Relying party
A relying party (RP) is an entity, typically a service provider, application, or website, that relies on a trusted identity provider (IdP) to authenticate users and obtain their identity information in federated identity systems, rather than managing authentication internally.[1][2] This delegation enables secure, single sign-on experiences across multiple domains, where the RP verifies assertions or tokens issued by the IdP to grant access to protected resources.[3][4] In protocols like SAML 2.0, the relying party acts as the recipient of security assertions from the IdP, which contain claims about the user's identity and attributes, allowing the RP to make authorization decisions without direct credential handling.[3][5] Similarly, in OpenID Connect—built on OAuth 2.0—the RP initiates authentication by redirecting users to the OpenID provider (OP), receives an ID token upon success, and may use an access token to fetch additional user claims via the UserInfo endpoint.[2][6] This flow ensures the RP can trust the OP's authentication while maintaining user privacy through standardized token validation.[2] Relying parties are also integral to modern authentication standards like FIDO2 and WebAuthn, where they register and authenticate public key credentials (such as passkeys) to enable passwordless access, relying on the authenticator for cryptographic verification.[7] In broader contexts, such as NIST's digital identity guidelines, an RP evaluates the binding of a user's name to a public key or other credentials to confirm identity and status before providing services.[8] By outsourcing authentication, relying parties reduce security risks associated with credential storage and enhance interoperability in enterprise and web environments.[9][10]Definition and Concepts
Core Definition
A relying party (RP) is a system entity, such as a website, application, or service, that relies on an external identity provider (IdP) for making user authentication and authorization decisions.[11] In this role, the RP outsources the authentication function to the IdP, using the results to establish confidence in a user's identity or attributes for conducting transactions.[11] The relying party functions as the consumer of identity assertions provided by the IdP, rather than the issuer of such assertions, which is the responsibility of the IdP or authority.[12] For instance, in SAML contexts, a relying party takes a SAML assertion from a SAML authority as the basis for its decisions.[12] The term "relying party" originated in the OASIS Security Assertion Markup Language (SAML) 1.0 specification, approved as an OASIS Standard in November 2002.[13] It has since been adopted and generalized across modern identity frameworks, such as OpenID Connect, where the RP is an application that requests and relies on authentication from an IdP.[2] Key attributes of a relying party include establishing trust with the IdP and the ability to receive and validate assertions, such as tokens containing user attributes like identity and roles.[14] This trust relationship enables the RP to process assertions securely for access control.[14] Federated identity represents the broader paradigm that facilitates the operation of relying parties through such external validations.[14]Key Terminology
In federated identity systems, a relying party relies on several core terms to facilitate secure identity verification from an identity provider. An identity assertion is a digitally signed statement issued by an identity provider attesting to a user's identity, authentication details, or attributes, enabling the relying party to make access decisions. In the SAML standard, identity assertions manifest as XML documents containing authentication statements, attribute statements, or authorization decisions about a subject relative to a resource.[15] Similarly, in OpenID Connect, the ID token serves as the identity assertion, structured as a JSON Web Token that includes claims about the end-user's authentication event and profile information.[16] The term service provider (SP) is frequently synonymous with relying party, especially within SAML ecosystems, where it denotes the system entity delivering services to users while depending on assertions from an identity provider for authentication.[17] In contrast, within OAuth and OpenID Connect frameworks, the relying party aligns with the client, defined as the application authorized by the resource owner to request access to protected resources or identity claims via tokens.[18] A trust relationship represents the mutual agreement between a relying party and an identity provider, underpinned by shared security parameters to validate assertions and prevent unauthorized access. This relationship is operationalized through metadata exchange, where entities share configuration details such as communication endpoints, supported protocols, and cryptographic certificates to establish endpoints and verify signatures.[19] Distinct from the resource server in OAuth—which hosts protected resources and validates access tokens for resource retrieval—the relying party emphasizes identity verification and assertion consumption, delegating resource protection to separate servers in authorization flows.[18]Role in Identity Systems
Interaction with Identity Providers
