SAML 2.0
An XML-based federation standard for exchanging authentication and authorization assertions between an identity provider and a service provider, dominant in enterprise SSO.
Security Assertion Markup Language (SAML) 2.0 is a protocol for exchanging authentication and authorization data between parties, primarily used in enterprise single sign-on. The flow involves three actors: the Principal (user), the Identity Provider (IdP, e.g., Okta, ADFS), and the Service Provider (SP, the application). The user authenticates at the IdP, which generates a signed XML assertion containing identity and attribute claims. The SP validates the assertion's signature, checks conditions (audience, time), and creates a local session. SAML uses XML digital signatures and operates over HTTP POST or Redirect bindings.
Security Model
SAML security relies on XML digital signatures to ensure assertion integrity and authenticity. Trust is established through pre-exchanged metadata containing signing certificates. Security depends on correct XML signature validation (resistant to wrapping attacks), audience restriction enforcement, time condition checking, and replay prevention via assertion ID tracking. The IdP's signing key is the root of trust.
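The service-provider-side checks described above, as an added Python 3 example that is not code from the original page: it verifies that the signature's Reference points at the very assertion being consumed (the basic wrapping defence), the NotBefore/NotOnOrAfter window, the audience restriction, and replay prevention via assertion ID tracking. It assumes the cryptographic XML-DSig verification has already been done on this same element by a signature library; the sample assertion, issuer, audience and NameID values are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample assertion. The SignatureValue is omitted: verifying the
# cryptographic signature is assumed to be done by an XML-DSig library first.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_abc123" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#_abc123"/></ds:SignedInfo>
  </ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_audience, now, seen_ids):
    """Return (name_id, None) if the assertion's conditions hold, else (None, reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        return None, "root element is not an Assertion"
    if root.find(".//saml:Assertion", NS) is not None:
        return None, "nested Assertion found (possible wrapping)"
    aid = root.get("ID")
    # Wrapping defence: the signature must be a direct child of this Assertion
    # and its Reference must point at this very Assertion's ID.
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != f"#{aid}":
        return None, "signature does not cover this assertion"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None, "missing Conditions"
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        return None, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return None, "audience mismatch"
    if aid in seen_ids:
        return None, "replayed assertion ID"
    seen_ids.add(aid)  # replay cache; in production a shared store with expiry
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS), None
```

A real deployment also needs the Issuer checked against the trusted IdP from metadata and the replay cache bounded by NotOnOrAfter.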
Implementation
high complexity
User Experience
Similar to OIDC -- users are redirected to their corporate login page, authenticate (possibly with MFA), and are redirected back to the application. The redirect flow is slightly slower than OIDC due to larger payloads. Users benefit from SSO across all enterprise applications configured with the same IdP.
Platform Examples
Okta
Supports both IdP and SP roles. Provides a catalog of pre-configured SAML integrations for thousands of SaaS apps. Handles attribute mapping and JIT provisioning.
Microsoft ADFS
On-premises SAML IdP for Active Directory. Widely deployed in enterprises. Supports claims rules for attribute transformation and conditional access.
Salesforce
Supports SAML as both IdP and SP. Enterprise customers configure SSO via SAML to their corporate IdP. Supports encrypted assertions and JIT user provisioning.
AWS IAM
Supports SAML federation for console access and API credentials. Users authenticate via corporate IdP and assume IAM roles based on SAML attributes.
Tradeoffs
Strengths
- Mature enterprise standard with 20 years of deployment history
- Rich assertion model with authentication context and fine-grained attributes
- Supported by all major enterprise identity providers
- Well-understood security model with established best practices
- Federation between organizations is well-defined
Weaknesses
- XML-based format is verbose, complex, and error-prone
- XML signature validation is a frequent source of security vulnerabilities
- Poor mobile support (XML parsing on mobile is heavyweight)
- Manual metadata exchange makes multi-tenant configuration cumbersome
- Single Logout is unreliable in practice
- Steep learning curve compared to OIDC
Likely Follow-Up Questions
- How does SAML compare to OIDC? When would you choose one over the other?
- Explain the SAML assertion structure and what each section contains.
- What are XML signature wrapping attacks and how do you prevent them?
- How would you implement enterprise SSO for a multi-tenant SaaS application?
- What challenges arise when migrating from SAML to OIDC?
- How does Single Logout work in SAML and why is it unreliable?
Source: editorial — SAML 2.0 deep dive covering enterprise SSO, XML signature security, B2B integration, and OIDC migration for interview preparation.