Fact-checked by Grok 2 weeks ago

SAML 2.0

Security Assertion Markup Language (SAML) 2.0 is an XML-based for exchanging and data between an and a , enabling secure (SSO) and across different domains. Developed by the Security Services Technical Committee, it was approved as an OASIS Standard on 15 March 2005, building on earlier versions (SAML 1.0 in 2002 and SAML 1.1 in 2003) to address limitations in and support for web-based . SAML 2.0 defines key components including assertions, which are structured XML statements about a subject's , attributes, or decisions; protocols that specify request-response message exchanges (such as authentication requests and artifact ); bindings that map protocols to transport mechanisms like HTTP or ; and profiles that combine these elements for specific use cases, such as web browser SSO or the Holder-of-Key profile. It supports privacy features like pseudonymous identifiers and controlled attribute release, while incorporating mechanisms such as digital signatures and to protect against threats like replay attacks. The standard also aligns with related technologies, including X.1141, and remains widely adopted for enterprise in cloud and web environments.

Overview

Introduction

Security Assertion Markup Language (SAML) 2.0 is an XML-based open standard developed by the OASIS Security Services Technical Committee for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). It provides a framework for creating portable security assertions that enable secure information exchange across different security domains, facilitating trust relationships without requiring users to manage multiple credentials. The primary use cases of SAML 2.0 include (SSO), where users authenticate once with an to access multiple ; identity federation, which links a user's identity across organizations for seamless access; and attribute exchange, allowing the sharing of user attributes such as roles or entitlements in web-based environments. These capabilities address the limitations of local , where credentials are verified within a single , by enabling cross- interoperability. Key terminology in SAML 2.0 encompasses assertions, which are XML-encoded security statements issued by an about a subject; subjects, referring to the authenticated entities such as users; bindings, which define transport mechanisms like HTTP or for SAML messages; and profiles, which specify usage patterns for particular scenarios to ensure . Overall, SAML 2.0 plays a central role in management by standardizing the exchange of verifiable information, promoting secure and efficient access in distributed systems.

History

The (SAML) originated from efforts within the (OASIS) to standardize the exchange of authentication and authorization data across domains. In January 2001, the OASIS Security Services Technical Committee (SSTC) held its first meeting, tasked with developing SAML to address emerging needs for management, including those articulated by the newly formed Liberty Alliance Project, which sought open standards for secure in networked environments. SAML 1.0 was subsequently approved as an Standard in November 2002, providing a foundational XML-based for assertions but with limited profiles primarily suited for early web-based use cases. Building on this, SAML 1.1 was ratified as an Standard in September 2003, refining the specification with a stronger emphasis on the Web Browser Single Sign-On (SSO) Profile to enable more practical browser-based scenarios. These initial versions laid the groundwork for interoperable security assertions, though they lacked comprehensive support for advanced features. SAML 2.0 marked a significant evolution, ratified as an Standard on 15 March 2005, by incorporating SAML 1.1 functionalities while introducing key enhancements such as for entity configuration and protocols for single logout to improve scalability and management. The development drew heavily from the Liberty Alliance's Identity Framework (ID-FF) 1.2 specifications, which were contributed to the SSTC in , ensuring alignment with industry needs for robust identity . Parallel influences included Microsoft's , which informed interoperability aspects, and the project, an early open-source implementation that contributed practical insights from federations to the SSTC's work. Following ratification, SAML 2.0 received minor updates through approved errata published by the SSTC, clarifying ambiguities without altering core semantics. No major revisions have occurred since, establishing SAML 2.0 as a stable, mature standard widely adopted for enterprise and web .

