securitynetwork-plusBeginner23 min read

What Is Security Assertion Markup Language? Security Definition

Also known as: Security Assertion Markup Language, SAML definition, SAML vs OAuth, SAML SSO, SAML Security+

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

Security Assertion Markup Language is a way for one system to tell another system who a user is and what they are allowed to do, without the second system needing to store the user's password. Think of it like a digital ID card that a security guard checks before letting you into a building. The guard trusts the card because it was issued by a trusted office. SAML lets different websites and apps trust each other about user identities.

Must Know for Exams

SAML appears in both the CompTIA Security+ and CompTIA Network+ certification exams, though the depth of coverage differs. For Security+, SAML is covered under Exam Objective 3.7, which deals with secure authentication and authorisation protocols. Candidates are expected to understand SAML as a federation protocol that enables single sign-on (SSO) across multiple systems. The exam typically tests the difference between SAML, OAuth, and OpenID Connect, and may ask scenario-based questions about which protocol to use in a given situation.

For Network+, SAML appears under Objective 2.4, which covers authentication methods and identity management. The focus is on understanding that SAML operates at the application layer (Layer 7) of the OSI model and that it uses XML for data exchange. Network+ questions might ask about the role of the identity provider and service provider, or about the security considerations of transmitting SAML assertions over a network.

In both exams, you do not need to memorise the XML structure or specific configuration steps. Instead, you need to know the core concepts: that SAML provides SSO, that it uses digital signatures for integrity, that it involves an IdP and an SP, and that it is a standard for identity federation. Exam questions often present a scenario where a company wants users to log in once and access multiple cloud applications. You must identify SAML as the appropriate protocol. Another common question type asks you to compare SAML with OAuth, where the key difference is that SAML is primarily for authentication (who you are) while OAuth is for authorisation (what you can do), though in practice there is overlap.

Some questions may test your understanding of SAML security features. For example, you might be asked how SAML prevents replay attacks. The answer is that SAML assertions include timestamps and a NotBefore/NotOnOrAfter validity window, and the SP checks these timestamps. You might also be asked about the importance of exchanging certificates between IdP and SP to establish trust.

Simple Meaning

Imagine you work for a company that uses many different online services, like an email system, a project management tool, and a payroll website. Without SAML, you would need a separate username and password for each of those services. You would have to log in to each one individually, and each service would need to store your password securely.

SAML changes this by creating a single login point, often called an identity provider. When you log in to the identity provider (for example, your company's main login portal), that provider creates a special digital document called a SAML assertion. This assertion is like a digital ID card that contains your name, a timestamp, and what systems you are allowed to access. When you then try to use the project management tool, that tool asks the identity provider for this digital ID card. The identity provider gives it to the project management tool, which checks the card's signature to make sure it is genuine. If everything is valid, you are allowed into the project management tool without needing to log in again.

This is called single sign-on, or SSO. SAML is one of the main technologies that makes SSO work across different companies and services on the internet. It uses XML (a structured text format) to write the digital ID cards, and it uses digital signatures and sometimes encryption to keep the information secure. The identity provider and the service provider agree on how to exchange these assertions ahead of time, so that trust is established before any login happens.

Full Technical Definition

SAML is an XML-based open standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). It is defined by the OASIS Security Services Technical Committee and is currently at version 2.0, which is the most widely adopted version. The core concept is that the IdP authenticates the user and produces a SAML assertion, which is an XML document that contains statements about the user's identity, attributes, and permissions.

The SAML assertion comes in three main types: authentication statements (confirming the user logged in), attribute statements (providing details like email or role), and authorization decision statements (granting or denying access to a resource). The assertion is digitally signed using XML Signature, which ensures the SP can verify that the assertion really came from the trusted IdP and was not tampered with. Optionally, the assertion can also be encrypted using XML Encryption to protect sensitive data in transit.

SAML supports several different communication flows, called bindings. The most common is the Web Browser SSO Profile, where the user's browser is used to relay the assertion. In this flow, the user first attempts to access a resource at the SP. The SP redirects the user to the IdP with an authentication request. The user authenticates at the IdP (for example, by entering a password and a second factor). The IdP then generates a SAML assertion and sends it back to the user's browser, often via an HTTP POST form or a redirect. The browser forwards the assertion to the SP, which validates the signature, checks the timestamps, and grants access.

