SAML (Security Assertion Markup Language): Definition, Flow, and Where You’ll See It
SAML (Security Assertion Markup Language) is an open standard that allows an Identity Provider (IdP) to authenticate a user and send a signed assertion to a Service Provider (SP). The SP then creates an authenticated session for the user—typically without the user entering a separate password in the SP.
SAML (Security Assertion Markup Language) is an XML-based standard that enables SSO (Single Sign-On) by letting an Identity Provider (IdP) authenticate a user and send a signed assertion to a Service Provider (SP). In most enterprises, SAML is the “glue” that connects a central workforce identity system to SaaS apps—so users sign in once, and apps rely on the IdP’s decision.
Because SAML sits on the critical path of authentication, treat it like a high-value security integration: enforce MFA at the IdP, lock down certificates, and monitor sign-in and SSO logs.
How SAML works (SSO and federation)
SAML is a form of federation: the application you’re trying to access (the SP) trusts an external identity system (the IdP) to authenticate users. Instead of the app managing passwords, it relies on SAML assertions from the IdP, typically delivered via the user’s browser.
A SAML integration usually includes:
- Trust configuration: exchanging metadata (URLs, entity IDs, and signing certificates)
- Browser redirects/posts: moving the user between SP and IdP
- Signed (and sometimes encrypted) assertions: proving who the user is and which attributes they have
- Policy enforcement at the IdP: MFA, conditional access, and account lifecycle controls
The actors and artifacts
- Identity Provider (IdP): Authenticates the user (passwordless, MFA, etc.) and issues SAML assertions
- Service Provider (SP): The app that consumes the assertion and grants access
- SAML assertion: An XML document stating “this user authenticated,” often including attributes (email, groups)
- Metadata: XML documents describing endpoints and certificates
- SP metadata: ACS URL (where to send assertions), SP entity ID, signing requirements
- IdP metadata: SSO URL, IdP entity ID, signing certificate, optional SLO endpoint
Typical SAML SSO flows
There are two common starting points.
1) SP-initiated SSO (most common)
- User visits the application (SP).
- SP generates a SAML AuthnRequest and redirects the browser to the IdP’s SSO endpoint.
- IdP authenticates the user (or uses an existing IdP session) and applies MFA/conditional access.
- IdP posts a SAMLResponse (with an assertion) back to the SP’s ACS (Assertion Consumer Service) URL—commonly via an auto-submitting HTML form.
- SP validates the assertion and creates an application session.
2) IdP-initiated SSO
- User starts in an IdP portal/app launcher.
- IdP directly posts a SAMLResponse to the SP’s ACS URL.
- SP validates and logs the user in.
IdP-initiated SSO can be convenient, but SP-initiated is often easier to reason about for security and troubleshooting because the response is tied to a specific request.
What the service provider must validate (non-negotiable)
SAML security depends heavily on the SP enforcing strict checks. At minimum, validate:
- XML signature: The assertion and/or response is signed by the IdP’s trusted certificate
- Issuer: The assertion came from the expected IdP entity ID
- Audience restriction: The assertion is intended for this SP (helps prevent token reuse elsewhere)
- Recipient / ACS URL: The response is delivered to the expected endpoint (exact match for scheme/host/path)
- Time conditions:
NotBefore/NotOnOrAfterare valid (allow minimal clock skew) - InResponseTo (especially for SP-initiated): prevents replay/unsolicited assertion acceptance
- NameID / subject mapping: maps to the correct local account (or aligns with just-in-time provisioning rules)
If you’re building or hardening a broader security program around identity, also consider how you detect downstream indicators of account misuse—understanding what an IOC is can help teams correlate suspicious SSO activity with other signals: what is an ioc.
What a SAML assertion looks like (high-level)
<saml:Assertion>
<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
alice@example.com
</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"
NotOnOrAfter="2026-05-16T12:34:56Z" InResponseTo="_abc123"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2026-05-16T12:29:56Z" NotOnOrAfter="2026-05-16T12:34:56Z">
<saml:AudienceRestriction>
<saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="groups"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Troubleshooting SAML with a captured SAMLResponse
When SAML breaks, most issues come down to configuration mismatch (entity IDs/URLs/certs), time drift, or attribute mapping.