Core Components

Assertions

In SAML 2.0, an assertion is an XML-encoded declaration issued by a SAML authority that conveys statements about a subject, such as a or , regarding , attributes, or decisions. The assertion serves as the fundamental unit for exchanging security-related information between parties, ensuring structured and verifiable claims. The structure of a SAML assertion is defined in the saml:AssertionType schema within the urn:oasis:names:tc:SAML:2.0:assertion namespace. It requires a unique ID attribute of type xs:ID for identification, an IssueInstant attribute specifying the UTC timestamp of issuance in xs:dateTime format, a Version attribute set to "2.0", and an Issuer element identifying the asserting authority using saml:NameIDType. Optional elements include Conditions, which impose validity constraints such as NotBefore and NotOnOrAfter timestamps to define the assertion's temporal validity, and Advice, which provides supplementary information not directly tied to the assertion's core statements. Assertions contain one or more statement elements of three types. An AuthnStatement documents an authentication event, including the AuthnInstant timestamp, an optional SessionIndex for linking to a session, and an AuthnContext that describes the authentication mechanism, such as password-based or multi-factor methods via class references like urn:oasis:names:tc:SAML:2.0:ac:classes:Password. An AttributeStatement conveys attributes about the subject, where each Attribute element specifies a Name (URI or qualified name), optional FriendlyName for human-readable labels, NameFormat (e.g., urn:oasis:names:tc:SAML:2.0:attrname-format:uri), and one or more AttributeValue elements holding the attribute data. An AuthzDecisionStatement expresses an authorization decision for a specified Resource, with a Decision value (Permit, Deny, or Ineterminate) and optional Action elements detailing permitted operations. The optional Subject element within an assertion identifies the principal to which the statements apply. It typically includes a NameID child element, which carries the subject's identifier in a specified Format such as urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress for addresses or other predefined formats like subject names. The Subject may also contain SubjectConfirmation elements to indicate how the subject is confirmed, using methods like urn:oasis:names:tc:SAML:2.0:cm:bearer for simple possession-based confirmation or urn:oasis:names:tc:SAML:2.0:cm:holder-of-key for proof-of-possession via cryptographic keys. For security, an assertion may include an optional Signature element based on XML Signature to ensure integrity and enable non-repudiation by the issuer. Additionally, within an AuthzDecisionStatement, an optional Evidence element can reference or embed supporting assertions or artifacts that justify the authorization decision. The following is a basic XML example of a SAML 2.0 assertion containing an AuthnStatement and an AttributeStatement: 
xml
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc"
                Version="2.0"
                IssueInstant="2003-04-17T00:46:02Z">
  <saml:Issuer>https://www.opensaml.org/IDP</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                 >[email protected]</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2003-04-17T00:46:02Z"
                   NotOnOrAfter="2003-04-17T00:51:02Z">
    <saml:AudienceRestriction>
      <saml:Audience>http://www.opensaml.org/SP</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2003-04-17T00:46:00Z" SessionIndex="abc123">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xsi:type="xs:string">manager</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
```[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)

### Names and Subjects

In SAML 2.0, the subject of an assertion represents the principal entity—typically a user or resource—about which statements are made, serving as the core element for identification within the XML structure.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) The subject element may contain a NameID to uniquely identify the principal or a confirmation method to specify how the subject is bound to the relying party, ensuring secure transmission and validation across federated environments.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)

Name identifiers (NameID) in SAML 2.0 provide standardized [format](/page/Format)s for expressing the subject's [identity](/page/Identity), balancing [privacy](/page/Privacy), [interoperability](/page/Interoperability), and [federation](/page/Federation) needs. The persistent format (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent) uses opaque, pairwise pseudonyms that are long-term, unique identifiers generated by the [identity provider](/page/Identity_provider), unlinkable across service providers without explicit agreement to protect user [privacy](/page/Privacy).[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) The transient format (urn:oasis:names:tc:SAML:2.0:nameid-format:transient) employs session-specific, temporary identifiers that are not reusable beyond the current interaction, further enhancing [privacy](/page/Privacy) by avoiding persistent tracking.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) The unspecified format (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified) allows implementers to define custom or legacy identifiers when no predefined [format](/page/Format) applies, serving as a flexible default.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) For federated scenarios, NameID elements incorporate qualifiers like NameQualifier and SPNameQualifier to denote the [identity provider](/page/Identity_provider) and service provider contexts, enabling scoped, federated identifiers that support cross-domain [trust](/page/Trust) without exposing global identities.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)

