SAML
What is SAML
SAML (Security Assertion Markup Language) is an XML-based standard protocol for securely exchanging identity authentication and authorization information between an Identity Provider (IdP) and a Service Provider (SP).
Core Terminology
| Term | English | Description |
|---|---|---|
| IdP | Identity Provider | Identity provider that provides identity authentication services, such as BambooCloud IDaaS |
| SP | Service Provider | Service provider that uses IdP identity management functions to provide specific services |
| SP-initiated SSO | SP-initiated SSO | Single sign-on initiated by the service provider |
| IdP-initiated SSO | IdP-initiated SSO | Single sign-on initiated by the identity provider |
Core Capabilities of SAML
SAML provides a security assertion mechanism:
Assertion: a declaration about user identity issued by the IdP. It uses XML format to securely express that "a certain user has passed identity authentication".
After using SAML, the SP can directly contact the IdP to authenticate users attempting to access secure content without maintaining an independent user system.
Characteristics of SAML
Designed for Web Browser SSO
SAML was born to solve SSO problems in Web browser environments. It not only simplifies login steps, but also provides a common framework for different security systems.
Enterprise-Grade Security Standard
SAML supports the following security features:
- Digital signatures: assertion information is digitally signed to prevent tampering
- Encrypted transmission: sensitive information can be encrypted during transmission
- Time window: assertions have a validity period and automatically expire
- Audience restriction: assertions can specify they are only valid for a specific SP
Wide Enterprise Application
SAML is the de facto standard for enterprise application SSO and is natively supported by many commercial applications:
Salesforce, Office 365, Google Workspace, AWS, Workday, and others all support SAML protocol access.
SAML vs OIDC
| Comparison | SAML | OIDC |
|---|---|---|
| Data format | XML | JSON |
| Transmission method | Browser form post | HTTP request |
| Best scenario | Traditional enterprise apps | Modern Web/mobile apps |
| Token size | Large (XML) | Compact (JWT) |
For modern applications, it is recommended to prioritize OIDC; for traditional enterprise Web applications, SAML remains a reliable choice.
SAML Diagram