Other bindings include the Artifact Resolution profile (which uses a short reference called an artifact instead of the full assertion) and the Single Logout profile (which allows a user to sign out of all services at once). SAML also defines metadata documents that IdPs and SPs exchange to configure trust, including certificates, endpoints, and supported bindings. In real-world IT environments, SAML is implemented in products like Microsoft Active Directory Federation Services, Okta, Ping Identity, and many cloud-based applications. Configuration involves setting up a trust relationship between the IdP and SP by exchanging metadata and certificates.

Real-Life Example

Think of a large office building that has many different departments, each with its own locked door. You work for the company, but you need access to the accounting department, the IT server room, and the break room. Without a central system, you would need a separate key for each door. You would have to visit each department separately to get a key, and each department would have to verify your identity each time.

Now imagine that the company installs a central security desk in the lobby. When you arrive in the morning, you show your company ID badge to the security guard at the desk. The guard checks your identity against the company's employee database, takes your photo, and issues you a special electronic badge that contains a chip. This badge is your SAML assertion. The chip stores your name, your employee ID, and a list of doors you are allowed to open. The badge is digitally signed with the security desk's secret key, so no one can forge it.

When you walk to the accounting department's door, you tap your badge on the reader. The reader (the service provider) reads the chip, sees the security desk's signature, and trusts that the badge is valid because it was issued by the central desk. The reader checks the badge's list of permissions and sees that you are allowed to enter accounting. The door unlocks. You do not need to log in again because the badge already proves who you are. If the security desk later updates your permissions (for example, granting you access to the IT server room), you do not need a new badge; your existing badge can be reissued with updated permissions the next time you visit the desk. This mirrors how SAML works: the IdP issues an assertion, the SP trusts it because of the digital signature, and the user does not need separate credentials for each service.

Why This Term Matters

SAML matters in real IT work because it solves a fundamental problem: how to manage user identities across many different systems without requiring users to remember dozens of passwords. In a typical enterprise, employees use email, customer relationship management software, human resources systems, file storage, and dozens of other applications. Without SAML, IT administrators would have to create and manage user accounts in every single system. When an employee leaves, they would need to be removed from every system individually, which is time-consuming and error-prone.

With SAML, the identity provider becomes a single point of control. When a new employee is hired, the IT team creates one account in the IdP. That employee can then access all SAML-enabled applications with a single login. When an employee leaves, disabling the account in the IdP immediately blocks access to all connected services. This dramatically reduces administrative overhead and improves security by eliminating orphaned accounts.

In cybersecurity, SAML helps prevent password fatigue and reduces the risk of phishing. Users do not need to type their passwords into every application; they only authenticate at the IdP. This means that even if a service provider's login page is compromised, the attacker cannot steal the user's password because the password is never sent to the SP. SAML also supports multi-factor authentication at the IdP level, so administrators can enforce MFA once and it applies to all connected services.

In cloud infrastructure and system administration, SAML is used to federate identities between organisations. For example, a company using Amazon Web Services (AWS) can configure SAML so that employees log in with their corporate credentials instead of creating separate IAM users. This is called identity federation. It allows organisations to maintain control over user identities while giving employees access to external cloud resources. SAML is also widely used in higher education (such as the InCommon federation) and government systems, where different agencies need to share access to resources without managing separate accounts.

How It Appears in Exam Questions

In certification exams, SAML appears in several question formats. The most common is the scenario question. For example: A company has 500 employees who use a cloud-based customer relationship management tool and an email system. The company wants employees to log in once with their corporate credentials and have access to both systems without re-entering passwords. Which technology should the administrator implement? The correct answer is SAML, often with the explanation that it enables single sign-on.

Another common question type is the compare-and-contrast question. For instance: Which of the following is a key difference between SAML and OAuth? The answer might be that SAML is primarily for authentication while OAuth is for authorisation, or that SAML uses XML while OAuth uses JSON.

Architecture questions ask you to identify the components. A typical question might show a diagram where a user browser, an identity provider, and a service provider are connected with arrows. The question may ask: In this SAML SSO flow, what is the role of the identity provider? The answer is that the IdP authenticates the user and issues a SAML assertion.

Troubleshooting questions are less common but can appear. For example: Users report that they cannot access a cloud application after the IT team replaced the SAML identity provider's certificate. What is the most likely cause? The answer is that the service provider still has the old certificate and cannot validate the new SAML assertion's signature.

