How SAML works
SAML defines two roles: the identity provider (IdP), which authenticates users, and the service provider (SP), which is the application the user wants to reach. When a user opens the application, the SP redirects the browser to the IdP with an authentication request. The IdP verifies the user, then posts back a SAML assertion, an XML document that states who the user is and when they authenticated.
The assertion is digitally signed with the IdP certificate, and the SP validates that signature against metadata exchanged during setup. Assertions can also carry attributes such as email, groups, and roles, which the application uses to authorize the user. The whole exchange happens through browser redirects, so the SP and IdP never need a direct network path to each other.
Why SAML matters
SAML 2.0, finalized in 2005, became the backbone of enterprise single sign-on and remains deeply embedded in business software. Thousands of SaaS products, government systems, and internal enterprise applications expose SAML as their primary or only federation option, so any serious identity platform must speak it fluently.
For security teams, SAML removes application-local passwords and centralizes authentication policy at the IdP. For vendors, supporting SAML is often the gate to enterprise sales, since procurement checklists routinely require it. Although newer applications increasingly prefer OpenID Connect, SAML will remain essential for interoperability for years to come.
SAML in practice
Setting up a SAML integration means exchanging metadata between the IdP and the SP: entity IDs, endpoint URLs, and signing certificates. Most identity platforms ship pre-built connectors for popular applications that reduce this to a few fields. Attribute mapping deserves care, since applications differ in how they expect names, emails, and group claims to arrive.
Operationally, the most common failure modes are expired signing certificates, clock skew between systems, and mismatched name ID formats, so certificate rotation and monitoring belong in the runbook. Monosign implements SAML 2.0 in both roles, acting as IdP for applications and as SP when federating with external identity sources.