I am studying SAML and SSO, and it looks like the application that use SAML need to be a web application and relying on a browser.
Can anybody tell me why?
My limited knowledge of SAML tells me that SAML relies on session and cookie, which is not available in desktop application or mobile app. Is that the only reason? Can you give me more details about this?
Well you are partly wrong. There are different access profiles for SAML2. Web browser Single Sign On is probably the most widely used one. It's based on redirects and as name suggest, it needs browser. You can use for example ECP (Enhanced Client or Proxy) profile for command line clients. Sample implementations in different languages are available on Shibboleth Contribution Sites and ECP profile page
Check OASIS documentation for further details
Edit1:
I don't know why are you assuming that I am less lazy than you;)
Here is brief description of ECP profile. In general you should be able to obtain Assertion from IdP and then feed SP with it, without redirections. Unfortunately I don't have much experience with using ECP profile (yet). I am only familiar with the theory.