Some questions test knowledge of SAML bindings. For example: In which SAML binding does the user's browser send the assertion to the service provider using an HTML form? The answer is the HTTP POST binding.

Finally, security-focused questions might ask about SAML vulnerabilities. For example: An attacker intercepts a SAML assertion and attempts to reuse it to gain access. What SAML feature prevents this? The answer is the timestamp and the NotOnOrAfter attribute, which limits the assertion's validity window. Other questions might mention XML signature wrapping attacks or the importance of validating the entire assertion, not just the signature.

Practise Security Assertion Markup Language Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A medium-sized company called GreenLeaf Technologies uses two main cloud services: a sales tool called SalesPro and a document storage service called DocVault. Both services support SAML. The IT administrator sets up Microsoft Azure Active Directory as the identity provider.

When a new sales representative named Maria joins the company, the IT administrator creates her account in Azure AD. Maria does not receive separate credentials for SalesPro or DocVault. The first day on the job, Maria opens her web browser and navigates to the company's internal portal, which redirects her to Azure AD's login page. She enters her company email and password, and then completes a multi-factor authentication prompt on her phone. Azure AD authenticates her successfully.

Now, when Maria clicks the link to open SalesPro, her browser is redirected to Azure AD, which generates a SAML assertion containing Maria's username, her role (sales representative), and a digital signature. Azure AD sends this assertion back to Maria's browser, which forwards it to SalesPro. SalesPro validates the signature using a certificate it received from Azure AD during setup, checks that the assertion is within its valid time window, and reads Maria's role. SalesPro creates a session for Maria and logs her in. She never typed a password into SalesPro.

Later that day, Maria uses a different browser tab for DocVault. The same process happens, but since Maria is already authenticated with Azure AD (her session is still active), the assertion is generated without her needing to re-enter her password. This is the single sign-on experience. If Maria ever leaves the company, the IT administrator disables her Azure AD account. The next time someone tries to use those credentials, no SAML assertion is issued, and access to both SalesPro and DocVault is cut off immediately.

Common Mistakes

Thinking that SAML is the same as single sign-on (SSO).

SAML is a protocol that enables SSO, but SSO is the concept or feature. There are other ways to achieve SSO, such as using Kerberos or OpenID Connect. SAML is one specific implementation, not the concept itself.

Remember: SAML is a tool used to build SSO. SSO is the result, not the protocol.

Believing that SAML assertions are always encrypted by default.

SAML assertions are digitally signed by default to ensure integrity and authenticity, but encryption is optional. Many implementations sign but do not encrypt the assertion, which can expose user data if the network is not secured.

Know that SAML assertions are signed by default, not encrypted. Encryption is an additional configuration for sensitive data.

Confusing SAML with OAuth or OpenID Connect, thinking they do the same thing.

While all three deal with identity and access, they have different purposes and structures. SAML is for enterprise SSO and uses XML. OAuth is for delegated authorisation (like letting an app post to your social media) and uses JSON. OpenID Connect is an authentication layer built on top of OAuth.

SAML is for authentication and authorisation in enterprise SSO. OAuth is for giving apps permission without sharing your password. OpenID Connect is for checking identity using OAuth.

Assuming SAML assertions can be shared between different service providers indefinitely.

SAML assertions have strict time limits defined by the NotBefore and NotOnOrAfter attributes. Once the time window expires, the assertion is invalid. Additionally, assertions are typically tied to a specific service provider (the intended audience), so using it with a different SP will fail.

Each SAML assertion is valid only for a short time and only for the specific service provider it was created for.

Thinking that the identity provider must always be on the same network as the service provider.

SAML is designed to work across different networks and even across organisations. The IdP and SP only need to exchange metadata and certificates beforehand. They do not need direct network connectivity because the user's browser relays the assertions.

SAML works over the internet. The IdP and SP can be in completely different data centres or even different companies.

Exam Trap — Don't Get Fooled

A question describes a scenario where a user logs into an application using their social media account (like Google or Facebook). The question asks which protocol is being used. A learner might answer SAML because they know SAML is for SSO.

Remember that social media login (sign in with Google, Facebook, or Apple) typically uses OAuth 2.0 or OpenID Connect, not SAML. SAML is used in enterprise and education environments where organisations control the identity provider.

