpoint that receives the SAMLResponse.

Entity ID

Unique identifier for an IdP or SP in SAML metadata; mismatches commonly cause failures.

MFA (Multi-Factor Authentication)

Strong authentication enforced at the IdP for SAML logins.

SCIM

Provisioning standard often used alongside SAML (SAML handles login; SCIM handles user lifecycle).

OIDC / OAuth 2.0

More modern JSON-based standards often used for consumer and API use cases; many orgs use OIDC for new apps and SAML for legacy/enterprise SaaS.

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.