The following descriptions are meant to assist understanding SAML. More formal descriptions may be found in the SAML specification.
Security Access Markup Language
The Security Access Markup Language (SAML) is an XML-based set of specifications defining message content, protocols, transport bindings and related information to enable federated single sign-on.
SAML Single Sign-On
SAML single sign-on (SSO) permits a user who has logged in at one web site to be automatically authenticated at other web sites. This provides for a better user experience and reduces the cost of maintaining user directories across multiple sites.
SAML Identity Provider
The identity provider (IdP) web application or site is where the user presents their credentials and is logged in. The method of authentication is application specific and not dictated by the SAML specification. The identity provider makes information about the user available to the service provider (SP) web application or site to enable SAML SSO.
SAML Service Provider
The service provider (SP) web application or site receives from an identity provider information about an authenticated user who wishes to single sign-on to the service provider. The service provider uses this information to automatically log the user in. The user is not prompted to present their credentials at the service provider, nor does the identity provider supply the service provider with the user's password. Instead, user information, including their name and optional attributes such as their email address, is supplied by the identity provider and used by the service provider to perform an automatic login. The method of automatic login at the service provider is application specific and not dictated by the SAML specification.
A trust relationship must exist between the identity provider and service provider for SAML SSO to work. The service provider must trust that the identity provider has authenticated the user and that the information presented to the service provider is correct. Typically, the information presented to the service provider is signed. This ensures that the information hasn't been modified by a third party and that it originated from the identity provider.
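The checks a service provider performs before it trusts an assertion, as an added example that is not part of the original description. It uses a constructed, simplified SAML assertion, assumed entity IDs for the IdP and SP, and a shared-key HMAC over the canonicalized assertion as a stand-in for the RSA XML Signature a real deployment uses, so that it runs with the Python standard library alone.

```python
"""Added example: service-provider-side validation of a (simplified, constructed)
SAML assertion. The XML-DSig/RSA signature of a real deployment is replaced by an
HMAC over the canonicalized assertion so the script runs with the standard library."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_IDP = "https://idp.example.com/metadata"  # assumed IdP entityID the SP trusts
SP_ENTITY_ID = "https://sp.example.com/metadata"  # assumed entityID of this SP
IDP_KEY = b"demo-idp-signing-key"                 # stand-in for the IdP's signing key

# Constructed sample assertion (not from the page): who was authenticated,
# by whom, for which audience, and for how long the statement is valid.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_demo1" IssueInstant="2024-01-01T00:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def canonical(xml_text):
    # Canonicalize so insignificant whitespace differences do not affect the MAC.
    return ET.canonicalize(xml_text, strip_text=True).encode()


def idp_sign(xml_text):
    """What the IdP does before sending: bind the assertion to its key."""
    return hmac.new(IDP_KEY, canonical(xml_text), hashlib.sha256).hexdigest()


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sp_validate(xml_text, signature, now):
    """Return (ok, subject_or_reason, attributes) for an incoming assertion."""
    # 1. Integrity and origin: the signature must verify under the trusted IdP's key.
    if not hmac.compare_digest(idp_sign(xml_text), signature):
        return False, "signature invalid", {}
    root = ET.fromstring(xml_text)
    # 2. The issuer must be the identity provider this SP has a trust relationship with.
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        return False, "untrusted issuer", {}
    # 3. The assertion must be addressed to this service provider.
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "wrong audience", {}
    # 4. The assertion must be used inside its validity window.
    cond = root.find("saml:Conditions", NS)
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        return False, "outside validity window", {}
    # Only now is the user information used to log the user in.
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.findall(".//saml:Attribute", NS)}
    return True, subject, attrs


if __name__ == "__main__":
    sig = idp_sign(ASSERTION)
    print(sp_validate(ASSERTION, sig, parse_time("2024-01-01T00:01:00Z")))
    # A modified assertion with the original signature is rejected at step 1.
    print(sp_validate(ASSERTION.replace("alice", "mallory"), sig, parse_time("2024-01-01T00:01:00Z")))
```

The order of the checks matters: the signature is verified before any content is read, so issuer, audience and validity decisions are only ever made on data the identity provider actually sent. A real SP performs the same four checks, but with XML Signature verification against the IdP's certificate from its metadata in place of the HMAC.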