If the scenario involves a consumer service and a big tech company as the identity source, it is likely OAuth/OpenID Connect, not SAML.

Commonly Confused With

Security Assertion Markup LanguagevsOAuth 2.0

OAuth 2.0 is an authorisation framework that allows an application to access resources on behalf of a user without sharing the user's password. SAML is an authentication protocol that confirms who the user is and often includes authorisation. OAuth uses tokens (usually JSON Web Tokens) while SAML uses XML assertions. OAuth is more common for APIs and mobile apps, while SAML is common for enterprise web SSO.

When you click 'Sign in with Google' on a website, the website uses OAuth 2.0 to get permission to see your profile. In contrast, when you log into your company's HR portal using your corporate single sign-on, that likely uses SAML.

Security Assertion Markup LanguagevsOpenID Connect

OpenID Connect is an authentication layer built on top of OAuth 2.0. It does essentially the same job as SAML (providing user identity and SSO) but uses modern web technologies like JSON and REST. SAML is older and uses XML. OpenID Connect is more common for modern web and mobile applications, while SAML is still widely used in legacy enterprise systems and government.

A new mobile banking app might use OpenID Connect for user login. A university's student portal that has been running for 15 years likely uses SAML.

Security Assertion Markup LanguagevsKerberos

Kerberos is a network authentication protocol that uses tickets and a trusted third party called a Key Distribution Center (KDC). It is designed for internal networks (like a corporate LAN) and does not work well across the internet because it requires time synchronisation and trust between all systems. SAML is designed for cross-domain and internet-based SSO. Kerberos is commonly used with Active Directory in Windows environments.

Logging into your work computer on the office network often uses Kerberos behind the scenes. Accessing a cloud-based application from home using the same corporate credentials would more likely use SAML.

Step-by-Step Breakdown

1

User requests a resource

The user opens their browser and tries to access a protected resource at the service provider (SP), such as a cloud application. The SP does not know who the user is yet, so it needs to authenticate them.

2

SP redirects user to the identity provider

The SP generates a SAML authentication request and redirects the user's browser to the identity provider (IdP). This request includes the SP's identity and the desired destination. The user's browser follows the redirect to the IdP's login page.

3

User authenticates at the IdP

The IdP presents a login page to the user. The user provides their credentials (username and password, and optionally a second factor like a code from an authenticator app). The IdP verifies the credentials and establishes a session for the user.

4

IdP generates a SAML assertion

After successful authentication, the IdP creates an XML document called a SAML assertion. This assertion contains the user's identity (like username or email), attributes (like role or department), and the time window during which the assertion is valid. The IdP signs the assertion with its private key to ensure authenticity.

5

Assertion is sent to the SP via the user's browser

The IdP sends the SAML assertion back to the user's browser, often embedded in an HTML form that automatically submits to the SP. The browser forwards the assertion to the SP's endpoint. The user never sees the raw XML.

6

SP validates the assertion

The SP receives the assertion and performs several checks. It validates the digital signature using the IdP's public key (which it received during setup). It checks that the assertion is within its valid time window. It also verifies that the assertion is intended for this specific SP (audience restriction).

7

SP grants or denies access

If all checks pass, the SP creates a local session for the user and grants access to the protected resource. The user is now logged in without ever having entered a password at the SP. If any check fails (bad signature, expired assertion, wrong audience), access is denied.

Practical Mini-Lesson

SAML is a cornerstone of identity federation in enterprise IT. When you work as a system administrator or security professional, you will encounter SAML in the context of configuring single sign-on for cloud applications. The key practical skill is understanding how to set up a trust relationship between an identity provider (IdP) and a service provider (SP).

First, you need to choose an IdP. Common choices include Microsoft Entra ID (formerly Azure AD), Okta, Ping Identity, or even open-source solutions like Keycloak. The IdP is the central authentication server. You also need to identify the SPs, which are the applications your users need to access, such as Salesforce, Workday, or AWS.

To configure SAML, you exchange metadata between the IdP and SP. Metadata is an XML document that contains information like the IdP's public certificate, its SSO endpoint URL, and the supported bindings. The SP also provides its own metadata, including its assertion consumer service (ACS) URL, which is the endpoint where it expects to receive SAML assertions. You import the IdP metadata into the SP, and sometimes import SP metadata into the IdP. This establishes mutual trust.