Subject confirmation establishes how a relying party verifies that the presenting entity is authorized to act on behalf of the [subject](/page/Subject), using methods such as bearer, holder-of-key, or sender-vouches.[](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf) Within the SubjectConfirmationData element, the Recipient attribute specifies the [URI](/page/Uri) of the intended receiving entity, ensuring the assertion is directed correctly.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) The InResponseTo attribute references the [message ID](/page/Message-ID) of the originating SAML protocol message, linking the assertion to its request for [contextual integrity](/page/Contextual_integrity).[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) The NotOnOrAfter attribute defines a UTC time instant after which confirmation validity expires, imposing a temporal bound to limit exposure.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)

SAML 2.0 distinguishes between principal subjects, which identify a specific authenticated entity such as a [user](/page/User) within a [security](/page/Security) domain, and bearer subjects, where no particular recipient is designated, allowing any party possessing the assertion to use it provided other constraints like time limits are satisfied.[](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf) Principal subjects typically require [confirmation](/page/Confirmation) methods to bind the assertion to a verified holder, whereas bearer subjects rely on possession alone, assuming the presenter is the principal without additional proof.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)

These subject mechanisms play a critical role in preventing replay attacks by enforcing confirmation methods that validate freshness and origin; for instance, the sender-vouches method requires the [issuer](/page/Issuer) to digitally [sign](/page/Sign) the assertion and vouch for the sender's authority, combined with InResponseTo and NotOnOrAfter to detect duplicates or expired messages.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) This approach ensures that assertions cannot be reused illicitly, as relying parties check these elements against local caches and trust relationships before acceptance.[](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf)

## Protocols

### Authentication Request Protocol

The Authentication Request Protocol in SAML 2.0 enables a [service provider](/page/Service_provider) (SP) to request [authentication](/page/Authentication) assertions from an [identity provider](/page/Identity_provider) (IdP) on behalf of a principal, facilitating secure [identity](/page/Identity) federation across domains.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) This protocol defines the exchange of an AuthnRequest message from the SP to the IdP, followed by a Response message containing the authentication outcome, typically including an assertion if successful.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) It supports various [authentication](/page/Authentication) scenarios, such as forcing re-authentication or requesting passive checks, while allowing the SP to specify requirements for the subject's identifier and [authentication](/page/Authentication) context.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) The protocol operates asynchronously, with messages exchanged via SAML bindings like HTTP Redirect or [POST](/page/Post-) to ensure flexibility in deployment.[](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html)

The core of the protocol is the **AuthnRequest** message, an XML element derived from RequestAbstractType, which the SP issues to initiate authentication.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) It includes several key elements: the **ID** attribute, a required unique identifier of type xs:ID for correlating the request with its response; the **IssueInstant** attribute, a required xs:dateTime value indicating the UTC time of issuance; and the optional **Destination** attribute, a URI specifying the intended recipient, typically the IdP's endpoint.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) Authentication control flags include **ForceAuthn**, an optional [Boolean](/page/Boolean) that, if set to "true", requires the IdP to perform a fresh authentication without reusing prior sessions; and **IsPassive**, another optional [Boolean](/page/Boolean) that, if "true", instructs the IdP to avoid any user-visible interaction during authentication.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) The **ProtocolBinding** element, optional and of type any[URI](/page/Uri), identifies the binding to use for the response delivery.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) Endpoint specification is handled by **AssertionConsumerServiceURL**, an optional any[URI](/page/Uri) pointing to the SP's service for receiving the response.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) The optional **NameIDPolicy** element allows the SP to request a specific NameID format, such as persistent or transient, and whether the IdP should create a new pseudonymous identifier if needed (see Section 3.4.1.1 of the core [specification](/page/Specification_(technical_standard)).[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) Finally, **RequestedAuthnContext** is an optional element specifying desired authentication contexts, including [comparison](/page/Comparison) methods like exact or minimum to match the principal's authentication strength.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)

