SAML is 20 years old. It runs the Fortune 500 anyway.

SAML 1.0 was ratified in late 2002, which makes the protocol twenty years old, several years older than the phrase cloud computing in common usage. Industry commentary has been writing its obituary for at least a decade. Meanwhile, across our customer base, SAML fronts a clear majority of workforce single sign-on connections, including at every one of our financial services customers. Both facts are true. This post is about holding them honestly.
Why it refuses to die
SAML survives because it solved the correct problem with the incorrect ceremony. The problem: let an enterprise prove to a vendor who its employees are, without sharing credentials, across organizational boundaries, with signatures a lawyer can point to. That contract is exactly what federated business relationships need, and it was nailed in 2005 with SAML 2.0. Meridian Bank federates with 130 partner organizations today; the reason that works at all is a two-decade accumulation of implementations, audit precedents, and procurement language. Protocols with network effects do not die of age. They die of replacement, and replacement requires every counterparty to move at once.
The parts that deserve the criticism
None of this is a defense of SAML's engineering surface, which I will not romanticize. XML signature verification is a minefield with decades of CVEs to prove it; canonicalization bugs, signature wrapping, and comment-handling quirks have each produced authentication bypasses in major implementations. Clock skew between IdPs breaks assertions in ways that get misdiagnosed for days. Metadata and certificate rotation remain, in practice, an email between administrators and a prayer. Our own hardened SAML stack rejects entire categories of technically valid but dangerous assertions, and we consider that opinionation a feature our customers pay for.
Legacy is not a pejorative. Legacy means it worked long enough for you to build a business on top of it.
What we tell customers
Our guidance is unromantic in both directions. Default to OIDC for anything new; it is smaller, better specified where it counts, and its failure modes are less exotic. Keep SAML for the federations where it is working, because a functioning trust relationship with a 130-partner network is an asset, not technical debt. And abstract the difference so that application teams never touch either protocol directly; that is Universal SSO's entire reason to exist. The dangerous posture is not running SAML in 2023. It is running SAML you no longer understand, with configurations nobody has reviewed since the person who created them left. Age is not the vulnerability. Neglect is.
So happy twentieth to the protocol everyone loves to bury. We will be maintaining our corner of it with full seriousness for at least another decade, because that is roughly the minimum time any honest person should expect it to matter.
Writing from inside the identity layer since 2023. For the conversation this post starts, bring it to your next architecture review — or to ours.
