What Is SAML? XML-Based Single Sign-On
SAML is an XML-based standard that lets an identity provider tell an application that a user is authenticated, enabling single sign-on.
SAML, the Security Assertion Markup Language, is one of the original standards for enterprise single sign-on. It defines how an identity provider issues a signed XML assertion vouching for a user, and how an application consumes it. For engineering teams, SAML is often what gates human access to source hosts, cloud consoles, and CI/CD dashboards.
How a SAML flow works
A user tries to reach an application (the service provider). The application redirects to the identity provider, which authenticates the user and returns a signed SAML assertion. The application validates the signature and grants access. The user never gives the application a password.
The key pieces
- Identity provider (IdP): authenticates users and issues assertions.
- Service provider (SP): the application the user wants to reach.
- Assertion: a signed XML statement about the user identity and attributes.
SAML versus OpenID Connect
SAML uses XML and is well entrenched in enterprise software. OpenID Connect uses JSON and JWTs and fits modern web and mobile apps more naturally. Many organizations run both, choosing per application based on what each one supports.
SAML and CI/CD access
SAML typically governs interactive, human access to platforms, including CI/CD tools. Pipelines themselves do not use SAML to authenticate to services; they use tokens and OIDC. SAML is about people logging in, not jobs calling APIs.
Security considerations
SAML security rests on signature validation and correct configuration. Misvalidated signatures, replayed assertions, and overly broad attribute mappings are classic pitfalls. Because the IdP is the trust anchor, it must be strongly protected.
Where it fits
For a team using Latchkey, SAML would govern who can sign in to the dashboard through your IdP, while runner and pipeline authentication relies on scoped, short-lived credentials rather than SAML assertions.
Key takeaways
- SAML uses signed XML assertions to enable single sign-on for human access.
- It pairs an identity provider with service providers that trust its signatures.
- It governs interactive login, not machine-to-machine pipeline authentication.