What is SAML (Security Assertion Markup Language)?
Turkish: SAML
SAML carries signed XML authentication assertions between an identity provider and a service provider, commonly for enterprise SSO.
What is SAML?
SAML (Security Assertion Markup Language) is an XML-based standard for carrying authentication information in enterprise single sign-on flows. When a user tries to access an application, that application can redirect the user to the company’s identity provider for login.
SAML is common in B2B SaaS products that integrate with enterprise identity providers such as Microsoft Entra ID, Okta, and OneLogin.
How Does it Work?
A SAML flow has two main roles:
- Identity Provider (IdP): The system that authenticates the user
- Service Provider (SP): The application the user wants to access
When the user opens the SP, the SP creates a SAML request and redirects the browser to the IdP. The IdP authenticates the user, creates a signed SAML assertion, and sends it back through the browser. The SP checks the signature, audience, time window, and user attributes before creating a session.
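The service-provider checks listed above, as an added example that is not part of the original page: signature, issuer, time window with clock-skew tolerance, audience, and attribute mapping, run against a constructed sample assertion. XML-DSig verification itself is assumed to be done by an XML security library (real SAML toolkits use xmlsec bindings); its verdict is passed in as `signature_valid` so the remaining checks run offline. The issuer, audience, attribute names and clock-skew value are assumptions, not values from the page.

```python
"""SP-side validation of a SAML 2.0 assertion (added example, not the page's own code).
Assumed: the XML-DSig signature has already been verified by an XML security library and
its verdict arrives as `signature_valid`. All identifiers below are constructed sample data."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed SP configuration for a hypothetical app.example.com.
EXPECTED_ISSUER = "https://idp.example.com/metadata"
EXPECTED_AUDIENCE = "https://app.example.com/saml/metadata"
# Attribute mapping: IdP attribute names -> application user fields (assumed names).
ATTRIBUTE_MAP = {"mail": "email", "memberOf": "groups"}
REQUIRED_FIELDS = ("email",)
CLOCK_SKEW = timedelta(seconds=120)  # tolerance for IdP/SP clock drift (assumed value)

# Constructed sample assertion. The ds:Signature element is omitted because verifying it
# is delegated to the caller (see signature_valid).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c0ffee" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>staff</saml:AttributeValue><saml:AttributeValue>admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class AssertionRejected(Exception):
    """Raised when any check fails; the SP must not create a session."""


def parse_saml_time(value: str) -> datetime:
    # SAML uses xsd:dateTime in UTC with a "Z" suffix.
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def validate_assertion(xml_text, *, signature_valid, now, expected_issuer=EXPECTED_ISSUER,
                       expected_audience=EXPECTED_AUDIENCE, clock_skew=CLOCK_SKEW):
    # 1. Signature: nothing below can be trusted until the XML-DSig check has passed.
    if not signature_valid:
        raise AssertionRejected("signature verification failed")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise AssertionRejected("root element is not a SAML 2.0 Assertion")
    # 2. Issuer: the assertion must come from the IdP configured for this SP.
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise AssertionRejected("unexpected issuer")
    # 3. Time window, with symmetric skew tolerance on both bounds.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("missing Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + clock_skew < parse_saml_time(not_before):
        raise AssertionRejected("assertion not yet valid")
    if not_on_or_after and now - clock_skew >= parse_saml_time(not_on_or_after):
        raise AssertionRejected("assertion expired")
    # 4. Audience: an assertion issued for another SP is rejected even if otherwise valid.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise AssertionRejected("audience mismatch")
    # 5. Subject and attribute mapping into the application's user model.
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise AssertionRejected("missing NameID")
    user = {"name_id": name_id}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        field = ATTRIBUTE_MAP.get(attr.get("Name"))
        if field:  # attributes the app does not map are ignored, not trusted
            user[field] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    for field in REQUIRED_FIELDS:
        if not user.get(field):
            raise AssertionRejected(f"required attribute {field!r} not provided")
    return user


def outcome(now_iso, **overrides):
    """Run the checks at a given clock reading; return the mapped user or the rejection reason."""
    kwargs = dict(signature_valid=True, now=parse_saml_time(now_iso))
    kwargs.update(overrides)
    try:
        return validate_assertion(SAMPLE_ASSERTION, **kwargs)
    except AssertionRejected as exc:
        return str(exc)


if __name__ == "__main__":
    print(outcome("2024-05-01T12:03:00Z"))                         # mapped user
    print(outcome("2024-05-01T12:10:00Z"))                         # assertion expired
    print(outcome("2024-05-01T11:59:00Z"))                         # accepted, inside skew window
    print(outcome("2024-05-01T12:03:00Z", signature_valid=False))  # signature verification failed
    print(outcome("2024-05-01T12:03:00Z",
                  expected_audience="https://other.example.com/saml"))  # audience mismatch
```

The checks run in the order an SP should apply them: signature first, because the issuer, conditions and attributes are only meaningful once the document is known to be untampered; then issuer, time window, audience, and finally the attribute mapping that feeds the application session.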
Business Use
Enterprise customers often require SSO so employees can access SaaS applications without managing separate usernames and passwords. SAML lets onboarding and offboarding follow the central identity system.
SAML is not the same as OAuth2. OAuth2 is mostly used for authorization and API access, while SAML is widely used for enterprise authentication through XML assertions. Certificate rotation, clock skew, metadata URLs, and attribute mapping are common production details that need careful handling.