Skip to content

SAML 2.0

SAML (Security Assertion Markup Language) 2.0 is an XML-based framework for exchanging authentication and authorization data between parties. Authrim supports both Identity Provider (IdP) and Service Provider (SP) roles for enterprise SSO integrations.

  • Enterprise SSO: Integrate with enterprise identity systems (AD FS, Okta, Azure AD)
  • Legacy Application Support: Connect with applications that only support SAML
  • Federation: Establish trust relationships between organizations
  • Regulatory Compliance: Meet requirements for standards-based authentication
FeatureIdPSPNotes
SSO (Single Sign-On)YesYesSP-initiated and IdP-initiated
SLO (Single Logout)YesYesLogoutRequest/LogoutResponse
HTTP-POST BindingYesYesPrimary binding
HTTP-Redirect BindingYesYesDeflate + Base64 encoding
Metadata GenerationYesYesXML metadata documents
XML Signature (RSA-SHA256)YesYesSign and verify
NameID FormatsYesYesEmail, Persistent, Transient
Attribute MappingYesYesConfigurable per provider
Session IntegrationYesYesSessionStore DO
Replay ProtectionYesYesSAMLRequestStore DO
JIT Provisioning-YesAuto user creation
Metadata Import/RefreshYesYesAdmin preview, import, and refresh endpoints
Signing RolloverYesYesPublish/promote/retire signing keys
FeatureReason
Assertion EncryptionDesign decision: signing only
Artifact BindingSOAP backchannel complexity
ECP ProfileMobile-specific; out of scope
EndpointMethodDescription
/saml/idp/metadataGETIdP metadata document
/saml/idp/ssoGET/POSTSingle Sign-On service
/saml/idp/sloGET/POSTSingle Logout service
EndpointMethodDescription
/saml/sp/metadataGETSP metadata document
/saml/sp/acsPOSTAssertion Consumer Service
/saml/sp/sloGET/POSTSingle Logout service
/saml/sp/initGETSP-initiated SSO start
EndpointMethodDescription
/api/admin/saml-settingsGET/PUTTenant SAML settings
/api/admin/saml-settings/local-signingPOSTLocal signing key settings
/api/admin/saml-settings/local-signing/dr-bundlePOSTExport local signing disaster-recovery bundle
/api/admin/saml-settings/local-signing/dr-bundle/importPOSTImport local signing disaster-recovery bundle
/api/admin/saml-providersGET/POSTList or create SAML providers
/api/admin/saml-providers/:idGET/PUT/DELETERead, update, or delete a provider
/api/admin/saml-attribute-presetsGET/POSTList or create attribute presets
/api/admin/saml-metadata/previewPOSTPreview metadata before import
/api/admin/saml-metadata/previews/:previewId/entitiesGETList entities from an aggregate metadata preview
/api/admin/saml-metadata/previews/:previewId/batch-createPOSTStart batch provider creation from aggregate metadata
/api/admin/saml-metadata/batches/:batchIdGETGet aggregate metadata batch status
/api/admin/saml-metadata/certificate-previewPOSTPreview federation trust certificate metadata
/api/admin/saml-providers/:id/import-metadataPOSTImport metadata into a provider
/api/admin/saml-providers/:id/refresh-metadataPOSTRefresh remote metadata
/api/admin/saml-providers/:id/signing-rollover/*POSTPublish, promote, or retire signing keys
  1. User accesses protected resource at SP
  2. SP redirects user to IdP with AuthnRequest
  3. IdP authenticates user (if not already logged in)
  4. IdP generates SAML Response with Assertion
  5. IdP redirects user back to SP’s ACS URL
  6. SP validates response and grants access
  1. User logs into IdP portal
  2. User selects SP application
  3. IdP generates SAML Response with Assertion
  4. IdP redirects user to SP’s ACS URL
  5. SP validates response and grants access
Terminal window
POST /api/admin/saml-providers
Authorization: Bearer <admin_token>
Content-Type: application/json
{
"name": "Corporate SSO",
"type": "sp",
"entity_id": "https://sp.corp.example.com",
"metadata_url": "https://sp.corp.example.com/saml/metadata",
"acs_url": "https://sp.corp.example.com/saml/acs",
"slo_url": "https://sp.corp.example.com/saml/slo",
"name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"sign_assertions": true,
"sign_authn_requests": true,
"attribute_mappings": [
{ "saml_attribute": "email", "user_claim": "email" },
{ "saml_attribute": "displayName", "user_claim": "name" },
{ "saml_attribute": "groups", "user_claim": "groups" }
]
}