Upon receiving the AuthnRequest, the IdP processes the [authentication](/page/Authentication) and returns a **Response** message, encapsulated in a SAMLResponse element derived from StatusResponseType.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) This response includes a required **[Status](/page/Status)** element, which conveys the outcome using a hierarchical structure: the top-level **StatusCode** value, such as `urn:oasis:names:[tc](/page/TC):SAML:2.0:status:Success` for successful processing or `urn:oasis:names:[tc](/page/TC):SAML:2.0:status:Requester` for errors attributable to the SP; an optional **StatusMessage** for human-readable details; and an optional **StatusDetail** for additional XML content.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) If [authentication](/page/Authentication) succeeds, the response may contain one or more optional **Assertion** elements, each carrying authentication statements about the principal, signed by the IdP for [integrity](/page/Integrity).[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) The response's **ID** and **InResponseTo** attributes link it back to the original AuthnRequest for validation.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)

In the basic flow, the [SP](/page/SP) generates and sends an AuthnRequest to the [IdP](/page/IDP)'s [single sign-on](/page/Single_sign-on) service, prompting the [IdP](/page/IDP) to authenticate the principal if necessary.[](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html) The [IdP](/page/IDP) then issues a Response to the specified AssertionConsumerServiceURL, including an assertion confirming the [authentication](/page/Authentication) if the process completes successfully.[](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html) This exchange underpins common use cases, such as the Web Browser SSO Profile, where it enables seamless access to protected resources.[](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html)

Error handling relies on the [Status](/page/Status) element to signal failures without assertions.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) For instance, the [IdP](/page/IDP) returns `urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy` if it cannot satisfy the requested NameID format or creation rules in the NameIDPolicy.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) Similarly, `urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext` is used when the RequestedAuthnContext cannot be met, ensuring the [SP](/page/SP) receives precise feedback on protocol violations or unsupported requests.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)

### Artifact Resolution Protocol

The Artifact Resolution Protocol in SAML 2.0 enables a [service provider](/page/Service_provider) to exchange a compact, opaque artifact for the full SAML assertion or [protocol](/page/Protocol) message it references, supporting indirect communication between entities. This mechanism is particularly useful in scenarios where direct transmission of assertions through the [user agent](/page/User_agent) is undesirable due to size constraints, [security](/page/Security) concerns, or the need for [out-of-band](/page/Out-of-band) [transport](/page/Transport). By leveraging a back-channel connection, typically SOAP over HTTP, the [protocol](/page/Protocol) minimizes [user agent](/page/User_agent) involvement and allows for stronger protections, such as [mutual authentication](/page/Mutual_authentication), while ensuring artifacts are single-use and time-bound to prevent replay attacks.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)

The protocol flow begins when the [service provider](/page/Service_provider) receives an artifact from the [identity provider](/page/Identity_provider) via a front-channel binding, such as the HTTP Artifact Binding. The [service provider](/page/Service_provider) then constructs and transmits an ArtifactResolve message to the [identity provider](/page/Identity_provider)'s designated artifact resolution endpoint over a secure back-channel. Upon validation of the artifact—including checks for validity, single-use enforcement, and recipient authorization—the [identity provider](/page/Identity_provider) retrieves the associated message and responds with an ArtifactResponse. If the resolution fails, the response includes an appropriate error status, such as urn:oasis:names:tc:SAML:2.0:status:ArtifactNotFound; successful resolutions deliver the original SAML assertion. The entire exchange is synchronous, ensuring the [service provider](/page/Service_provider) obtains the necessary information promptly.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf)

The ArtifactResolve message is defined as an XML element of type samlp:ArtifactResolve, extending the abstract RequestAbstractType. It mandates attributes ID (a unique identifier), Version (set to "2.0"), IssueInstant (creation timestamp), and Issuer (the sender's entity identifier), along with a required Artifact child element containing the base64-encoded artifact value. Optional elements include Destination (the recipient's endpoint URI for the SOAP envelope), Consent (usage consent indicator), Signature (for integrity and authenticity), and Extensions (for profile-specific additions). This structure ensures the message is self-contained and verifiable.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)

The corresponding ArtifactResponse message extends StatusResponseType and includes a mandatory Status element detailing the outcome via codes and subcodes. For successful resolutions, it carries the resolved content—typically a saml:Assertion or saml:EncryptedAssertion element—within its body, allowing direct integration with SAML assertion processing. Inherited attributes encompass ID, InResponseTo (matching the ArtifactResolve's ID), Version, IssueInstant, and Destination, with optional Signature and Extensions for security and extensibility. The recipient must validate the response against the request to confirm legitimacy.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)