In federated identity systems, the relying party (RP) establishes trust with the identity provider (IdP) primarily through the bilateral exchange of metadata, which contains essential configuration details for secure communication. This metadata typically includes unique entity identifiers (such as URIs designating the RP and IdP), endpoint locations for protocol messages (e.g., authentication request and response endpoints), and public cryptographic keys used for signing and verifying messages.[19][20] The exchange can occur via secure channels like HTTPS, with metadata often published at well-known locations derived from the entity's identifier or discovered through protocols like DNS records or WebFinger, ensuring both parties can validate the authenticity and integrity of the information using digital signatures and transport-layer security.[19][20] Once trust is established, the RP initiates authentication by redirecting the user's browser to the IdP's authorization endpoint, as specified in the exchanged metadata, prompting the IdP to authenticate the user and return a signed identity assertion to the RP. The RP verifies this assertion using the IdP's public key from the metadata, confirming the user's identity without direct credential handling. This process is inherently bilateral, as the RP also supplies its own metadata to the IdP during setup, allowing the IdP to recognize and authorize requests from the specific RP.[19][20] This interaction enables single sign-on (SSO) by leveraging the IdP's centralized session management; after initial authentication at the IdP, subsequent RP requests can reuse the existing session, propagating access across multiple relying parties without requiring repeated user logins. In federated environments, such as those using OpenID Federation, trust chains and metadata policies further reinforce this by allowing hierarchical validation between entities, ensuring scalable and secure propagation of authentication.[21] The identity assertion serves as the key output of these IdP interactions, providing the RP with verified user attributes.[19]User Authentication Flow
The user authentication flow in federated identity systems begins when a user attempts to access a protected resource on the relying party (RP), which detects an unauthenticated session and initiates the process by redirecting the user to the identity provider (IdP) for authentication, assuming a pre-established trust relationship between the entities.[14] The IdP authenticates the user—potentially via multi-factor methods—and redirects the user back to the RP with an authentication assertion or token, such as a SAML assertion or OpenID Connect ID Token, containing claims about the user's identity and session details.[3][16] Upon receipt, the RP validates the assertion to confirm its authenticity and applicability before granting access to the resource.[14] Validation at the RP involves several critical steps to ensure the assertion's integrity and relevance, including verifying the digital signature using the IdP's trusted public key to prevent tampering, checking audience restrictions to confirm the assertion is intended for this specific RP, and extracting attributes such as user ID or email for local use.[22][23] The RP also examines conditions like not-before and expiration timestamps, allowing minimal clock skew (e.g., a few seconds) to account for synchronization differences, and ensures the assertion ID is unique to detect replays.[24] Successful validation leads to attribute extraction and session establishment. Post-validation, the RP creates a local session, typically via secure cookies or tokens, to maintain the user's authenticated state without repeated IdP interactions, while the original resource URL (often preserved via a RelayState parameter) is used to redirect the user.[3] For logout, the RP may propagate termination requests to the IdP, which coordinates single logout across participants by notifying other RPs to clear sessions, using mechanisms like front-channel redirects in OpenID Connect or asynchronous bindings in SAML.[25][26] If validation fails—such as due to an expired token, invalid signature, or mismatched audience—the RP denies access, terminates any partial session, and may redirect the user to an error page or prompt re-authentication, treating the event as a security incident without granting privileges.[27] This error handling ensures robust protection against unauthorized access attempts.[14]Supporting Protocols
SAML Implementation
In the Security Assertion Markup Language (SAML), the relying party operates as the service provider (SP), a system entity that relies on assertions from an asserting party, typically an identity provider (IdP), to make access control or other decisions.[15] The SP initiates the web single sign-on process by issuing an<AuthnRequest> message to the IdP, specifying parameters such as the desired authentication method, requested attributes, and the desired name identifier format.[15] Upon successful authentication of the user at the IdP, the IdP returns a <SAMLResponse> message containing one or more SAML assertions, which the SP validates and consumes to authorize the user.[15]
These message exchanges in SAML 2.0 utilize specific bindings to transport protocol messages over HTTP or SOAP. The HTTP Redirect binding conveys the <AuthnRequest> via a URL query parameter in a 302 redirect response, while the HTTP POST binding embeds the request in the body of an HTML form submitted via POST; the <SAMLResponse> typically uses the HTTP POST binding for direct delivery of the assertion, though the Artifact binding allows an indirect reference (artifact) to be sent instead, resolved later via a separate SOAP request.[3] The Artifact binding enhances security by avoiding direct transmission of sensitive assertions over the user's browser, requiring a backend channel between the SP and IdP.
