SAML, the Security Assertion Markup Language, is an XML-based standard for exchanging authentication and authorization information between security domains. It lets one system vouch for a user to another: an identity provider asserts that a user has been authenticated, and a service provider accepts that assertion instead of authenticating the user itself. SAML 2.0 was approved as an OASIS Standard on March 1, 2005, by the OASIS Security Services Technical Committee.
The core specification, “Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0,” defines the syntax and semantics for XML-encoded assertions about authentication, attributes, and authorization, together with the protocols that convey this information. An assertion is the central data structure: a signed XML statement, issued by an identity provider, that makes claims about a subject, such as that the subject authenticated at a particular time by a particular method, or that the subject has certain attributes.
SAML separates the parties into roles familiar in federated identity: the identity provider that authenticates users and issues assertions, and the service provider (or relying party) that consumes them. Trust between the two rests on XML digital signatures, so a service provider can verify that an assertion genuinely came from the expected identity provider and was not altered in transit. The standard also defines bindings that map its messages onto transport protocols such as HTTP.
The most influential application of SAML is web browser single sign-on. A user attempts to reach a service provider, is redirected to their identity provider to authenticate, and is then redirected back carrying a SAML assertion that logs them in, all without the service provider ever seeing a password. This made SAML the dominant mechanism for connecting employees to enterprise software-as-a-service applications.
SAML’s XML messages and signatures are heavier than the JSON-and-JWT design that later protocols favored. OpenID Connect, built on OAuth 2.0, became the preferred choice for new consumer and mobile applications, while SAML 2.0 remained deeply entrenched in enterprise environments, where its long deployment history and broad vendor support kept it in everyday use.