
SAML

An XML-based open standard for exchanging authentication and authorization data between an identity provider and a service provider, widely used in enterprise SSO.

Also known as: SAML 2.0, Security Assertion Markup Language, SAML SSO

Description

Security Assertion Markup Language (SAML) 2.0 is an XML-based framework for exchanging authentication and authorization information between parties, primarily between an identity provider (IdP) and a service provider (SP). SAML uses XML assertions -- signed documents that contain statements about a user's identity, attributes, and authentication status. It is the dominant SSO protocol in enterprise environments, supported by identity providers like Okta, Azure AD, OneLogin, and ADFS.

The SAML Web Browser SSO profile defines the most common flow: the user accesses the SP, which generates an AuthnRequest and redirects the user's browser to the IdP. The IdP authenticates the user (or recognizes an existing session), constructs a SAML Response containing one or more Assertions with identity claims, signs it with the IdP's private key, and POSTs it back to the SP's Assertion Consumer Service (ACS) URL. The SP validates the signature, checks conditions (audience, time validity, recipient), extracts the NameID and attributes, and establishes a local session.

SAML security is paramount -- XML signature wrapping attacks, assertion replay, and improper validation are common vulnerabilities. Always validate the entire XML signature chain (not just check for presence), verify that the signed element is the one you process (prevent wrapping attacks), check InResponseTo matches the original request ID, enforce time constraints with clock skew tolerance, and validate the Destination and Audience restriction. Use well-maintained libraries rather than implementing SAML parsing from scratch. SAML's verbosity and complexity compared to OIDC mean it is gradually being replaced for new applications, but remains essential for enterprise integration.

Prompt Snippet

Implement SAML 2.0 SP using passport-saml (Node.js) or python3-saml. Configure the SP with the IdP's metadata (SSO URL, X.509 certificate, entity ID). Expose the ACS endpoint at /auth/saml/callback and metadata at /auth/saml/metadata. Validate SAML responses by checking XML signature validity against the IdP certificate, verifying InResponseTo matches the stored AuthnRequest ID, checking Audience matches your SP entity ID, and enforcing NotBefore/NotOnOrAfter with 60-second clock skew tolerance. Extract NameID and custom attributes (email, groups, department) for JIT user provisioning. Store AuthnRequest IDs in Redis with TTL to prevent replay.
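The validation steps listed in the description and in the prompt snippet above, as an added example that is not part of this page or of passport-saml/python3-saml: it assumes the library has already verified the XML signature against the IdP certificate and shows the checks that still belong to the SP (Destination, one-time InResponseTo, the signed element being the one processed, Conditions with 60-second skew, Audience). The SP URLs, request ID, assertion ID and the sample Response are constructed.

```python
# Added example (not the page's code): post-signature SP checks on a SAML 2.0 Response; sample data constructed.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SKEW = timedelta(seconds=60)  # clock-skew tolerance
def parse_ts(s):  # SAML UTC timestamp such as 2024-01-01T12:00:00Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, sp_entity_id, acs_url, pending_request_ids, now):
    """Return (True, NameID) or (False, reason). pending_request_ids holds the AuthnRequest
    IDs we issued (Redis set with TTL in production); a consumed ID is removed (anti-replay)."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        return False, "Destination does not match our ACS URL"
    req_id = root.get("InResponseTo")
    if req_id not in pending_request_ids:
        return False, "InResponseTo unknown or already consumed"
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False, "expected exactly one Assertion"
    a, aid = assertions[0], assertions[0].get("ID", "")
    # Wrapping defence: the Signature must reference the Assertion we process,
    # and that ID must occur exactly once in the whole document.
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + aid:
        return False, "Signature does not reference the processed Assertion"
    if len(root.findall(f".//*[@ID='{aid}']")) != 1:
        return False, "duplicate Assertion ID"
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    if not (parse_ts(cond.get("NotBefore")) - SKEW <= now < parse_ts(cond.get("NotOnOrAfter")) + SKEW):
        return False, "Assertion outside NotBefore/NotOnOrAfter window"
    if sp_entity_id not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return False, "Audience does not include our entity ID"
    pending_request_ids.discard(req_id)  # one-time use blocks replay
    return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS)

SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" InResponseTo="_req42" Destination="https://sp.example.test/auth/saml/callback">
 <saml:Assertion ID="_a1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
```

In a real SP the same Response is first passed to the library's signature verification; these checks are the reason a valid signature alone is not enough.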

Tags

saml, xml, enterprise, sso, assertions, federation