Relying parties exchange configuration details through SAML metadata, published as XML documents conforming to the SAML V2.0 Metadata schema. The metadata includes an <EntityDescriptor> element with a unique entityID attribute identifying the RP, and an <SPSSODescriptor> role descriptor outlining the SP's capabilities, such as supported protocols (e.g., urn:oasis:names:tc:[SAML:2.0](/page/SAML_2.0):protocol) and whether authentication requests or assertions must be signed.[19] Within the <SPSSODescriptor>, <AssertionConsumerService> elements specify indexed endpoints (with Binding and Location attributes) where the IdP delivers responses, while <NameIDFormat> elements list supported formats such as urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, urn:oasis:names:tc:[SAML:2.0](/page/SAML_2.0):nameid-format:transient, and urn:oasis:names:tc:[SAML:2.0](/page/SAML_2.0):nameid-format:persistent.[19] Attribute profiles are defined via <AttributeConsumingService> elements, each with an index and containing <RequestedAttribute> declarations (extending SAML's <Attribute> type) to indicate required or desired attributes, such as those from X.500/LDAP profiles, along with localized service names and descriptions.[19]
SAML 1.1 provided foundational support for the relying party role through basic assertion consumption in browser-based SSO, but lacked standardized SP-initiated requests and relied on simpler bindings without artifact resolution.[28] In contrast, SAML 2.0 introduced significant enhancements for relying parties, including the Authentication Request Protocol for SP control over authentication contexts and attribute requests, refined artifact binding restricted to protocol messages (with SOAP-based resolution), and native support for XML Encryption to protect entire assertions (<EncryptedAssertion>), identifiers (<EncryptedID>), or attributes (<EncryptedAttribute>), thereby improving privacy and security in federated environments.[28]
OpenID Connect and Related Standards
In OpenID Connect (OIDC), a relying party (RP) functions as an OAuth 2.0 client that relies on an OpenID Provider (OP) to authenticate end-users and obtain their identity information.[16] This standard builds upon OAuth 2.0 by adding an identity layer, enabling RPs to request and validate identity assertions through ID Tokens rather than solely access tokens for authorization.[16] Unlike XML-based protocols, OIDC employs RESTful APIs, JSON Web Tokens (JWTs), and lightweight discovery mechanisms to facilitate interoperable identity verification.[16] RPs register with an OP either statically or dynamically to obtain necessary credentials, such as a client ID and optional client secret.[16] Dynamic registration follows the OpenID Connect Dynamic Client Registration 1.0 specification, which extends the OAuth 2.0 Dynamic Client Registration (RFC 7591) by incorporating OIDC-specific metadata.[29] In this process, the RP sends an HTTP POST request to the OP's client registration endpoint, including parameters likeredirect_uris (an array of valid redirection URIs) and client_name (a human-readable identifier).[29] The OP responds with a client configuration, including the client_id for subsequent authentication requests, and optionally a registration_access_token for managing the registration.[29]
To interact with the OP, RPs utilize discovery endpoints defined in OpenID Connect Discovery 1.0, primarily the /.well-known/openid-configuration resource, which provides metadata about the OP's capabilities and endpoints.[20] This JSON document includes details such as the authorization_endpoint for initiating authentication, the token_endpoint for exchanging codes, and supported scopes like openid for identity requests.[20] By fetching this configuration, RPs can dynamically adapt to the OP's setup without hard-coded values, enhancing flexibility in federated environments.[20]
The primary authentication flow for RPs in OIDC is the Authorization Code Flow, which prioritizes security by avoiding direct exposure of tokens in the browser.[16] The RP redirects the end-user to the OP's authorization endpoint with parameters including client_id, redirect_uri, scope (must include openid), response_type=code, state (to maintain request integrity), and optionally nonce (to mitigate replay attacks).[16] Upon user authentication at the OP, the RP receives an authorization code via the redirect URI, which it then exchanges at the token endpoint for an access token and an ID Token.[16] The ID Token, a compact JWT, encapsulates identity claims such as iss (issuer), sub (subject), aud (audience, matching the RP's client_id), and exp (expiration time).[16]
RP validation of the ID Token is critical and involves multiple checks to ensure authenticity and freshness.[16] The RP must verify the JWT's signature using the OP's public keys (obtained via the JSON Web Key Set endpoint), confirm the iss matches the OP's issuer identifier, ensure the aud includes the RP's client_id, and check that the token is not expired.[16] Additionally, if a nonce was sent in the initial request, it must match the value in the ID Token to prevent man-in-the-middle attacks, while the state parameter from the response must align with the original request to bind the interaction.[16] This flow integrates seamlessly with OAuth 2.0, where the RP acts as the client for authorization grants, but OIDC extends it by emphasizing identity verification through the ID Token's structured claims.[16]
Practical Applications
Use in Web Services