A quick way to inspect a SAMLResponse:
1) Base64-decode it
2) (Optionally) pretty-print the XML
# If you copied the SAMLResponse value (base64) from a browser plugin or logs:
python3 - <<'PY'
import base64, sys
b64 = sys.stdin.read().strip()
print(base64.b64decode(b64 + "===" ).decode("utf-8", errors="replace"))
PY
What to look for in the decoded XML
Issuermatches the configured IdPAudiencematches the SP entity IDRecipientmatches the ACS URL exactly (scheme/host/path)NotOnOrAfterisn’t expired (check system time/NTP)- Required attributes (email/UPN/groups) are present and in expected formats
Common log patterns
Even if messages vary by vendor, errors often fall into these buckets:
- Signature/certificate errors
- “Signature validation failed”
- “Unable to verify SAML response signature”
- “Certificate not trusted / unknown key”
- Audience / entity ID mismatch
- “Invalid audience”
- “AudienceRestriction validation failed”
- ACS/recipient mismatch
- “Recipient mismatch”
- “Destination/ACS URL invalid”
- Time validity
- “Assertion expired”
- “NotOnOrAfter condition failed”
- User mapping
- “No user found for NameID”
- “Attribute ‘email’ missing”
Operationally, ensure you can correlate:
- User identity (email/UPN)
- SP application identifier
- Assertion ID / request ID (InResponseTo)
- Source IP / device context
- IdP authentication method (MFA vs not)
When you’ll encounter SAML in real environments
SAML shows up wherever organizations want centralized authentication and access governance without each app storing passwords.
1) Workforce SSO for SaaS
- Employees sign into apps using a corporate IdP.
- Security teams enforce MFA and conditional access in one place.
2) B2B federation
- A partner company authenticates their users with their own IdP, and your app (SP) trusts it.
- Useful for vendor portals or shared services, but requires careful scoping (audience, attributes, provisioning).
3) Legacy or enterprise web apps
- Many older enterprise systems support SAML 2.0 even if they don’t support newer protocols.
- Common in mixed on‑prem and cloud environments.
4) Access governance and lifecycle
- User attributes and group membership in SAML assertions can drive authorization decisions in the app.
- Often paired with provisioning (SCIM or app-native) to align “who can log in” with “who exists.”
Admin and security checklist (what to prioritize)
- Enforce MFA at the IdP for SAML apps, especially privileged apps
- Minimize assertion lifetime and ensure NTP/time sync everywhere
- Rotate IdP signing certificates safely
- Prefer metadata-based trust where possible
- Plan overlap periods (old + new cert) to prevent outages
- Prefer signed assertions (and signed responses); consider encryption if sensitive attributes are included
- Tight attribute release: only send required attributes; avoid oversharing groups or personal data
- Monitor SSO anomalies: unusual IPs, impossible travel, repeated failures, newly added SP integrations
If you want to extend monitoring and response beyond the IdP/SP logs, many orgs pair identity controls with managed detection and response; see what is mdr for how MDR is typically defined and used.
Recommended tools (optional, practical)
For teams that need to secure remote access while keeping authentication centralized, a business VPN can complement identity controls (especially for admin workflows and untrusted networks). If you’re evaluating options, NordVPN is available here: Check NordVPN pricing →. For password hygiene alongside SSO (e.g., break-glass accounts, non-SAML apps, and admin credentials), 1Password is available here: Try 1Password →.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
Related terms
One login session grants access to multiple apps; SAML is a common SSO mechanism for browser-based enterprise apps.
Authenticates the user and issues SAML assertions.
Consumes assertions and creates an app session.
Trust relationship between systems/organizations to accept each other’s authentication.
The signed token containing authentication info and attributes.
SP endpoint that receives the SAMLResponse.
Unique identifier for an IdP or SP in SAML metadata; mismatches commonly cause failures.
Strong authentication enforced at the IdP for SAML logins.
Provisioning standard often used alongside SAML (SAML handles login; SCIM handles user lifecycle).
More modern JSON-based standards often used for consumer and API use cases; many orgs use OIDC for new apps and SAML for legacy/enterprise SaaS.