ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

OASIS-SAML-2-0

OASIS SAML 2.0 SSO federated identity XML-based 2005.

Definition

SAML 2.0 key concepts: (1) Assertions: XML documents containing Authentication Statement (when + how user authenticated), Attribute Statement (user attributes name + email + groups + custom), Authorization Decision Statement (whether user authorized for resource), digitally signed by IdP. (2) Protocols: Authentication Request Protocol (SP requests authentication user IdP), Single Logout Protocol (SLO logout from all SPs), Artifact Resolution Protocol, Assertion Query and Request Protocol. (3) Bindings: transport mechanisms (HTTP Redirect Binding, HTTP POST Binding most common Web SSO, HTTP Artifact Binding, SAML SOAP Binding, etc.). (4) Profiles: combinations of assertions + protocols + bindings for specific use cases (Web Browser SSO Profile most popular, Enhanced Client or Proxy ECP Profile, Single Logout Profile, etc.). (5) Components: Identity Provider (IdP), Service Provider (SP), User Agent (browser typically), Metadata XML (describes IdP/SP capabilities + endpoints + certificates). Comparison OIDC OpenID Connect (modern alternative based OAuth 2.0 + JSON-based): SAML SOAP-XML heavyweight + better for enterprise legacy + Browser SSO traditional, OIDC lightweight + JSON + better for mobile + modern web apps. SAML 2.0 remains dominant enterprise SSO (~70% large enterprises) due maturity + ecosystem.

Origin

SAML 1.0 OASIS Standard 2002 ; SAML 1.1 OASIS Standard 2003 ; SAML 2.0 OASIS Standard 15 March 2005 ; ongoing maintenance OASIS SSTC.

Example in context

Salesforce.com enterprise customer uses Okta IdP for SSO into Salesforce SP via SAML 2.0 Web Browser SSO Profile: user clicks Salesforce login, Salesforce redirects browser to Okta with SAML AuthnRequest, Okta authenticates user, Okta redirects browser back to Salesforce with SAML Assertion (signed XML containing user attributes), Salesforce validates assertion + grants session.

Last updated: May 16, 2026