Understanding single sign-on (SSO) conceptually is great, but actually implementing SSO can be a tricky business, especially if you don't do it very often or have no experience with SSO at all. While there are many modes of SSO available for consumer apps, such as OAuth, SAML is still very prevalent in the enterprise applications space.
Salesforce is amazing in that, with no hassle and for free (read $0.00), you can set up a SAML SSO environment with two Developer Edition (DE) orgs, one as a service provider and one as an identity provider. This should give you a fine test bed for exploring the protocol and also for testing integrations with other systems. Unfortunately, the best tutorial previously available is now outdated, presenting a challenge to new SSO admins trying to wrap their heads around SAML 2.0 and Salesforce.
To bridge the gap, I consolidated a day's worth of tinkering and re-learning into a single SAML 2.0 SSO Tutorial for Salesforce. I hope that other developers and admins can benefit from this guided exploration of both sides of SAML 2.0, using Salesforce both as an identity provider and as a service provider.
UPDATED April 15, 2014: Thank you, Chuck Mortimore, for sharing a link to a more in-depth walkthrough on Developer Force for implementing SAML 2.0 SSO using Salesforce.