SAML

What is SAML?

SAML (Security Assertion Markup Language) is an open, XML-based standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). Maintained by the Security Services Technical Committee of OASIS, the current version, SAML 2.0, was approved as an OASIS Standard in March 2005.

SAML underpins Single Sign-On (SSO) for enterprise web applications. An employee authenticates once with a central IdP (such as Okta, Microsoft Entra ID, or Google Workspace), and that verified identity is passed to every connected application through signed XML assertions. The SP never receives the user's password. It verifies the IdP's digital signature on the assertion against the IdP certificate it has on file, checks the validity window (NotBefore/NotOnOrAfter), the intended audience (its own entity ID), and that the assertion was delivered to its own endpoint in answer to a request it actually issued, and only then grants access. An SP that verifies the signature but skips the audience or request checks will accept a correctly signed assertion that was issued for a different application or replayed from an earlier login. This separation gives IT teams a single control plane for managing who can log into what, rather than maintaining separate credentials across dozens of SaaS tools, which is what makes SAML the protocol layer for centralized identity management across the application stack.
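The service-provider-side checks described above, as an added example in Python (it is not code from the original article or from any SAML library). It assumes the XML signature over the assertion has already been verified by an XML-DSig library (python3-saml, signxml or xmlsec) against the IdP certificate pinned in the SP's configuration; everything else, the entity IDs, ACS URL, request ID, the two-minute clock skew and the sample assertion, is constructed for illustration.

```python
"""SP-side validation of a SAML 2.0 bearer assertion, after signature verification.

Assumption (this example, not any library's API): the XML signature on the
Response/Assertion has ALREADY been verified against the IdP's pinned
certificate. The checks below decide whether that correctly signed assertion
may be accepted by *this* SP, for *this* login attempt, *now*.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree on untrusted input in production

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Hypothetical SP configuration and outstanding request (constructed values).
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
ACS_URL = "https://app.example.com/saml/acs"
REQUEST_ID = "_req-8d3f"
T_VALID = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)
T_EXPIRED = T_VALID + timedelta(minutes=10)

# Constructed sample assertion (no signature element; see module docstring).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_assertion-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml2</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://app.example.com/saml/acs"
          InResponseTo="_req-8d3f" NotOnOrAfter="2024-05-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T11:59:50Z" SessionIndex="_sess-1"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>engineering</saml:AttributeValue>
      <saml:AttributeValue>oncall</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class AssertionRejected(Exception):
    """Raised when a signed assertion must still not be accepted by this SP."""


def _ts(value: str) -> datetime:
    """Parse a SAML xs:dateTime such as 2024-05-01T12:00:00Z as an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text: str, *, audience: str, recipient: str, in_response_to: str,
                       now: datetime, skew: timedelta = timedelta(seconds=120)) -> dict:
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        raise AssertionRejected("root element is not saml:Assertion")

    # 1. Validity window from Conditions, allowing a small clock skew against the IdP.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("no Conditions element")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _ts(not_before):
        raise AssertionRejected("assertion not yet valid")
    if not_on_or_after and now - skew >= _ts(not_on_or_after):
        raise AssertionRejected("assertion expired")

    # 2. Audience: without this check an assertion minted for another app at the same IdP is accepted here.
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if audience not in audiences:
        raise AssertionRejected(f"audience {audiences} does not include {audience}")

    # 3. Bearer subject confirmation: bound to our ACS URL and to the AuthnRequest we sent.
    scd = None
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            scd = sc.find("saml:SubjectConfirmationData", NS)
            break
    if scd is None:
        raise AssertionRejected("no bearer SubjectConfirmationData")
    if scd.get("Recipient") != recipient:
        raise AssertionRejected("Recipient does not match our ACS URL")
    if scd.get("InResponseTo") != in_response_to:
        raise AssertionRejected("InResponseTo does not match an outstanding AuthnRequest")
    scd_expiry = scd.get("NotOnOrAfter")
    if scd_expiry and now - skew >= _ts(scd_expiry):
        raise AssertionRejected("subject confirmation expired")
    # A production SP also records Assertion/@ID here and rejects a second presentation (replay).

    # 4. Identity and attributes handed to the application (NameID plus multi-valued attributes).
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise AssertionRejected("missing NameID")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return {"name_id": name_id, "attributes": attrs, "assertion_id": root.get("ID")}


def try_validate(xml_text: str, **kwargs):
    """Return (accepted, result_or_reason) so a caller can log the rejection reason."""
    try:
        return True, validate_assertion(xml_text, **kwargs)
    except AssertionRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    common = dict(recipient=ACS_URL, in_response_to=REQUEST_ID)
    print(try_validate(SAMPLE_ASSERTION, audience=SP_ENTITY_ID, now=T_VALID, **common))
    print(try_validate(SAMPLE_ASSERTION, audience="https://other.example.com/saml/metadata", now=T_VALID, **common))
    print(try_validate(SAMPLE_ASSERTION, audience=SP_ENTITY_ID, now=T_EXPIRED, **common))
```

The order matters less than completeness: each of the four steps rejects a class of otherwise well-signed assertions (stale, wrong application, wrong endpoint, unsolicited or replayed). The signature check this example assumes must itself be done against a certificate from the SP's configuration, never against a certificate carried inside the message.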

Key Takeaways

  • Open XML Standard: An XML-based standard maintained by OASIS for exchanging authentication and authorization data between parties.
  • SSO Foundation: Employees access multiple applications with a single set of credentials verified at one central identity provider.
  • Assertion-Based Architecture: Uses digitally signed XML documents carrying authentication statements, user attributes, and authorization data.
  • Complementary Protocol: Works alongside SCIM for provisioning and OAuth 2.0 for API authorization rather than replacing them.

Why SAML Matters

For IT teams managing internal operations across multiple SaaS applications, SAML is the protocol that turns scattered, per-application credential management into a centralized authentication model.

  • Reduced Credential Sprawl: Consolidating authentication at a single IdP means connected applications hold no password for the employee at all, which removes the weak, reused per-application passwords attackers target and concentrates the one credential that matters at the IdP, where MFA can be enforced once.
  • Centralized Access Revocation: Disabling an account at the IdP blocks every new SSO login to all connected applications, closing manual deprovisioning gaps. Sessions an application has already established persist until they expire or are ended through SAML Single Logout or the application's own session controls, so short application session lifetimes are part of the revocation story.
  • Lower Help Desk Volume: Enterprise SSO consolidates password resets and provisioning processes, reducing the volume of routine help desk tickets.
  • Unified Audit Trail: Every login event is logged at the IdP, giving compliance teams a single source of truth for access reviews.

Without SAML-based SSO, each application maintains its own authentication silo, forcing IT teams to reset passwords across individual systems and chase down orphaned accounts during offboarding. NSA and CISA identity guidance treats federation protocols like SAML as the standard way to centralize authentication, and federal SSO guidance points to consolidated password resets and fewer credential silos as core benefits.

SAML in Action

A 250-person fintech company hires 15 new employees in a single month. Without SAML-based SSO, the three-person IT team would create individual accounts across Slack, GitHub, Jira, and the company's internal tools, generating separate credentials for each system. Password reset requests would pile up within the first week.

With SAML configured through their IdP, each new hire authenticates once and gains access to every application assigned to them through signed assertions. When an employee transfers from engineering to product management, IT updates their role attributes (for example group membership) at the IdP, and applications that map those attributes to their own roles adjust access accordingly. When someone leaves, a single deprovisioning action at the IdP revokes SSO access everywhere.

How Siit Supports SAML

Siit's AI Service Desk connects SAML-based identity infrastructure to internal service operations by unifying access request workflows with the IAM tools that enforce authentication policies.

  • Identity Sync: Integrations with Okta, Microsoft Entra ID, JumpCloud, and Google Workspace sync employee identity data directly into Siit, so access requests arrive with full context, including role, department, and current permissions.
  • AI Triage Routing: AI Triage automatically routes access-related requests to the right team based on the application, the requester's profile, and pre-configured rules.
  • Approval and Execution: Rapid Approvals trigger structured workflows where managers review requests with the employee's 360° Employee Profile attached, approve in one click, and Power Actions execute the provisioning step directly in the connected IdP.
  • Lifecycle Automation: IT Agent runs custom playbooks for onboarding and offboarding sequences, provisioning accounts across SAML-connected applications, syncing employee data from BambooHR or Workday integrations, and creating a compliance audit trail through Analytics & Reporting.

By sitting between the employee request and the identity provider action, Siit turns what would be a manual, multi-step coordination process into an automated workflow that resolves access changes end to end.

Want to connect your SAML-based identity stack to automated access workflows and reduce manual provisioning steps? Book a demo to see how Siit can help.