Skip to content

SAML

What is SAML

SAML (Security Assertion Markup Language) is an XML-based standard protocol for securely exchanging identity authentication and authorization information between an Identity Provider (IdP) and a Service Provider (SP).

Core Terminology

TermEnglishDescription
IdPIdentity ProviderIdentity provider that provides identity authentication services, such as BambooCloud IDaaS
SPService ProviderService provider that uses IdP identity management functions to provide specific services
SP-initiated SSOSP-initiated SSOSingle sign-on initiated by the service provider
IdP-initiated SSOIdP-initiated SSOSingle sign-on initiated by the identity provider

Core Capabilities of SAML

SAML provides a security assertion mechanism:

Assertion: a declaration about user identity issued by the IdP. It uses XML format to securely express that "a certain user has passed identity authentication".

After using SAML, the SP can directly contact the IdP to authenticate users attempting to access secure content without maintaining an independent user system.

Characteristics of SAML

Designed for Web Browser SSO

SAML was born to solve SSO problems in Web browser environments. It not only simplifies login steps, but also provides a common framework for different security systems.

Enterprise-Grade Security Standard

SAML supports the following security features:

  • Digital signatures: assertion information is digitally signed to prevent tampering
  • Encrypted transmission: sensitive information can be encrypted during transmission
  • Time window: assertions have a validity period and automatically expire
  • Audience restriction: assertions can specify they are only valid for a specific SP

Wide Enterprise Application

SAML is the de facto standard for enterprise application SSO and is natively supported by many commercial applications:

Salesforce, Office 365, Google Workspace, AWS, Workday, and others all support SAML protocol access.

SAML vs OIDC

ComparisonSAMLOIDC
Data formatXMLJSON
Transmission methodBrowser form postHTTP request
Best scenarioTraditional enterprise appsModern Web/mobile apps
Token sizeLarge (XML)Compact (JWT)

For modern applications, it is recommended to prioritize OIDC; for traditional enterprise Web applications, SAML remains a reliable choice.

SAML Diagram

SAML Flow

BambooCloud IDaaS Open Platform