
Security Assertion Markup Language

Definition

An XML-based open standard for exchanging authentication and authorization data between an identity provider and a service provider, making Single Sign-On work across different domains.

Security Assertion Markup Language (SAML) is an open standard that lets an identity provider hand a service provider signed statements, called assertions, about a user it has just authenticated. It is the most widely used protocol for enterprise Single Sign-On in education. When a user tries to access an application, SAML handles the sign-in by exchanging XML-based messages between the identity provider (which verifies the user's credentials) and the service provider (which grants access on the strength of the assertion, without ever seeing the user's password).

In a typical school deployment, the institution's identity provider (such as Microsoft Entra ID, formerly Azure AD, or Shibboleth) authenticates users and sends a SAML assertion to the application. That assertion carries the user's identifier, attributes such as affiliation and group membership, and the time window in which it is valid. The application verifies the identity provider's digital signature on the assertion, confirms that the assertion was issued for it and is still within its validity window, and only then grants access without requiring a separate login.

SAML 2.0 is especially important in higher education, where federated identity systems like InCommon let users from one institution access resources at another. OpenEduCat supports SAML 2.0, enabling single sign-on for institutions that already have identity management in place.

SAML is the dominant identity federation standard in higher education specifically because it was designed for cross-organizational trust relationships. That is critical for institutions that participate in research collaborations, consortia, and multi-campus systems, where a user's home identity provider must be trusted by service providers at many other organizations it has never contacted directly.

The practical setup involves three parties: the Identity Provider (IdP), which holds the user directory and performs the actual login; the Service Provider (SP), which is the application requesting authentication; and the user's browser, which carries the messages between them (the two servers never need to talk to each other directly). Before any login can happen, the IdP and SP exchange metadata: entity IDs, endpoint URLs and the X.509 signing certificates each side will use to verify the other's messages. When a student clicks "Login" on the LMS, the LMS redirects the browser to the institution's IdP with a SAML authentication request (an AuthnRequest, usually compressed and base64-encoded into the query string). The IdP authenticates the student and returns a digitally signed, and optionally encrypted, assertion to the LMS by having the browser POST it to the LMS's assertion consumer service URL. The LMS verifies the signature against the IdP's certificate, checks that the assertion is addressed to it and still valid, and then creates a session. From the user's perspective the whole round trip typically completes in under a second.

When evaluating education software, SAML support is non-negotiable if you run an enterprise identity provider such as AD FS or Microsoft Entra ID in front of Active Directory, or Shibboleth. The setup process should be well-documented, and your identity provider admin should be able to complete it without vendor help using standard configuration parameters: the SP's entity ID, assertion consumer service URL and metadata, plus the attribute names it expects. Red flags include vendor requirements for custom attribute names that deviate from the eduPerson and urn:oid attribute schemas used across higher education, proprietary SAML extensions, or long delays between metadata exchange and working authentication. Ask, too, whether the application rejects unsigned or expired assertions, checks the audience, and supports rotating the IdP signing certificate without downtime; an SP that skips those checks will accept assertions it should not.

Frequently Asked Questions

What is the difference between SAML and OAuth?

SAML is primarily for authentication and SSO in enterprise environments, using signed XML assertions delivered through the browser. OAuth 2.0 is an authorization framework for granting third-party apps limited, delegated access to a user's resources by way of bearer access tokens; on its own it does not tell the app who the user is, which is why OpenID Connect layers an identity token on top of it. In practice, SAML remains more common for enterprise and federated SSO, OAuth handles API authorization, and OpenID Connect is the usual choice when a newer application needs browser SSO without XML.