In web services, relying parties (RPs) commonly implement single sign-on (SSO) to enable seamless user authentication through trusted identity providers (IdPs), such as Google or Microsoft Azure Active Directory (Azure AD). For instance, consumer web applications integrate "Sign in with Google" buttons, where the RP redirects users to Google's authorization endpoint for authentication via OpenID Connect (OIDC), receives an authorization code, and exchanges it for an ID token to verify user identity without managing local credentials.[30] Similarly, web services like productivity tools use Azure AD integrations for "Sign in with Microsoft," leveraging OIDC flows to handle browser-based redirects and ID token validation, allowing users to access multiple applications with one set of credentials.[31] Browser-based RP implementations rely on standardized redirect flows to interact with IdPs, ensuring secure token exchange across domains. In these setups, the RP initiates authentication by sending a GET request to the IdP's endpoint (e.g.,https://accounts.google.com/o/oauth2/v2/auth for Google), including parameters like client_id and redirect_uri, prompting the browser to redirect the user for consent and return to the specified URI with the response.[30] Cross-origin resource sharing (CORS) becomes critical for advanced scenarios, such as silent renewals in single-page applications (SPAs), where RPs use prompt=none requests to fetch tokens without full redirects; this requires IdPs to support CORS headers like Access-Control-Allow-Origin matching the RP's origin and Access-Control-Allow-Credentials: true to include session cookies, preventing browser blocks on cross-origin fetches.[32]
To achieve scalability in high-traffic web environments, RPs deploy behind load balancers that distribute incoming requests while preserving session affinity for consistent assertion validation. Application load balancers, such as those in AWS Elastic Load Balancing, bind user sessions to specific backend instances using sticky sessions based on cookies, ensuring that post-authentication requests (e.g., token validation) route to the same RP server holding the session state, thereby maintaining security without stateless token overhead.
In consumer-facing applications, RPs facilitate social logins to streamline e-commerce experiences and mitigate password fatigue. Platforms like Shopify act as RPs by integrating Google and Facebook providers, where customers authenticate via social credentials, syncing only email addresses to the merchant's store and enabling passwordless access that reduces user friction from managing multiple passwords across sites.[33] This approach boosts conversion rates by offering familiar login options during checkout, allowing seamless account creation without additional credential entry.[34]
Enterprise and Cloud Deployments
In enterprise environments, relying parties (RPs) are commonly integrated with Active Directory Federation Services (AD FS) to enable single sign-on (SSO) for internal applications. AD FS configures RPs through relying party trusts, which define the authentication and authorization parameters for accessing on-premises resources such as enterprise resource planning systems or custom line-of-business apps.[35][36] This setup allows seamless user access across federated domains without repeated credential prompts. Attribute-based access control is implemented via claim rules in AD FS, where incoming claims from the identity provider—such as user roles, group memberships, or device compliance status—are mapped to outgoing assertions that the RP uses to enforce fine-grained permissions.[37][38] In cloud deployments, RPs facilitate federation between corporate identity providers (IdPs) and major platforms to manage workforce identity. For instance, Amazon Web Services (AWS) acts as an RP by establishing SAML 2.0 trusts with external corporate IdPs like AD FS, enabling employees to access AWS resources using their organizational credentials.[39][40] Similarly, Google Cloud serves as an RP through Workforce Identity Federation, allowing direct SSO from third-party IdPs such as Okta or Azure AD to Google Cloud services without provisioning user accounts in the cloud.[41] Integrations like AWS IAM Identity Center can incorporate System for Cross-domain Identity Management (SCIM) for automated user provisioning and deprovisioning, ensuring that access rights align with changes in the corporate directory.[42] Hybrid deployments bridge on-premises RPs with cloud-based IdPs to support distributed architectures, particularly in scenarios involving secure remote access. On-premises applications configured as RPs can authenticate against cloud IdPs like Microsoft Entra ID, receiving SAML assertions over secure channels to authorize users connecting via virtual private networks (VPNs).[43] This approach maintains compatibility with legacy systems while leveraging cloud scalability, with VPN gateways enforcing additional policy checks post-federation.[44] Trust interactions in these large-scale environments rely on metadata exchange and certificate validation to prevent unauthorized access across boundaries.[45] For compliance with regulations like the General Data Protection Regulation (GDPR), RPs emphasize attribute minimization in SAML assertions to limit the personal data shared from IdPs. This practice, aligned with GDPR's data minimization principle (Article 5(1)(c)), involves configuring claim rules to release only essential attributes—such as a pseudonymous identifier instead of full user details—reducing privacy risks in federated exchanges.[46] In enterprise and cloud contexts, this ensures assertions contain just enough information for authorization while supporting auditability for data protection impact assessments.Security and Challenges
Common Vulnerabilities
