By now in our Application Security series, we’ve covered the other security standards like – OAuth 2.0 and OpenID Connect — both powerful and modern standards for API authorization and user authentication. But walk into any large enterprise today, and odds are, they’re still using SAML.
Note: This article belongs to Part 2.3: Security Standards in our Application Security series.
Yes, SAML — the XML-based Single Sign-On (SSO) standard that predates OAuth. While it might feel old-school, it’s anything but irrelevant. In fact, SAML is the backbone of identity federation in many corporations, government agencies, and enterprise SaaS platforms.
This post is for anyone, developers/architects/product owners/Quality Engineers, who want to understand what SAML is, how it works, and why it’s still essential — especially if you’re building or integrating with enterprise systems. We’ll also show how Spring Security supports SAML 2.0 out of the box, making it easier than ever to plug into legacy identity ecosystems without compromising on modern development practices.
Why SAML Still Matters
Before diving into the details, it’s worth asking:
Why would anyone still use SAML in 2025?
Because for large organizations, SAML solves a critical problem: how to authenticate users securely across many apps — without asking them to log in every time.
It’s built for:
- Enterprise-grade SSO
- Federated identity across domains
- On-prem + cloud hybrid environments
- Vendor integrations that must trust a central identity system
And despite its age, it’s incredibly reliable and widely supported by Identity Providers (IdPs) like Azure AD, Okta, ADFS, Ping Identity, and many more.
What Exactly Is SAML?
SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between two parties:
- The Identity Provider (IdP) — which authenticates the user
- The Service Provider (SP) — which provides access to the application
Unlike OAuth, SAML is not about granting scoped access to APIs. It’s about saying:
“This user has been authenticated by a trusted authority. Here’s who they are.”
That’s it. No tokens for APIs. No refresh flows. Just assertions passed between trusted systems over secure channels.
A Developer’s Walkthrough of the SAML Flow
Let’s imagine a scenario:
You’re building an internal dashboard for a large enterprise. The users already authenticate daily via their corporate login system (say, Azure AD or Okta). Your app shouldn’t ask for credentials again — it should trust that central login.
Here’s what happens behind the scenes (Service Provider – initiated flow):
- The user visits your app (
https://dashboard.company.com) - Spring Security notices no session, so it redirects to the IdP
- The IdP prompts login (if not already logged in)
- On successful authentication, the IdP sends a signed XML assertion back to your app via a POST
- Spring Security validates the signature, extracts identity claims, and logs the user in
No passwords ever touch your app. That’s the magic of SAML.
Inside the SAML Assertion
The core of the whole flow is the SAML Assertion — an XML payload that tells the Service Provider (your app):
- Who the user is (
NameID) - What attributes they have (
email,roles, etc.) - That the assertion is digitally signed by the IdP
- That it is valid only for your app (via audience restriction)
Example (simplified):
<saml:Assertion>
<saml:Subject>
<saml:NameID>[email protected]</saml:NameID>
</saml:Subject>
<saml:AttributeStatement>
<saml:Attribute Name="email" Value="[email protected]"/>
<saml:Attribute Name="roles" Value="manager"/>
</saml:AttributeStatement>
</saml:Assertion>
Spring Security parses this, validates it, and populates the SecurityContext with the user’s identity.
Implementing SAML with Spring Security
Spring Security’s SAML 2.0 support makes integration straightforward.
Step 1: Add dependencies
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-saml2-service-provider</artifactId>
</dependency>
Step 2: Configure the IdP metadata
spring:
security:
saml2:
relyingparty:
registration:
enterprise-idp:
identityprovider:
metadata-uri: https://idp.company.com/metadata
Step 3: Setup the security filter chain
@Configuration
@EnableWebSecurity
public class SAML2SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.saml2Login() // SAML 2.0 Login
.and()
.authorizeHttpRequests(auth -> auth
.anyRequest().authenticated()
);
return http.build();
}
}
That’s it. Spring Security handles:
- Metadata exchange
- Redirects to the IdP
- XML signature validation
- Extraction of user attributes
Accessing the Authenticated User
You can inject the authenticated principal like this:
@GetMapping("/user")
public String userInfo(@AuthenticationPrincipal Saml2AuthenticatedPrincipal principal) {
String email = principal.getFirstAttribute("email");
List<String> roles = principal.getAttribute("roles");
return "Welcome " + email + ", Roles: " + roles;
}
SAML vs OIDC: Which One to Choose?
| Scenario | Use SAML? | Use OIDC? |
|---|---|---|
| Enterprise SSO with Okta / Azure AD | ✅ | ✅ |
| Legacy app with XML metadata only | ✅ | ❌ |
| Mobile apps or SPAs | ❌ | ✅ |
| OAuth-protected APIs | ❌ | ✅ |
| Federated SSO for external vendors | ✅ | ✅ |
🟢 TL;DR: If your IdP supports both and you’re building a modern app — prefer OIDC.
But if you’re integrating into a legacy-heavy or B2B enterprise setup — SAML is often the only option.
Best Practices
- Always validate the digital signature and audience
- Keep assertions short-lived (minutes, not hours)
- Use HTTPS everywhere — SAML doesn’t encrypt by default
- Don’t mix SAML with OAuth flows unless you really know what you’re doing
- Leverage attribute mapping for roles and permissions — but don’t blindly trust them
Conclusion
SAML may not be shiny or JSON-based, but it’s battle-tested, widely supported, and extremely effective at enabling federated login across large organizations.
If you’re building for the enterprise, you’ll likely encounter SAML — and thanks to Spring Security, you can integrate it cleanly, securely, and without reinventing the wheel.
Check out https://en.wikipedia.org/wiki/SAML_2.0 and https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language Wikipedia links for more information on the current topic.
What’s Next
Up Next in our Application Security Series is:
Part 3.1 👉 How LDAP Works: Directory-Based Identity for Secure Application Access
We’ll explore about LDAP and its secrets:
- How directory servers like OpenLDAP or Active Directory work
- What the LDAP protocol looks like
- How to authenticate against it using Spring Security
Have a Question?
Whether you’re wrestling with SAML assertions or trying to get Spring Security and your IdP to speak the same language, feel free to share your scenario or questions in the comments.
SAML can feel arcane — but it’s a lot more approachable once you’ve seen it work end to end.