SAML 2.0 artifacts resolved by this [protocol](/page/Protocol) follow formats specified in the bindings document to maintain opacity and [security](/page/Security). The standard type, 0x0004, comprises a 44-byte value: a 2-byte type code (0x0004), a 2-byte [endpoint](/page/Endpoint) index (identifying the [resolution](/page/Resolution) [service](/page/Service)), a 20-byte SourceID ([SHA-1](/page/SHA-1) hash of the [issuer](/page/Issuer)'s entity ID for origin verification), and a 20-byte MessageHandle (a random or pseudorandom sequence ensuring uniqueness and single-use). This construction ties the artifact to a specific [issuer](/page/Issuer) and message instance, enabling efficient lookup while obscuring details from intermediaries. Although the [protocol](/page/Protocol) itself is format-agnostic, this type aligns with SAML 2.0's [security](/page/Security) model by facilitating secure, reference-based message delivery.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf)

### Name Identifier Management Protocol

The Name Identifier Management Protocol in SAML 2.0 enables the management of name identifiers (NameIDs) for a principal between a [service provider](/page/Service_provider) (SP) and an [identity provider](/page/Identity_provider) (IdP), supporting operations such as updating, pseudonym rotation, or termination of identifiers to maintain [privacy](/page/Privacy) and [federation](/page/Federation) relationships.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) This protocol is particularly useful in scenarios where long-term pseudonymity is required, allowing entities to request changes without disrupting ongoing sessions.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) It operates as a request-response mechanism, typically synchronous, but can integrate with bindings for asynchronous flows if needed.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)

The core message in this protocol is the **ManageNameIDRequest**, which a principal or [SP](/page/SP) sends to an [IdP](/page/IDP) to direct actions on an existing NameID.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) This request extends the abstract Request type and includes a required [element](/page/Element) specifying the current identifier, either as a `<saml:NameID>` (in [plaintext](/page/Plaintext)) or `<saml:EncryptedID>` (encrypted for [privacy](/page/Privacy)).[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) To request an update, it contains a `<samlp:NewID>` or `<samlp:NewEncryptedID>` [element](/page/Element) with the proposed new NameID, optionally accompanied by a `<samlp:NameIDPolicy>` to specify the desired format (e.g., persistent, transient, or unspecified) and [service provider](/page/Service_provider) name qualifier.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) For termination, a simple `<samlp:Terminate>` [element](/page/Element) is used, signaling the end of the identifier's use in the [federation](/page/Federation) without necessarily [logging](/page/Logging) out active sessions.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) The request must include an `<saml:Issuer>` to identify the sender and a unique `ID` attribute for correlation.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)

In response, the IdP issues a **ManageNameIDResponse**, which extends the StatusResponse type and conveys the outcome of the request.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) This message includes a mandatory `<samlp:Status>` [element](/page/Element) with a status code, such as `urn:oasis:names:tc:SAML:2.0:status:Success` for approval, `urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal` if the NameID is unrecognized, or `urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy` if the requested [format](/page/Format) is unsupported.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) Upon successful update, the response may include the new `<saml:NameID>` or `<saml:EncryptedID>` to confirm the change.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) Errors are indicated via subcodes in the status, ensuring the requester can handle failures like [authorization](/page/Authorization) denial without assuming success.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)

The protocol's flow begins with the requester authenticating to the [IdP](/page/IDP) if required, then sending the ManageNameIDRequest to the [IdP](/page/IDP)'s designated endpoint, often discovered via [SAML metadata](/page/SAML_metadata).[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) The [IdP](/page/IDP) processes the request by verifying the [issuer](/page/Issuer), the existing NameID, and any [policy](/page/Policy) constraints before applying the change and responding.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) For pseudonym rotation, this allows periodic updates to transient or persistent NameIDs without re-authentication, enhancing [privacy](/page/Privacy) in federated environments.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) Termination requests, in contrast, sever the identifier's association, which may relate to but is distinct from broader session management in protocols like Single Logout.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)

Integration with SAML metadata is essential for interoperability, as the `<md:ManageNameIDService>` element in an entity's metadata specifies the endpoint URL, binding (e.g., HTTP POST), and supported NameID formats for this protocol.[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) This allows dynamic discovery of management capabilities without hardcoding, supporting secure transport via HTTPS and digital signatures on requests and responses to prevent tampering.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)

