What is SAML

Shahrukh Ahmad
7 min read

SAML (Security Assertion Markup Language) is an open standard that allows Single Sign-On (SSO) between identity providers (IdP) (e.g. Okta, Azure AD) and service providers (SP) (e.g. Salesforce, Dropbox, Gmail).
It is XML-based and transfers authentication and authorization data between the two parties; the data is protected by an XML digital signature from the IdP, so the SP can trust what is asserted without relying on the transport alone.

Commonly used for

Enterprise SSO (Single Sign-On), cloud application access control (e.g. Salesforce, Office 365, the AWS Console), and federated identity management.

In simple terms:

SAML lets a user log in once (e.g. with their corporate credentials) and access multiple applications without re-entering their login details.

Where Is SAML Used

Use Case | Example
🌐 SSO for Web Apps | Google Workspace login with company AD credentials
🏢 Enterprise Portals | Login to Salesforce, Zoom, Workday using SAML SSO
☁️ Cloud Platforms | Login to AWS, Azure, or GCP via a corporate IdP (Azure AD, Okta)
🔐 Third-Party SaaS Tools | SAML lets users log in securely without the SaaS tool managing local credentials

How SAML works

  1. You try to access a service (e.g. Salesforce).

  2. The service provider (SP) redirects your browser to an identity provider (e.g. Okta, AD FS) with a SAML AuthnRequest.

  3. You log in to the identity provider.

  4. The identity provider authenticates you and sends a signed SAML Assertion (an XML document) back to the SP through your browser.

  5. The service provider verifies the signature and the assertion's conditions (audience, validity window) and grants you access.


Practice Approach (Build Lab Project)

🔧 Tools You Can Use for Practice

  • Identity Provider (IdP):

    • 🔹 Azure AD (Free Tier)

    • 🔹 Okta Developer Account (Free)

    • 🔹 ADFS (Active Directory Federation Services – for on-prem)

  • Service Provider (SP):

    • 🔹 WordPress with SAML Plugin

    • 🔹 Any free SAML demo app (e.g., SAMLTool, OneLogin Demo App)

Real-Life Example: SAML SSO Using Okta + Web App

Scenario:

A company wants users to log in to its internal Leave Management System using Okta SSO instead of creating separate user accounts in the app.

Step-by-Step Setup:

Step 1: Setup Okta as Identity Provider

  1. Create a free Okta Developer account

  2. Go to Applications > Create App Integration

  3. Choose SAML 2.0

  4. Fill:

    • Single Sign-On URL – the Assertion Consumer Service (ACS) URL of your app, where Okta will POST the SAML response (e.g. https://your-app/saml/acs)

    • Audience URI (SP Entity ID) – identifier for your app

  5. Download the IdP metadata XML (contains the IdP Entity ID, the signing certificate and the SSO endpoint)


Step 2: Configure the Web App (Service Provider)

  1. Use a sample SAML-enabled web app or install WordPress + miniOrange SAML Plugin

  2. Enter:

    • IdP Entity ID

    • SSO URL

    • X.509 Certificate (from Okta)


Step 3: Add a user in Okta and assign the new application to that user (Okta only issues assertions for assigned users)


Step 4: Test the Login Flow

  1. Visit your app (SP)

  2. Click "Login via SSO"

  3. You are redirected to Okta (IdP)

  4. Enter Okta credentials

  5. You are redirected back to the app: your browser POSTs the SAML response to the app's ACS URL

  6. The app validates the assertion (signature, audience, validity window) and grants access based on it (no password is stored in the app)

What Is Transferred?

  • A SAML Response containing a SAML Assertion (XML) is sent from the IdP to the SP through the user's browser

  • The assertion includes:

    • Subject (the NameID, e.g. the user's email) and an AuthnStatement with the authentication time and method

    • User attributes (name, email, role, group membership)

    • Conditions (an AudienceRestriction naming the SP, and a NotBefore / NotOnOrAfter validity window)

    • Digital signature made with the IdP's certificate
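The checks the app (SP) has to run on that assertion in Step 4 of the lab, as an added example that is not part of the original post or of any SAML plugin. It assumes the XML signature has already been verified with a real XML-DSig library (e.g. python3-saml / xmlsec) and that the Entity IDs and ACS URL are placeholders for the Leave Management System; the sample response is constructed and omits the ds:Signature element on purpose.

```python
# Added example (not from the original post): Service Provider-side checks on a
# SAML Response, run AFTER the XML signature has been verified with a real
# XML-DSig library (python3-saml / xmlsec). IDs and URLs are assumed placeholders.
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted XML in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://leave.example.com/saml/metadata"   # assumed
ACS_URL = "https://leave.example.com/saml/acs"             # assumed
IDP_ENTITY_ID = "https://idp.example.com"                  # assumed
ALLOWED_SKEW = timedelta(seconds=180)  # tolerate small IdP/SP clock differences


class SamlValidationError(Exception):
    pass


def parse_saml_time(value):
    # xs:dateTime in UTC, with or without fractional seconds
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise SamlValidationError(f"bad timestamp {value!r}")


def validate_response(saml_response_b64, expected_request_id, now, seen_ids):
    """Decode the SAMLResponse form field, enforce every SP-side condition and
    return the NameID plus attributes; `seen_ids` is the SP's replay cache."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlValidationError("not a samlp:Response")
    if root.get("Destination") != ACS_URL:               # response aimed at another SP
        raise SamlValidationError("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:  # unsolicited or replayed
        raise SamlValidationError("InResponseTo does not match our AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("IdP returned a non-success status")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:   # a second assertion is the classic signature-wrapping trick
        raise SamlValidationError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlValidationError("unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("missing Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + ALLOWED_SKEW < parse_saml_time(nb):
        raise SamlValidationError("assertion not yet valid (clock skew?)")
    if not noa or now - ALLOWED_SKEW >= parse_saml_time(noa):
        raise SamlValidationError("assertion expired or unbounded (clock skew?)")
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError("Audience does not include our Entity ID")
    # Bearer confirmation: the assertion must be addressed to our ACS for our request.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    ok = (scd is not None and scd.get("Recipient") == ACS_URL
          and scd.get("InResponseTo") == expected_request_id
          and scd.get("NotOnOrAfter") is not None
          and now - ALLOWED_SKEW < parse_saml_time(scd.get("NotOnOrAfter")))
    if not ok:
        raise SamlValidationError("SubjectConfirmationData does not fit this SP/request")
    if a.get("ID") in seen_ids:   # replay of an already-consumed assertion
        raise SamlValidationError("assertion replayed")
    seen_ids.add(a.get("ID"))
    attrs = {att.get("Name"): [v.text for v in att.findall("saml:AttributeValue", NS)]
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attrs, "assertion_id": a.get("ID")}


# Constructed sample: the shape of Okta's POST to the ACS URL after signature
# verification (the ds:Signature element is deliberately omitted).
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
  Destination="{ACS_URL}" InResponseTo="_req1">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="_req1" NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="role"><saml:AttributeValue>manager</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)
SAMPLE_LATE = SAMPLE_NOW + timedelta(minutes=10)   # past NotOnOrAfter plus skew
```

Calling `validate_response(SAMPLE_RESPONSE_B64, "_req1", SAMPLE_NOW, set())` returns the NameID and the `role` attribute; presenting the same response a second time with the same cache, with a different request ID, or ten minutes later is rejected. Every one of these checks is on top of signature verification, not a substitute for it: an SP that only verifies the signature will still accept a replayed or cross-SP assertion.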

How to Explain in an Interview:

“SAML is an open standard used for secure Single Sign-On.
I implemented a lab where I used Okta as the Identity Provider and a WordPress app as the Service Provider.
I configured SAML 2.0 integration, tested the login flow, and verified how the SAML assertion is securely passed and used to authenticate the user.”

Top 12 SAML Interview Questions with Sample Answers


Q1. What is SAML?

Answer (Say this confidently):

“SAML stands for Security Assertion Markup Language.
It’s an open standard based on XML used to exchange authentication and authorization information between an Identity Provider (IdP) and a Service Provider (SP), primarily used for Single Sign-On (SSO).”


Q2. Why do we use SAML?

Answer:

“SAML allows Single Sign-On, so users can log in once and access multiple applications securely.
It improves security by centralizing authentication, reduces password fatigue, and helps organizations enforce access policies from a single identity source like Okta or Azure AD.”


Q3. What are the main components of SAML?

Answer:

  1. Identity Provider (IdP) – Authenticates the user (e.g., Okta, Azure AD)

  2. Service Provider (SP) – The app or service the user wants to access (e.g., Salesforce, WordPress)

  3. SAML Assertion – An XML token sent by the IdP to the SP with user identity and access permissions


Q4. What is a SAML Assertion?

Answer:

“A SAML assertion is an XML document that states who the user is (the NameID), how and when they authenticated, and which attributes they have.
It is digitally signed by the Identity Provider so the Service Provider can verify that it really came from the IdP and was not altered in transit.
The Service Provider uses it to grant access without ever seeing the user's password.”


Q5. What is the difference between IdP and SP?

Answer:

  • IdP (Identity Provider) authenticates the user (e.g., Okta, ADFS)

  • SP (Service Provider) provides the service the user is trying to access (e.g., Gmail, Salesforce)

The SP trusts the IdP to validate the user's identity via the SAML token.


Q6. How does the SAML login flow work?

Answer (Say this step-by-step):

  1. User tries to access a Service Provider (e.g. an app)

  2. The SP redirects the user's browser to the Identity Provider (IdP) with an AuthnRequest

  3. The IdP authenticates the user

  4. The IdP sends a signed SAML assertion back to the SP via the browser (normally an HTTP POST to the SP's ACS URL)

  5. The SP validates the assertion (signature, audience, validity window) and logs the user in


Q7. What are the different bindings used in SAML?

Answer:

Common bindings include:

  • HTTP Redirect Binding – the message is DEFLATE-compressed, base64-encoded and URL-encoded into a SAMLRequest query parameter; used for the initial AuthnRequest, because a full signed response does not fit in a URL

  • HTTP POST Binding – the message is base64-encoded into a hidden SAMLResponse form field that the browser auto-submits to the SP's ACS URL; the usual binding for responses

  • HTTP Artifact Binding – the browser carries only a short artifact (a reference); the SP exchanges it for the actual message over a direct back-channel (SOAP) call to the IdP, so the assertion never passes through the browser
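The two browser-carried bindings from the list above as working code, added here as an example that is not part of the original post: the SP wraps an AuthnRequest in the HTTP-Redirect binding and the IdP wraps a Response in the HTTP-POST binding, with the decoding each side performs on arrival. The IdP SSO URL, SP Entity ID and ACS URL are assumed placeholders for the lab on this page.

```python
# Added example (not from the original post): SAML 2.0 HTTP-Redirect and
# HTTP-POST bindings. Endpoints are assumed placeholders for the lab.
import base64
import html
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

IDP_SSO_URL = "https://idp.example.com/sso/saml"            # assumed
SP_ENTITY_ID = "https://leave.example.com/saml/metadata"    # assumed
ACS_URL = "https://leave.example.com/saml/acs"              # assumed


def new_request_id():
    # SAML IDs are XML NCNames and cannot start with a digit, hence the '_' prefix
    return "_" + uuid.uuid4().hex


def build_authn_request(request_id, issue_instant):
    """Minimal SP-initiated AuthnRequest asking the IdP to POST its response to our ACS."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )


def redirect_binding_url(message_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode.
    If the request is signed, the signature goes into separate SigAlg/Signature
    query parameters computed over the encoded query string, not inside the XML."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15 means raw deflate
    deflated = comp.compress(message_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state   # opaque to the IdP, echoed back unchanged
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_redirect_binding(url):
    """What the IdP does on arrival: reverse the three encoding steps."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    message_xml = zlib.decompress(raw, -15).decode("utf-8")
    return message_xml, qs.get("RelayState", [None])[0]


def post_binding_form(saml_response_xml, relay_state=None):
    """HTTP-POST binding: base64 only (no deflate) in a hidden field of a form
    that the browser auto-submits to the SP's ACS URL."""
    b64 = base64.b64encode(saml_response_xml.encode("utf-8")).decode("ascii")
    fields = f'<input type="hidden" name="SAMLResponse" value="{b64}"/>'
    if relay_state:
        fields += ('<input type="hidden" name="RelayState" '
                   f'value="{html.escape(relay_state, quote=True)}"/>')
    return (
        f'<form method="post" action="{html.escape(ACS_URL, quote=True)}">{fields}'
        '<noscript><input type="submit" value="Continue"/></noscript></form>'
        "<script>document.forms[0].submit();</script>"
    )


def decode_post_binding(form_fields):
    """What the SP's ACS does with the POSTed body (a dict of form fields)."""
    return base64.b64decode(form_fields["SAMLResponse"]).decode("utf-8")


if __name__ == "__main__":
    rid = new_request_id()
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    url = redirect_binding_url(build_authn_request(rid, now), relay_state="/leave/apply")
    print(url)
    print(decode_redirect_binding(url)[1])   # "/leave/apply"
```

The `wbits=-15` detail is the one that trips people up when hand-decoding a SAMLRequest from a trace: the Redirect binding uses raw DEFLATE, so a plain `zlib.decompress()` (which expects a zlib header) fails. The POST binding never compresses, which is why the same trace shows SAMLResponse as plain base64 XML. RelayState is attacker-controllable on the way back, so an SP must treat it as an untrusted return path and never as session state.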


Q8. What’s the difference between SAML and OAuth?

Answer:

Feature | SAML | OAuth 2.0
Purpose | SSO (authentication, with attributes the SP can use for authorization) | Delegated authorization (API access)
Format | XML assertions | Bearer tokens (opaque strings or JWTs, i.e. JSON)
Use Case | Log in to apps via an IdP | Give an app permission to act on your behalf (e.g. access your Google Drive)

“SAML is for authentication and is used in enterprise SSO.
OAuth is for delegated authorization, often used in mobile and web apps; on its own it is not a login protocol, which is why OpenID Connect adds an identity layer on top of it.”


Q9. Can SAML be used for mobile apps?

Answer:

“SAML is XML-based and built around browser redirects and form posts, which makes it heavy for native mobile apps.
OAuth 2.0 + OpenID Connect (OIDC) is more common for mobile use because of its lightweight JSON/JWT tokens and its native-app flows.”


Q10. What’s the role of metadata in SAML?

Answer:

“SAML metadata is an XML file that contains the configuration details needed to set up trust:

  • Entity ID

  • SSO / ACS URLs and the binding each one supports

  • Signing (and optionally encryption) certificates

Both the IdP and SP exchange metadata to establish trust and enable secure communication.”


Q11. How do you implement SAML in a project?

Answer:

“I set up SAML-based SSO using Okta as the IdP and a WordPress app as the SP.
I configured the SAML integration in Okta, provided the metadata to the app, and enabled login via Okta.
I tested the login flow, verified SAML assertions, and ensured secure SSO was working end-to-end.”


Q12. What are some common issues in SAML and how do you troubleshoot them?

Answer:

Common issues:

  • Clock skew – the assertion's NotBefore / NotOnOrAfter window is checked against the SP's clock; if the IdP and SP disagree by more than the SP's tolerance (typically a few minutes), every login fails. Fix the clock with NTP rather than widening the tolerance.

  • Wrong Entity ID or ACS URL – the SP rejects an assertion whose Audience does not match its own Entity ID, or whose Recipient/Destination does not match its ACS URL.

  • Expired or rotated certificate – the SP still holds the old IdP signing certificate, so signature validation fails after the IdP rotates its key.

  • Mismatched NameID or user attribute – the IdP sends one identifier (e.g. username) while the SP maps accounts by another (e.g. email), so the user is authenticated but cannot be matched to an account.

I troubleshoot using browser dev tools, a SAML trace extension (e.g. SAML-tracer) to decode the SAMLRequest/SAMLResponse the browser carries, and the SP and IdP server logs.

Written by

Shahrukh Ahmad

Passionate about coding and the limitless possibilities of cloud technology. I thrive on turning ideas into scalable, efficient solutions. Let's connect and explore the exciting synergy between code and the cloud! 🤖 AI / ML🧠| 📊 - Data Science |Azure☁️AWS | Linux🐧| Windows🖥️| Python | JAVA | 🐳 Docker | Git | Gitlab | ⚓️Kubernetes | 🚀 Jenkins CI/CD | 🏗️ terraform | SQL.