SAML
Definition
Security Assertion Markup Language - a standard protocol for securely exchanging authentication and authorization data between identity providers and
Use Cases
- Salesforce: Enterprise single sign-on to Salesforce for employees using a corporate identity provider — Salesforce supports SAML 2.0 SSO where the customer’s IdP (commonly Microsoft Entra ID/AD FS/Okta) issues SAML assertions to Salesforce as the service provider, enabling centralized authentication and optional just-in-time user provisioning depending on the setup. (Reduces password sprawl, centralizes access control and MFA at the IdP, and simplifies onboarding/offboarding by managing access from one identity system.)
- Amazon Web Services (AWS): Workforce access to the AWS Management Console using corporate credentials — Organizations commonly configure SAML federation from a corporate IdP (such as Microsoft Entra ID or AD FS) to AWS (via IAM roles for SAML or via AWS IAM Identity Center), allowing users to sign in with corporate identity and assume role-based permissions in AWS accounts. (Improves security with centralized authentication and MFA, enforces least-privilege access through role mapping, and streamlines account access without creating long-lived IAM users for employees.)
- Microsoft: Single sign-on to thousands of SaaS applications for enterprise users — Microsoft Entra ID provides a SAML-based application gallery and custom SAML app integrations, acting as the IdP to issue SAML assertions to SaaS service providers and enabling conditional access policies and MFA at sign-in. (Enables consistent access policies across apps, reduces help-desk password reset volume, and improves user experience with one set of credentials.)
Provider Equivalents
- AWS: AWS IAM Identity Center
- Azure: Microsoft Entra ID
- GCP: Cloud Identity
- OCI: OCI IAM Identity Domains
Frequently Asked Questions
- What's the difference between SAML and OAuth 2.0?
- SAML is mainly used for single sign-on (SSO) and exchanging authentication information (who the user is) between an identity provider and an application, typically in enterprise web SSO. OAuth 2.0 is mainly used for authorization (what an app is allowed to do) by granting access tokens to call APIs. In practice, SAML is common for workforce SSO to SaaS apps, while OAuth 2.0 (often with OpenID Connect) is common for modern app sign-in and API access.
- When should I use SAML for SSO?
- Use SAML when you need enterprise-grade SSO between a central identity provider (like Entra ID, AD FS, Okta, Ping) and a web-based service provider that supports SAML—especially for workforce access to SaaS apps and partner applications. It’s a strong fit when you want centralized MFA and access policies enforced at the IdP, when you need role/group-based access mapping, and when you’re integrating with established enterprise software that already supports SAML 2.0.
- How much does SAML cost?
- SAML itself is a free open standard—there’s no licensing fee to use the protocol. Costs come from the products and services you use to implement it (your identity provider, any SSO platform, and possibly premium features like conditional access, advanced MFA, or identity governance). Some SaaS apps include SAML SSO only in higher-tier plans, and some IdPs charge per user or per feature.
Category: security
Difficulty: advanced