What is SAML?

Security Assertion Markup Language, an XML-based standard for exchanging authentication and authorization data between an identity provider and a service provider.

Also known as: Security Assertion Markup Language

SAML is the protocol that powers most enterprise single sign-on. The user hits a service (the SP, Service Provider), gets redirected to their company's identity provider (the IdP), authenticates there, and is bounced back to the SP carrying a signed XML "assertion" that says who they are and what groups they belong to. The SP trusts the assertion because it carries a signature the SP can verify against the IdP's certificate.

The flow is older and more verbose than OIDC, but SAML is what corporate IT departments deployed first, which means it is what every B2B SaaS has to support to land enterprise customers. "SAML SSO" is often the gating feature for a deal with any organization larger than a few hundred employees.

Implementing SAML is finicky: XML signatures, optional encryption, multiple binding types (HTTP-POST, HTTP-Redirect, Artifact), and a long tail of IdP-specific quirks. Most teams use a library (saml2-js, python3-saml) or a hosted provider (Auth0, WorkOS, JumpCloud) rather than implementing the spec themselves.

In the wild

  • A SaaS app supporting "SAML SSO" so an Okta customer's users log in with their corporate identity
  • WorkOS or Auth0 abstracting the dozens of IdP integrations behind one SDK
  • A JIT (just-in-time) provisioning flow creating an account on first SAML login based on group claims

How Brand.dev uses SAML

Endpoints in the Brand.dev API where this concept comes up directly.

FAQ

SAML vs OIDC?

OIDC (built on OAuth 2.0) is JSON-based, lighter, and is what most consumer-facing SSO uses. SAML is XML-based, heavier, and is what enterprise IT shops standardized on a decade earlier. B2B SaaS typically supports both.

What is an IdP?

Identity Provider: the system that authenticates users (Okta, Azure AD, Google Workspace, OneLogin, JumpCloud). The SP delegates "is this person who they say they are" to the IdP.

Should I implement SAML myself?

Almost never. The XML signature canonicalization rules alone are a security minefield. Use a maintained library or a hosted provider (WorkOS, Auth0, FusionAuth).
