SAML Explained
Last Updated: January 10, 2026
If you have ever logged into a corporate application using your company's credentials, you have probably used SAML without even knowing it.
That seamless experience where you sign in once in the morning and then access Salesforce, Jira, Slack, and a dozen other tools without seeing another login screen? SAML is often the protocol making that happen behind the scenes.
SAML (Security Assertion Markup Language) has been the backbone of enterprise single sign-on (SSO) for over two decades. It first appeared in 2002, and the widely-adopted SAML 2.0 specification arrived in 2005.
While newer protocols like OpenID Connect have gained significant ground in consumer applications and modern architectures, SAML remains deeply entrenched in enterprise environments.
In this chapter, we will cover:
- What is SAML and why does it exist?
- The key players in SAML authentication
- How the SAML flow works step-by-step
- Understanding SAML Assertions
- SAML Bindings and their trade-offs
- SP-Initiated vs IdP-Initiated SSO
- Security considerations and best practices
- SAML vs OAuth 2.0 vs OpenID Connect
- Common implementation mistakes