### Single Logout Protocol

The Single Logout Protocol in SAML 2.0 enables the termination of a principal's [single sign-on](/page/Single_sign-on) session across all associated system entities, such as the [identity provider](/page/Identity_provider) (IdP) and service providers (SPs), in a federated [environment](/page/Environment).[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) This protocol supports logout initiation either by a session participant (typically an SP) or by the session authority (the IdP), ensuring coordinated session termination without requiring the principal to log out individually at each entity.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) It operates asynchronously, allowing for near-simultaneous propagation of logout actions while accommodating potential delays or failures in communication.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)

The protocol uses two primary message types: LogoutRequest and LogoutResponse. A LogoutRequest message, defined as `<samlp:LogoutRequest>`, includes a required [Issuer](/page/Issuer) element to identify the requesting entity and optional elements such as one or more SessionIndex values to specify the sessions to terminate, a NameID to identify [the principal](/page/The_Principal), and references to SessionParticipant entities involved in the session.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) The LogoutResponse message, `<samlp:LogoutResponse>`, confirms the outcome and includes a [Status](/page/Status) element with codes such as urn:oasis:names:tc:SAML:2.0:status:Success for full termination or urn:oasis:names:tc:SAML:2.0:status:PartialLogout when logout succeeds for some but not all participants.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)

Logout flows can be initiated in two ways. In an SP-initiated flow, the session participant sends a LogoutRequest to the [IdP](/page/IDP) (session authority), which then propagates the logout to other participants as needed.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) For IdP-initiated logout, the session authority issues LogoutRequest messages directly to each SP, using either front-channel methods (such as browser redirects via the [user agent](/page/User_agent)) or back-channel methods (such as direct [SOAP](/page/SOAP) exchanges between entities).[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) These flows leverage logout endpoints defined in [SAML metadata](/page/SAML_metadata) to facilitate communication.

Key challenges in the [protocol](/page/Protocol) arise from its asynchronous design and the potential for unresponsive entities. Since logout [propagation](/page/Propagation) does not occur simultaneously across all participants, the process must handle timing discrepancies, which can result in incomplete session terminations.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) When entities fail to respond, the session authority issues a PartialLogout status to indicate that logout was not fully achieved, requiring implementers to design for robustness in such scenarios without blocking the overall process.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)

## Bindings

### HTTP Redirect Binding

The HTTP Redirect Binding in SAML 2.0 enables the transmission of SAML messages over HTTP using the GET method, where the message is encoded and included as a query [parameter](/page/Parameter) in the redirect [URL](/page/URL).[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf) Specifically, the SAML message—such as an authentication request—is serialized in XML, optionally compressed using [DEFLATE](/page/Deflate), base64-encoded, and then URL-encoded before being placed in a [parameter](/page/Parameter) like SAMLRequest for requests or SAMLResponse for responses.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf) This binding relies on an HTTP [user agent](/page/User_agent), typically a [web browser](/page/Web_browser), to follow a 302 or 303 redirect response, facilitating indirect communication between the sender and receiver.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf)

A key limitation of this binding is its restriction to a single SAML message per redirect, without support for attachments or multiple messages, due to the constraints of HTTP query strings.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf) URL length limits, often around 2KB depending on [browser](/page/Browser) and [server](/page/Server) implementations, make it unsuitable for large assertions or complex signed content, as encoding and signing can significantly increase size.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf) Consequently, it is not recommended for SAML responses containing substantial assertion data.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf)

This [binding](/page/Binding) is commonly used for initiating [authentication](/page/Authentication) requests from a [service provider](/page/Service_provider) to an [identity provider](/page/Identity_provider) in browser-based [single sign-on](/page/Single_sign-on) flows, where the user's browser handles the redirection seamlessly.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf) It supports the Authentication Request Protocol by binding messages like AuthnRequest in this manner. Additionally, a RelayState parameter can be included to maintain context across redirects, limited to 80 bytes and protected for integrity.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf)

Message signing is optional but provides [integrity](/page/Integrity) and [authenticity](/page/Authenticity); it uses XML [Digital Signature](/page/Digital_signature) (ds:Signature) within the SAML message, with the signature value and algorithm (SigAlg) added as URL-encoded query parameters.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf) Supported algorithms include DSA-SHA1 and RSA-SHA1, ensuring the message has not been altered during transit.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf)

