SAML

New Pluralsight Course: Getting Started with SAML 2.0

21 January 2021 SAML

SAML is the protocol that no one wants to use. But if you must use it, at least you now have a modern, detailed introduction to SAML thanks to my new Pluralsight course: Getting Started with SAML.

You’ll hear the common phrase that "SAML is dead", but we have been saying this for almost a decade, and it hasn’t gone anywhere. SAML continues to be one of the most used single sign-on protocols around, especially within large enterprises and government institutions.

This course is entirely programming-free and is suitable for software developers of any language or stack. That being said, if you’re looking to get started with SAML in ASP.NET Core, I highly recommend this course as your first step.


The Dangers of SAML IdP-Initiated SSO

06 June 2019 SAML Last Updated: 28 November 2021

When using SAML, you have two methods for starting Single Sign-On (SSO): SP-initiated or IdP-initiated. Both have their use cases, but one is more secure than the other. No points for guessing from the title.

These flows run entirely within the browser and are defined by SAML’s Web SSO profile, which is the main use case of modern SAML (SAML in the 2020s). The issues raised in this article apply to all three binding types: redirect, POST, and artifact.
