SAML Protocol: Role in Enterprise Identity Security
Security Assertion Markup Language (SAML) is an XML-based open standard that governs the exchange of authentication and authorization data between identity providers and service providers across enterprise environments. The protocol underpins a significant share of federated authentication infrastructure in US organizations, particularly in sectors subject to NIST and FISMA-aligned identity management requirements. This page describes how SAML functions as a protocol, the scenarios in which it operates, and the architectural boundaries that determine when it applies versus when alternative standards are more appropriate.
Definition and scope
SAML is defined and maintained by the Organization for the Advancement of Structured Information Standards (OASIS), which published SAML 2.0 — the version in dominant enterprise use — in March 2005. The OASIS Security Services Technical Committee maintains the normative specifications, including the SAML 2.0 core schema, bindings, and profiles documents.
Within the scope of identity and access management (IAM), SAML operates as a trust assertion format: it enables one party (the identity provider, or IdP) to assert to another party (the service provider, or SP) that a given user has been authenticated and holds specific attributes. The assertion is cryptographically signed using XML Digital Signatures, which allows the service provider to verify the assertion's integrity without maintaining a direct session connection to the identity provider.
SAML 2.0 defines three core assertion types:
- Authentication assertions — confirm that the subject authenticated to the IdP at a specific time using a specified method.
- Attribute assertions — convey named attributes about the subject (e.g., department, role, clearance level).
- Authorization decision assertions — indicate whether the subject is permitted to access a specific resource.
Federal use of SAML is addressed in NIST Special Publication 800-63C, Federation and Assertions (NIST SP 800-63C), which classifies assertion-based federation at three assurance levels and sets technical requirements for assertion strength, encryption, and replay prevention.
How it works
A standard SAML 2.0 Web Browser SSO exchange follows a structured redirect flow. The most common binding is HTTP-POST, though HTTP-Redirect and Artifact bindings are also defined by the OASIS specification.
The sequence of a SAML authentication event proceeds through five discrete phases:
- Resource request — The user's browser requests access to a protected resource at the service provider. The SP has no active session for the user.
- Authentication request (AuthnRequest) — The SP generates a signed XML AuthnRequest and redirects the browser to the IdP's single sign-on endpoint, encoding the request via the applicable SAML binding.
- Identity provider authentication — The IdP authenticates the user through its configured mechanism (password, multi-factor authentication, certificate, etc.) and evaluates applicable policy.
- Assertion issuance — The IdP constructs a signed SAML Response containing one or more assertions. The response is transmitted to the SP's Assertion Consumer Service (ACS) URL via the browser, typically as an HTTP POST with a Base64-encoded payload.
- Session establishment — The SP validates the assertion's signature, checks the audience restriction, verifies the NotOnOrAfter timestamp to prevent replay, and creates a local session for the authenticated user.
The entire exchange occurs through the user's browser as an intermediary; the IdP and SP do not communicate directly in the standard Web Browser SSO profile. This architecture is central to federated identity management across organizational boundaries, where direct back-channel communication between parties may be restricted.
Common scenarios
SAML 2.0 is most prevalent in three deployment contexts within enterprise identity infrastructure:
Enterprise single sign-on — SAML is the foundational protocol for single sign-on (SSO) across SaaS applications in corporate environments. An employee authenticates once to a corporate IdP (such as an enterprise directory connected through Active Directory Federation Services or a cloud IdP), and SAML assertions grant access to third-party applications — HR systems, collaboration platforms, ERP portals — without re-authentication.
Cross-organizational federation — Government agencies, healthcare networks, and higher education consortia use SAML to federate identity across institutional boundaries. The InCommon Federation, operated by Internet2, federates over 1,000 US higher education and research institutions using SAML 2.0 metadata exchange, enabling researchers to authenticate to partner systems with home-institution credentials.
Regulated-sector compliance authentication — In sectors subject to HIPAA, FedRAMP, and FISMA, SAML assertions carry attribute data that enforcement systems use to make access control decisions. Under FedRAMP requirements, cloud services used by federal agencies must support identity federation consistent with NIST SP 800-63 assurance levels, which SAML 2.0 can satisfy at Federation Assurance Level 2 (FAL2) when assertions are encrypted in addition to being signed.
Decision boundaries
SAML 2.0 is not universally appropriate. Its design reflects early 2000s web architecture — XML verbosity, browser-intermediated flows, and limited native mobile support — which creates meaningful friction in environments where OAuth 2.0 and OpenID Connect (OIDC) are better suited.
The critical distinctions between SAML and OAuth/OpenID Connect for identity architects:
| Dimension | SAML 2.0 | OAuth 2.0 / OIDC |
|---|---|---|
| Data format | XML | JSON / JWT |
| Primary use | Enterprise SSO, federation | API authorization, mobile auth |
| Mobile support | Limited (browser-dependent) | Native |
| Adoption era | Enterprise legacy, government | Cloud-native, consumer |
| Assertion transport | Browser POST | Token endpoint (back-channel) |
Organizations running hybrid identity environments — where on-premises systems use SAML-integrated directories and cloud-native workloads use OIDC — typically operate both protocols in parallel, with the IdP acting as a bridge.
SAML is the appropriate choice when the service provider is a SAML-only enterprise application, when regulatory profiles explicitly require SAML assertion formats, or when integrating with federation ecosystems — such as federal agency identity bridges — that mandate SAML metadata exchange. It is not appropriate as the sole protocol where zero trust identity model architectures require continuous, fine-grained token validation at the API layer, where OIDC's token refresh mechanisms and introspection endpoints provide superior operational control.
SAML vulnerabilities — including XML signature wrapping attacks and assertion replay — are documented in OASIS security advisories and addressed through implementation requirements in NIST SP 800-63C, including mandatory audience restriction validation and assertion time-bound controls. Organizations with active SAML deployments should map their configurations against identity security compliance frameworks to confirm alignment with current federal and sector-specific standards.
References
- OASIS SAML 2.0 Core Specification — Organization for the Advancement of Structured Information Standards
- NIST SP 800-63C: Federation and Assertions — National Institute of Standards and Technology
- NIST SP 800-63: Digital Identity Guidelines (Overview) — National Institute of Standards and Technology
- CISA Zero Trust Maturity Model v2.0 — Cybersecurity and Infrastructure Security Agency
- FedRAMP Authorization Boundary Guidance — General Services Administration / FedRAMP PMO
- InCommon Federation — Internet2