### HTTP POST Binding

The HTTP POST binding in SAML 2.0 defines a method for transmitting SAML [protocol](/page/Protocol) messages, such as requests and responses, over HTTP using the POST method.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf) In this binding, the SAML message is first serialized into XML and then base64-encoded before being placed as the value of an [HTML form](/page/HTML_form) control [parameter](/page/Parameter), either `SAMLRequest` for requests or `SAMLResponse` for responses containing assertions.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf) The form is submitted to the recipient endpoint via an HTTP POST request, typically with the content type `application/x-www-form-urlencoded`.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf) This approach is identified by the [URI](/page/Uri) `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST`.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf)

One key advantage of the HTTP POST binding is its ability to handle larger SAML messages without the length restrictions imposed by URL-based methods, making it suitable for transmitting complex assertions or multiple assertions in a single response.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf) It also supports the optional `RelayState` parameter, which allows the sender to include state information—such as a resource identifier or session data—up to 80 bytes in length, preserved and returned by the recipient to maintain continuity in the interaction.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf) The `RelayState` value must be integrity-protected, often via a [checksum](/page/Checksum) or [digital signature](/page/Digital_signature), to prevent tampering.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf)

In usage scenarios, the HTTP POST binding is commonly employed in single sign-on (SSO) flows, particularly for responses from the [identity provider](/page/Identity_provider) (IdP) to the [service provider](/page/Service_provider) (SP), where the [user agent](/page/User_agent) (e.g., a [web browser](/page/Web_browser)) acts as an intermediary.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf) The IdP generates an HTML response containing the form with the encoded SAML message and `RelayState`, which is then automatically submitted by the [browser](/page/Browser) using [JavaScript](/page/JavaScript), such as via an `onload` event handler like `document.forms[0].submit()`.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf) This mechanism is integral to the Web Browser SSO Profile for delivering assertions to the SP without requiring user intervention beyond the initial [authentication](/page/Authentication).[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf) If [JavaScript](/page/JavaScript) is unavailable, the form can be submitted manually by the user.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf)

Security considerations for the HTTP POST binding emphasize the use of [HTTPS](/page/HTTPS) (SSL 3.0 or TLS 1.0 and above) to ensure confidentiality and prevent eavesdropping on transmitted messages.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf) Additionally, SAML messages should be digitally signed using [XML Signature](/page/XML_Signature) to provide integrity and authenticity, verifying that the message has not been altered in transit and originates from the claimed sender.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf) The recipient must validate the signature and any associated certificates against trusted roots before processing the message.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf)

### HTTP Artifact Binding

The HTTP Artifact Binding in SAML 2.0 enables the indirect transmission of SAML protocol messages, such as responses containing assertions, by using a compact reference known as an artifact instead of sending the full message over the front channel. This binding, identified by the [URI](/page/Uri) `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact`, is particularly suited for scenarios where direct transmission of potentially large or sensitive data via browser-based channels is undesirable.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf)

In this mechanism, the [identity provider](/page/Identity_provider) generates and sends a short artifact to the [service provider](/page/Service_provider) via the front channel, typically using HTTP redirect or [POST](/page/Post-) methods. The artifact serves as an opaque handle to the full SAML message, which is stored temporarily by the [identity provider](/page/Identity_provider). The [service provider](/page/Service_provider) then retrieves the referenced message through a secure back-channel invocation of the Artifact Resolution Protocol, employing [SOAP](/page/SOAP) messages over HTTP. This two-step process decouples the [user agent](/page/User_agent) interaction from the sensitive data exchange.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf)

The artifact itself follows a fixed [binary](/page/Binary) [structure](/page/Structure) defined in SAML 2.0, consisting of 44 bytes before [base64](/page/Base64) encoding for transmission. It comprises a 2-byte type code set to 0x0004 to indicate the SAML 2.0 artifact type, a 2-byte [endpoint](/page/Endpoint) index specifying the resolution service [endpoint](/page/Endpoint) at the [issuer](/page/Issuer), a 20-byte source ID derived as the [SHA-1](/page/SHA-1) hash of the issuer's entity ID, and a 20-byte message handle generated as a cryptographically strong random value to uniquely identify the message instance. This format ensures the artifact is compact, typically encoding to around 60 characters, facilitating easy inclusion in HTTP parameters or forms.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf)

