An XML-based open standard for exchanging authentication and authorization data between an identity provider and a service provider for single sign-on.
Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between security domains. It is the dominant protocol for enterprise single sign-on (SSO), letting a user authenticate once and access many applications without re-entering credentials.
Trust between IdP and SP is established out of band by exchanging metadata (entity IDs, endpoint URLs, and signing certificates), and assertions are carried over bindings such as HTTP POST and Redirect.
In an SP-initiated flow the user starts at the SP, which redirects to the IdP with a SAMLRequest and later correlates the reply via InResponseTo. In an IdP-initiated flow the user starts at the IdP portal and the IdP posts an unsolicited SAMLResponse to the SP with no prior request. The SP-initiated flow is preferred because the request correlation blocks replay and CSRF.
SAML security failures cluster around trusting XML that was not properly signed or not properly scoped: