Glossary>SAML 2.0

SAML 2.0

An XML-based open standard for exchanging authentication and authorization data between an Identity Provider (IdP) and Service Provider (SP) using assertions.

OASIS Standard (2005)Enterprise SSO StandardSupported by Salesforce, Azure AD, Okta

What is SAML 2.0?

SAML 2.0 (Security Assertion Markup Language) is an XML-based open standard for exchanging authentication and authorization data between two parties: the Identity Provider (IdP) and the Service Provider (SP).

SAML uses assertions (XML documents) to pass identity information:

  • Authentication Assertion: Confirms the user has authenticated
  • Attribute Assertion: Provides user attributes (email, name, roles)
  • Authorization Assertion: Specifies what the user is allowed to do

SAML 2.0 is widely used in enterprise SSO scenarios, allowing employees to log in once at their corporate IdP (Okta, Azure AD) and access multiple applications (Salesforce, Workday, Slack) without re-authenticating.

Analogy

Think of SAML like a hotel key card system. The front desk (Identity Provider) verifies your ID and gives you a key card (assertion). You then use that key card to access your room, gym, and pool (Service Providers) without showing your ID again at each place.

Types and Use Cases

  • Enterprise SSO: Employees log in once via Okta/Azure AD and access Salesforce, Workday, Slack
  • B2B Portals: Partners use their corporate credentials to access vendor portals via SAML
  • Cloud Applications: SaaS apps (Concur, ServiceNow) integrate with corporate IdP via SAML
  • Higher Education: Universities use SAML for Single Sign-On across campus systems

How it Works

1
User attempts to access Service Provider (e.g., Salesforce)
2
SP redirects user to Identity Provider (e.g., Okta) with SAML AuthnRequest
3
User authenticates with IdP (username/password, MFA)
4
IdP generates SAML Assertion (XML) and posts it back to SP via browser
5
SP validates the SAML assertion signature and logs user in
terminal
<!-- SAML Assertion Example -->
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="_8e8dc5f69a98cc4c1ff3421e5ce34605"
                 IssueInstant="2023-01-15T12:00:00Z"
                 Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
      user@company.com
    </saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>user@company.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstName">
      <saml:AttributeValue>John</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>

SAML 2.0 vs OpenID Connect (OIDC)

SAML 2.0
OpenID Connect (OIDC)

SAML 2.0 uses XML and POST bindings

OIDC uses JSON and REST APIs (modern, simpler)

SAML is enterprise-focused (older, complex)

OIDC is consumer + enterprise (newer, simpler)

SAML works via browser redirects/POST

OIDC works via authorization code flow (more flexible)

Best Practices for SAML 2.0

  • Validate signatures: Always verify the SAML assertion signature using the IdP's public certificate
  • Check timestamps: Validate NotBefore and NotOnOrAfter to prevent replay attacks
  • Use HTTPS only: SAML assertions travel via browser - always use HTTPS to prevent interception

How LoginRadius Powers SAML 2.0

LoginRadius CIAM platform provides comprehensive SAML 2.0 support. As a Service Provider, LoginRadius can connect to your enterprise IdP (Okta, Azure AD, Ping) via SAML for employee authentication. As an Identity Provider, LoginRadius can issue SAML assertions for your customers to access third-party SaaS applications. Our platform handles SAML metadata, certificate management, assertion signing/validation, and supports both IdP-initiated and SP-initiated flows. LoginRadius also provides SAML test tools and detailed SAML logs for troubleshooting.

Resources

Documentation

View Authentication Docs

Blog

SAML Provider

FAQs

Yes, SAML 2.0 is still widely used in enterprise environments. Many established enterprises have SAML integrations with vendors (Salesforce, Workday, etc.) that they don't want to replace. However, new implementations typically choose OIDC because: (1) JSON is easier than XML, (2) Better mobile support, (3) Simpler implementation. Many organizations support both SAML and OIDC.

Identity Provider (IdP) is the system that authenticates the user and issues SAML assertions (e.g., Okta, Azure AD, LoginRadius). Service Provider (SP) is the application that consumes the SAML assertion to log the user in (e.g., Salesforce, Workday, Slack). The IdP 'proves who you are', the SP 'grants you access to the app'.

LoginRadius supports SAML 2.0 in two ways: (1) As a Service Provider (SP) - connect to your corporate IdP (Okta, Azure AD) via SAML for employee SSO, (2) As an Identity Provider (IdP) - allow your customers to use LoginRadius as their IdP to access third-party apps via SAML. LoginRadius provides SAML metadata endpoints, certificate management, and supports both IdP-initiated and SP-initiated flows.

Related Terms

identity provider idpservice provider spsso

Customer Identity, Simplified.

No Complexity. No Limits.
Thousands of businesses trust LoginRadius for reliable customer identity. Easy to integrate, effortless to scale.

See how simple identity management can be. Start today!
Free Trial
Contact Sales