SAML

An XML-based protocol for federated single sign-on, widely used in enterprise SaaS.

SAML lets an identity provider (Okta, Azure AD, JumpCloud) issue assertions that a user has authenticated, which a service provider (a SaaS app) accepts as proof of identity. SAML predates JSON-friendly standards by a decade; the XML payloads are verbose but the protocol is mature and broadly supported. SAML is often paywalled by vendors at higher pricing tiers, which procurement teams call the "SSO tax" when negotiating contracts.