Relying parties (RPs) in federated identity systems are susceptible to several security vulnerabilities that can compromise authentication integrity and user sessions, often stemming from improper validation of assertions received from identity providers (IdPs). These risks arise during the authentication flow where the RP processes tokens or messages, potentially allowing unauthorized access if flaws in implementation or protocol handling are exploited.[47] Assertion validation flaws represent a primary risk for RPs, particularly in protocols like SAML where digital signatures ensure authenticity. Accepting unsigned assertions enables attackers to forge identity claims, such as altering user attributes or roles, leading to unauthorized privilege escalation. Similarly, replayed assertions occur when intercepted valid messages are reused without checks on timestamps or unique identifiers, allowing impersonation even after the original session expires. A notable example is XML signature wrapping in SAML, where attackers manipulate the XML structure to include a malicious unsigned assertion alongside a valid signed one, tricking the RP into processing the forged content while the signature verifies correctly on the legitimate part.[47][48][49] Redirect URI manipulation poses another threat, exploiting the redirect mechanisms in SAML or OpenID Connect flows. In open redirect attacks, a malicious IdP or intermediary can spoof responses by altering the RelayState parameter or assertion consumer service (ACS) URL, directing the user to a phishing site that captures credentials or steals session data post-authentication. This vulnerability leverages the trust in redirect bindings, enabling attackers to intercept or redirect flows to controlled domains.[48][47] Session fixation attacks target RPs by hijacking established sessions after authentication. An attacker pre-sets a session identifier before the user authenticates with the IdP, and if the RP reuses this identifier upon receiving the assertion, the attacker can assume control of the legitimate user's session. This issue has been observed in SAML adapters and OpenID Connect implementations, where session IDs are not regenerated post-federation.[50][51] As of 2025, emerging threats include token replay in JSON Web Tokens (JWTs) used by RPs for validation in OpenID Connect. Attackers intercept valid JWTs and replay them due to insufficient expiration times or lack of unique identifiers like the "jti" claim, granting repeated unauthorized access. Weak key management exacerbates this, as predictable or short symmetric keys (e.g., HMAC secrets) allow brute-force forging of tokens. Additionally, supply chain attacks on open-source dependencies in npm packages introduce backdoors that propagate to relying party implementations, as seen in widespread JavaScript ecosystem incidents.[52][53]Best Practices for Implementation
Implementing a relying party (RP) requires rigorous validation of assertions received from identity providers (IdPs) to ensure authenticity and prevent unauthorized access. RPs must always verify assertion signatures using the IdP's public keys, check timestamps for validity within a narrow clock skew (e.g., a few seconds, synchronized via NTP), and confirm the audience restriction matches the RP's identifier. For SAML assertions, this involves validating elements like<AudienceRestriction> and rejecting those with invalid or missing conditions, as per the SAML 2.0 Core specification. In OpenID Connect (OIDC), RPs should validate ID Tokens by confirming the issuer (iss), audience (aud), expiration (exp), and signature using the OP's JSON Web Key (JWK) Set from the jwks_uri endpoint. Using established libraries such as OpenSAML for SAML processing or oidc-client-js for OIDC implementations facilitates secure validation without reinventing cryptographic checks.
Effective key management is essential for maintaining trust in federated authentication. RPs should rotate certificates regularly—ideally every 1-2 years or upon compromise—to limit exposure, updating SAML metadata or OIDC JWK Sets accordingly to ensure seamless IdP communication. Implement mutual TLS (mTLS) for RP-IdP interactions to authenticate both parties and encrypt traffic, using RSA 2048-bit keys with SHA-256 hashing as a minimum standard. Private keys must be protected using Hardware Security Modules (HSMs) or equivalent secure storage, and IdP certificates should be validated against Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) responders when available. These practices align with NIST SP 800-63C guidelines for federated key handling.
Robust monitoring and logging enable early detection of anomalies in assertion processing. RPs should audit all incoming assertions, logging identifiers, timestamps, and validation outcomes to track potential replays or forgeries, and integrate these logs with Security Information and Event Management (SIEM) tools for real-time analysis. Regular testing, including rejection of invalid or unsigned assertions, helps verify system integrity. Such auditing supports compliance with standards like those in the OWASP Logging Cheat Sheet, which emphasizes capturing authentication events for forensic review.
To ensure ongoing security, RPs must adhere to the latest protocol specifications, such as SAML 2.0 errata from OASIS and OIDC Core 1.0 from the OpenID Foundation, incorporating updates like Proof Key for Code Exchange (PKCE) for public clients. Conduct regular penetration testing to simulate attacks on assertion validation and key exchanges, focusing on common vulnerabilities like signature wrapping or token substitution. This proactive approach, recommended in NIST SP 800-63-3, helps maintain compliance and resilience without introducing new risks.