
What is SAML?

Learn how the industry standard protocol, security assertion markup language (SAML), strengthens security measures and improves sign-in experiences.

SAML defined

SAML (Security Assertion Markup Language) is an XML-based open standard that allows people to sign in once using one set of credentials and access multiple applications. Identity providers, like Microsoft Entra ID, verify users when they sign in, and then use SAML to pass a signed statement of that authentication (an assertion) to the service provider that runs the site, service, or app that the users wish to access.

What is SAML used for?

SAML helps strengthen security for businesses and simplify the sign-in process for employees, partners, and customers. Organizations use it to enable single sign-on, which allows people to use one username and password to access multiple sites, services, and apps. Decreasing the number of passwords that people must memorize is not only easier for them, but it also reduces the number of places a password can be phished, reused, or stolen. Because authentication happens at the identity provider, organizations can also set one security standard for sign-in across all their SAML-enabled apps. For example, they can require multifactor authentication before people access cloud apps, like Salesforce, Concur, and Adobe, as well as on-premises apps.

SAML helps organizations address the following use cases:

Unify identity and access management:

By managing authentication and authorization in one system, IT teams can significantly reduce the time they spend on user provisioning and identity entitlement.

Enable Zero Trust:

A Zero Trust security strategy requires that organizations verify every access request and limit access to sensitive information to only the people who need it. Because every SAML sign-in passes through the identity provider, tech teams can apply policies there, such as multifactor authentication and conditional access, and have them cover all their apps at once. They can also enable stricter measures, such as forcing a password reset, when a user's risk is elevated based on their behavior, device, or location.

Enrich the employee experience:

In addition to simplifying access for workers, IT teams can also brand sign-in pages to create a consistent experience across apps. Employees also save time with self-service experiences that let them easily reset their passwords.

What is a SAML provider?

A SAML provider is a system that exchanges authentication and user attribute data with other providers. There are two types of SAML providers:

  • Identity providers authenticate users. They provide the sign-in page where people enter their credentials, and they enforce security policies, such as requiring multifactor authentication or a password reset. Once the user is authenticated and policy allows access, the identity provider issues a signed assertion about the user to the service provider.

  • Service providers are the apps and websites that people want to access. Instead of requiring people to sign into their apps individually, service providers configure their solutions to trust assertions from the identity provider and rely on it to verify identities. The service provider then decides what the authenticated user may do within the app.

How does SAML authentication work?

In SAML authentication, the service provider and the identity provider exchange messages through the user's browser to confirm that each person who requests access has been authenticated. A typical service-provider-initiated flow follows these steps:

  1. An employee begins work by signing in using the login page provided by the identity provider.

  2. The identity provider validates that the employee is who they say they are by confirming a combination of authentication details, such as username, password, PIN, device, or biometric data.

  3. The employee launches a service provider app, such as Microsoft Word or Workday. The app redirects the browser to the identity provider with a SAML authentication request that names the app and the address where the answer should be delivered.

  4. The identity provider checks that request against the app's registered settings, confirms the employee's existing session, and applies any extra policy the app requires, such as multifactor authentication.

  5. The identity provider sends a signed SAML response, containing an assertion about the employee, back to the service provider through the browser.

  6. The service provider validates the assertion (signature, issuer, audience, and validity window), creates its own session, and the employee accesses the app without signing in a second time.
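The request leg of the flow above (steps 3 and 4), as an added example that is not Microsoft's or any product's code. The service provider builds an AuthnRequest, encodes it for the HTTP-Redirect binding, and sends the browser to the identity provider; the identity provider decodes it and refuses anything that doesn't match what the service provider registered. The entity IDs and URLs (sp.example.com, idp.example.com) are hypothetical.

```python
"""Request leg of an SP-initiated SAML 2.0 login (added example; not Microsoft code).

All entity IDs and URLs below are constructed for this example.
"""
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical identifiers for the two parties.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/sso"

# What the IdP knows about registered SPs (normally loaded from SP metadata).
REGISTERED_SPS = {SP_ENTITY_ID: {SP_ACS_URL}}

# SP-side record of outstanding request IDs; the response's InResponseTo is checked against it.
PENDING_REQUESTS = {}


def build_authn_request():
    """Return (request_id, AuthnRequest XML). SAML IDs must be NCNames, hence the '_' prefix."""
    request_id = "_" + secrets.token_hex(16)
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issued}" '
        f'Destination="{IDP_SSO_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )
    PENDING_REQUESTS[request_id] = issued
    return request_id, xml


def redirect_url(authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 gives raw DEFLATE (no zlib header)
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    query = urllib.parse.urlencode(
        {"SAMLRequest": base64.b64encode(deflated).decode("ascii"), "RelayState": relay_state}
    )
    return f"{IDP_SSO_URL}?{query}"


def decode_authn_request(url):
    """IdP side: undo the binding, parse the request, and reject anything not matching registration.

    The ACS URL check matters most: if the IdP honoured an arbitrary AssertionConsumerServiceURL,
    an attacker could have a signed assertion for a real user posted to a URL they control.
    """
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode("utf-8")
    root = ET.fromstring(xml)  # expat does not fetch external entities, so no XXE here
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    if root.get("Destination") != IDP_SSO_URL:
        raise ValueError("request was not addressed to this IdP")
    issuer = root.findtext(f"{{{NS_SAML}}}Issuer")
    if issuer not in REGISTERED_SPS:
        raise ValueError(f"unknown service provider: {issuer!r}")
    acs = root.get("AssertionConsumerServiceURL")
    if acs not in REGISTERED_SPS[issuer]:
        raise ValueError(f"ACS URL {acs!r} is not registered for {issuer}")
    return {
        "id": root.get("ID"),
        "issuer": issuer,
        "acs": acs,
        "relay_state": params.get("RelayState", [""])[0],
    }


if __name__ == "__main__":
    rid, req = build_authn_request()
    print(redirect_url(req, "/dashboard"))
    print(decode_authn_request(redirect_url(req, "/dashboard")))
```

RelayState is returned to the service provider unchanged and is usually the page the user was trying to reach; treat it as untrusted input on the way back (same-origin path only), since an open redirect after login is a common finding in SAML integrations.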

What is SAML assertion?

A SAML assertion is the XML document, signed by the identity provider, that confirms to the service provider that the person who is signing in has been authenticated.

An assertion can carry three types of statements:

  • An authentication statement identifies the user and includes the time the person signed in and the type of authentication they used, such as a password or multifactor authentication.

  • An attribute statement carries specific data about the user, such as email address, display name, or group membership, that the service provider uses to find or create the account and assign roles.

  • An authorization decision statement tells the service provider whether the identity provider permits or denies the user a specific action on a specific resource. In practice it is rarely used; most service providers make authorization decisions themselves from the attributes they receive.

SAML vs. OAuth

Both SAML and OAuth reduce how often people sign in to separate services, but the two protocols use different technology and solve different problems. SAML uses XML messages to let people use the same credentials to access multiple services; it is about authentication. OAuth 2.0 is an authorization framework: it exchanges JSON over HTTPS and issues access tokens, commonly formatted as JSON Web Tokens (JWTs), that let an app act on a user's behalf against an API without ever handling the user's password. Sign-in on top of OAuth is provided by OpenID Connect (OIDC), which adds an ID token that identifies the user.

In the familiar OAuth-based sign-in, people choose to sign into a service using an existing account, such as their Google or Facebook account, rather than creating a new username and password for that service. The service receives a token scoped to what it is allowed to do and never sees the user's password.

The role of SAML for businesses

SAML helps businesses enable both productivity and security in their hybrid workplaces. With more people working remotely, it’s critical to empower them to easily access company resources from anywhere, but without the right security controls, easy access raises the risks of a breach. With SAML, organizations can streamline the sign-in process for employees while enforcing strong policies like multifactor authentication and conditional access across the apps their employees use.
To get started, organizations should invest in an identity provider solution, like Microsoft Entra ID. Microsoft Entra ID protects users and data with built-in security and unifies identity management into a single solution. Self-service and single sign-on make it easy and convenient for employees to stay productive. Plus, Microsoft Entra ID comes with prebuilt SAML integration with thousands of apps, such as Zoom, DocuSign, SAP Concur, Workday, and Amazon Web Services (AWS).

Learn more about Microsoft Security

Microsoft identity and access

Explore comprehensive identity and access solutions from Microsoft.

Microsoft Entra ID

Safeguard your organization with a seamless identity solution.

Single sign-on

Simplify access to your software as a service (SaaS) apps, cloud apps, or on-premises apps.

Multifactor authentication

Protect your organization against breaches due to lost or stolen credentials.

Conditional access

Enforce granular access control with real-time adaptive policies.

Prebuilt app integrations

Use prebuilt integrations to connect your users more securely to their apps.

Identity and access blog

Stay current with the latest thought leadership in identity and access management.

Frequently asked questions

  • SAML includes the following components:

    • Identity providers authenticate users. They provide the sign-in page where people enter their credentials and enforce security policies, such as requiring multifactor authentication or a password reset. Once the user is authenticated, the identity provider passes a signed assertion to the service provider.

    • Service providers are the apps and websites that people want to access. Instead of requiring people to sign into their apps individually, service providers configure their solutions to trust SAML authorization and rely on the identity providers to verify identities and authorize access.

    • Metadata describes how identity providers and service providers will exchange assertions, including each party's entity ID, endpoints, supported bindings, and certificates.

    • Assertion is the authentication data that confirms to the service provider that the person that is signing in has been authenticated.

    • Signing certificates establish trust between the identity provider and the service provider. The identity provider signs each assertion with its private key, and the service provider verifies the signature with the certificate published in the identity provider's metadata, confirming that the assertion wasn't manipulated while traveling between the two providers.

    • Synchronized system clocks matter because each assertion carries a short validity window (NotBefore and NotOnOrAfter). If the two providers' clocks drift, valid assertions are rejected, or expired ones are accepted for longer than intended, which weakens protection against replay attacks.
  • SAML offers the following benefits to organizations, their employees, and partners:

    • Enhanced user experience. SAML enables organizations to create a single sign-on experience so that employees and partners sign in once and gain access to all their apps. This makes work easier and more convenient because there are fewer passwords to memorize, and employees don’t have to sign in every time they switch tools.

    • Improved security. Fewer passwords reduce the risk of compromised accounts. Plus, security teams can use SAML to apply strong security policy to all their apps. For example, they can require multifactor authentication to sign in or apply conditional access policies that limit which apps and data people can access.

    • Unified management. By using SAML, tech teams manage identities and security policies in one solution rather than using separate management consoles for each app. This significantly simplifies user provisioning.
  • SAML is an open standard XML technology that allows identity providers, like Microsoft Entra ID, to pass authentication data to a service provider, such as a software as a service app.
    Single sign-on is when people sign in once and then gain access to several different websites and apps. SAML enables single sign-on, but it’s possible to deploy single sign-on with other technologies.

  • Lightweight directory access protocol (LDAP) is a protocol for querying and authenticating against a directory such as Active Directory. Many apps support LDAP, so it is a long-standing way to centralize user accounts; however, each app must collect the user's password and check it against the directory itself, which doesn't work well for web applications and doesn't give true single sign-on.

    SAML is a newer technology that is available on most web and cloud applications, making it a more popular choice for centralized identity management.

  • Multifactor authentication is a security measure that requires people to use more than one factor to prove their identity. Typically, it requires something that the individual has, like a device, plus something that they know, like a password or PIN. Because the identity provider performs the sign-in, SAML lets tech teams apply multifactor authentication to multiple websites and apps from one place, and the assertion tells each app which authentication method was used. They can choose to apply this level of authentication to all the apps integrated with SAML or enforce multifactor authentication for some apps but not others.