One common issue in practice is certificate expiration. The IdP signs assertions with a certificate that has an expiry date. If the certificate expires and the SP still has the old certificate, all SSO attempts will fail because the signature validation will fail. Administrators must rotate certificates before they expire and update the SP with the new certificate. Some modern IdPs allow automatic metadata refresh to handle this.

Another practical consideration is attribute mapping. The IdP sends attributes (like email, role, or department) as part of the SAML assertion. The SP needs to map these attributes to its own user fields. For example, the IdP might send an attribute called 'mail' but the SP expects 'email'. If the mapping is wrong, users may authenticate but then see errors or be denied access.

Security professionals must also be aware of SAML vulnerabilities. One known issue is the XML signature wrapping attack, where an attacker manipulates the XML structure so that the SP validates the signature on a legitimate part of the document but uses a different part for authorization decisions. Proper validation involves checking that the signed element truly corresponds to the assertion being processed. Other best practices include using short assertion lifetimes (typically 5-15 minutes), requiring SSL/TLS for all SAML endpoints, and implementing single logout so that terminating a session at the IdP also ends sessions at all SPs.

SAML connects to broader IT concepts like identity and access management (IAM), federation, and zero trust architectures. In a zero trust model, SAML helps ensure that users are authenticated and authorised before accessing any resource, even if they are on the corporate network. Understanding SAML is also a stepping stone to learning about modern alternatives like OpenID Connect, which build on similar concepts but use lighter-weight formats.

Memory Tip

Remember SAML as 'Sign At My Login' — the user signs in at the identity provider, and then the assertion is sent to the service provider. This helps you recall that authentication happens only at the IdP, and the SP trusts that result.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

Is SAML the same as single sign-on?

No. SAML is a protocol that enables single sign-on (SSO). SSO is the broader concept where a user logs in once and gains access to multiple systems without re-authenticating. SAML is one way to implement SSO, but there are other methods like Kerberos or OpenID Connect.

Does SAML require users to share their passwords with every application?

No. In SAML, the user only shares their password with the identity provider. The service provider never sees the user's password. Instead, it receives a digitally signed assertion that proves the user is authenticated.

Can SAML be used for mobile apps?

Yes, but it is less common. SAML was designed for web browser-based interactions. For mobile apps, OpenID Connect is often preferred because it uses lighter-weight JSON tokens and works better with native app user interfaces.

What happens if the SAML assertion expires while I am using an application?

The application typically maintains its own session for you after the initial login. The SAML assertion is only used during the initial authentication. Your session in the application will continue until it times out or you log out, regardless of the assertion's expiry.

How does SAML prevent someone from forging an assertion?

SAML assertions are digitally signed by the identity provider using its private key. The service provider has the corresponding public key and uses it to verify the signature. If the signature does not match, the assertion is rejected. This prevents forgery and tampering.

Is SAML still relevant with newer protocols like OAuth and OpenID Connect?

Yes, SAML is still widely used, especially in large enterprises, government, and education sectors. Many legacy applications and cloud services only support SAML for SSO. However, newer applications increasingly support OpenID Connect, so IT professionals should understand both.

What does federation mean in the context of SAML?

Federation refers to the trust relationship established between different organisations or systems. With SAML, an organisation can allow its users to access resources in another organisation's systems without creating separate accounts. For example, a company can federate with a cloud provider so employees can use corporate credentials to access the cloud console.

Summary

Security Assertion Markup Language (SAML) is an open standard that enables single sign-on (SSO) by allowing an identity provider to send authentication and authorisation information to a service provider using XML documents called assertions. SAML works by having users authenticate once at the identity provider, which then generates a digitally signed assertion that the service provider can validate and trust. This eliminates the need for multiple passwords and reduces administrative overhead.

In certification exams for CompTIA Security+ and Network+, you need to understand the roles of the identity provider and service provider, the fact that SAML uses XML and digital signatures, and how it differs from similar protocols like OAuth and OpenID Connect. Common exam traps include confusing SAML with social login protocols or assuming that assertions are always encrypted. Remember that SAML is an enterprise-focused, browser-based SSO protocol that relies on a trust relationship established through certificate exchange.

Mastering SAML will help you understand identity federation, a critical component of modern IT security and cloud infrastructure.