For configuring external SPs, retrieve the IdP metadata:

Terminal window
GET /saml/idp/metadata

Returns XML metadata including:

  • Entity ID
  • SSO endpoints (POST and Redirect)
  • SLO endpoints
  • Signing certificate (X.509)

Use the metadata to configure the external SP with:

  • IdP Entity ID
  • SSO URL
  • SLO URL (optional)
  • IdP Certificate for signature verification

For SP-initiated flows, redirect users to:

GET /saml/idp/sso?SAMLRequest=<base64_deflate_encoded>&RelayState=<optional>

Or POST to:

POST /saml/idp/sso
Content-Type: application/x-www-form-urlencoded
SAMLRequest=<base64_encoded>&RelayState=<optional>

Authrim maps user claims to SAML attributes:

SAML AttributeUser ClaimExample Value
emailemailuser@example.com
displayNamenameJohn Doe
firstNamegiven_nameJohn
lastNamefamily_nameDoe
groupsgroups[“admin”, “users”]

Custom attribute mappings can be configured per provider.

FormatURIDescription
Emailurn:oasis:names:tc:SAML:1.1:nameid-format:emailAddressEmail address
Persistenturn:oasis:names:tc:SAML:2.0:nameid-format:persistentOpaque persistent ID
Transienturn:oasis:names:tc:SAML:2.0:nameid-format:transientOne-time identifier
Unspecifiedurn:oasis:names:tc:SAML:1.1:nameid-format:unspecifiedAny format

All SAML assertions are cryptographically signed using RSA-SHA256:

  1. Canonicalize XML
  2. Create SignedInfo
  3. Sign with RSA key
  4. Add Signature element
  1. Request ID Tracking: Each AuthnRequest ID is stored
  2. InResponseTo Validation: Response must reference stored request
  3. Assertion ID Tracking: Assertion IDs stored to prevent replay
  4. Time Validation: NotBefore/NotOnOrAfter conditions enforced
  5. Clock Skew Tolerance: 60 seconds allowed for time drift
FieldTypeDescription
namestringDisplay name
type”sp” | “idp”Provider type
entity_idstringSAML Entity ID
metadata_urlstringURL to fetch metadata
acs_urlstringAssertion Consumer Service URL
slo_urlstringSingle Logout URL
name_id_formatstringNameID format
sign_assertionsbooleanSign SAML assertions
sign_responsesbooleanSign SAML responses
sign_authn_requestsbooleanRequire signed requests
allowed_bindingsarrayAllowed SSO/SLO bindings
attribute_mappingsarrayClaim to attribute mappings
Status CodeDescription
SuccessAuthentication successful
RequesterRequest error (invalid format)
ResponderIdP error (internal error)
AuthnFailedAuthentication failed
RequestDeniedRequest denied by policy
  1. Install SAML Tracer browser extension
  2. Initiate SSO flow
  3. Inspect SAML Request/Response
Terminal window
docker run -p 8080:80 \
-e SIMPLESAMLPHP_SP_ENTITY_ID=https://test-sp.example.com \
cirrusid/simplesamlphp
  • Encryption: Assertion encryption not supported (signing only)
  • Artifact Binding: Not implemented (HTTP-POST covers most use cases)
  • SOAP Binding: Not supported
  • ECP Profile: Not supported