About Simple SAML.
SSO infrastructure for teams that ship SAML without owning the stack.
Simple SAML is the SSO layer between your application and your clients' identity providers. You configure a connection in the dashboard. Your client's IT admin uploads their IdP metadata. End users sign in through a standards-compliant flow that you never have to maintain. Your application receives a signed JWT and treats it like any other authenticated session.
Why we exist
Every B2B product eventually meets the same request: we need SSO before we can buy. SAML is the protocol that answers it, and it is a protocol almost no one on a typical engineering team has worked with before. The surface is wide, the libraries are creaky, and the consequences of getting it wrong are unauthorized access into your clients' systems.
SSO is not your product. It is a feature your clients expect to work every time, whether your client is a five-person design studio on Google Workspace or a five-thousand-person bank running on-prem ADFS, and it is a feature no one on your team is trying to specialize in. Simple SAML lets you ship it as a finished piece of infrastructure: standards-compliant, security-hardened, and run by a team that works on SAML day after day so that your team doesn't have to.
How we build
- Focused scope. We do one thing: SAML 2.0 in, signed JWT out. Keeping the surface narrow keeps the failure modes predictable and the security posture defensible.
- Standards over magic. We sign JWTs with RS256 and publish a JWKS at /.well-known/jwks.json. Verification is whatever your existing JWT library already does. No SDK lock-in.
- Conservative defaults. Replay protection, certificate-expiry checks, audience validation, and assertion-signature verification are on by default. There is no flag that loosens them.
- Reliability over flexibility. When SSO breaks, your clients can't log in. We operate the proxy as critical infrastructure rather than as a side feature, and design every change with that constraint in mind.
Compliance
SOC 2 Type 1, a signed data processing agreement, and a contractual SLA are in progress. Procurement teams that need any of these today can reach legal@simplesaml.com for current status and interim documentation.
Get in touch
Product questions, bug reports, and general inquiries go to support@simplesaml.com. Security reports go to security@simplesaml.com. Procurement, partnerships, and contract questions go to legal@simplesaml.com.