In the front-channel flow, the artifact is delivered to the [user agent](/page/User_agent) in the identity provider's HTTP response following [authentication](/page/Authentication) or other [protocol](/page/Protocol) steps. For HTTP redirect, it appears as a query [parameter](/page/Parameter) in the [Location](/page/Location) header of a 302 response (e.g., `SAMLart=<base64-encoded-artifact>`); for [POST](/page/Post), it is embedded in an auto-submitting [HTML form](/page/HTML_form) within the response body. The [user agent](/page/User_agent) then forwards this to the [service provider](/page/Service_provider)'s assertion consumer [service endpoint](/page/Endpoint), where the [service provider](/page/Service_provider) extracts and uses the artifact to initiate [resolution](/page/Resolution).[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf)

The back-channel resolution occurs directly between the service provider and identity provider, bypassing the user agent for security. The service provider issues a SOAP-enveloped `<ArtifactResolve>` request to the identity provider's artifact [resolution](/page/Resolution) endpoint, including the artifact and optionally an `Issuer` element identifying the requester. The identity provider responds with a SOAP-enveloped `<ArtifactResponse>` containing the dereferenced SAML message, such as an assertion, or an error status if the artifact is invalid, expired, or unknown. This exchange requires mutual TLS or other transport-level security to protect against interception.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf)

Key benefits of the HTTP Artifact Binding include enhanced protection of sensitive assertion content, as it avoids embedding full XML messages in browser-transported HTTP requests, reducing exposure to [eavesdropping](/page/Eavesdropping) or tampering in untrusted networks. Additionally, it supports asynchronous processing, allowing the front-channel response to complete quickly while the back-channel resolution handles the heavier payload separately, improving overall performance in federated environments.[](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf)

## Profiles

### Web Browser SSO Profile

The Web Browser SSO Profile defines a mechanism for [single sign-on](/page/Single_sign-on) (SSO) in web-based environments, enabling a [user agent](/page/User_agent), such as a [web browser](/page/Web_browser), to facilitate [authentication](/page/Authentication) between a [service provider](/page/Service_provider) (SP) and an [identity provider](/page/Identity_provider) (IdP) using SAML 2.0 assertions.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) This profile combines the SAML Authentication Request Protocol with specific bindings to support browser redirects and form submissions, allowing seamless access to protected resources without repeated [credential](/page/Credential) entry.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) It is identified by the URI `urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser` and assumes the user agent relays messages between the SP and IdP without direct client-side processing.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf)

In the SP-initiated flow, the process begins when a user attempts to [access](/page/Access) a resource at the [SP](/page/SP) via the browser.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) The [SP](/page/SP), upon determining that the user is not [authenticated](/page/Authentication), identifies the appropriate [IdP](/page/IDP)—potentially using [metadata](/page/Metadata) or [discovery](/page/Discovery)—and generates an `<AuthnRequest>` message specifying the desired [authentication](/page/Authentication) [context](/page/Context).[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) This request is sent to the [IdP](/page/IDP)'s Single Sign-On (SSO) service endpoint using an HTTP [binding](/page/Binding), such as Redirect or [POST](/page/Post).[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) The browser then redirects to the [IdP](/page/IDP), where the user [authenticates](/page/Authentication) if necessary.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) Upon successful [authentication](/page/Authentication), the [IdP](/page/IDP) constructs a `<Response>` message containing one or more signed `<Assertion>` elements, each including an `<AuthnStatement>` and bearer subject confirmation, and returns it to the [SP](/page/SP)'s Assertion Consumer Service (ACS) via the browser using HTTP [POST](/page/Post) or Artifact [binding](/page/Binding).[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) The [SP](/page/SP) validates the response and grants [access](/page/Access) to the resource if valid.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf)

The [IdP](/page/IDP)-initiated flow, in contrast, starts at the [IdP](/page/IDP) without a prior request from the [SP](/page/SP).[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) The user first interacts with the [IdP](/page/IDP), which authenticates them and issues an unsolicited `<Response>` with an assertion targeted at a specific [SP](/page/SP), often based on user selection or [IdP](/page/IDP) configuration.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) The browser then posts this response to the [SP](/page/SP)'s ACS, allowing the [SP](/page/SP) to validate and process it similarly to the SP-initiated case.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) This variant supports scenarios like portal-based access where users choose services post-authentication at the [IdP](/page/IDP).[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf)

The [profile](/page/Profile) supports several [binding](/page/Binding) combinations for [message](/page/Message) [transport](/page/Transport) to balance usability and [security](/page/Security).[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) In the **POST/POST** variant, the SP sends the `<AuthnRequest>` via HTTP POST to the IdP's SSO endpoint, and the IdP returns the `<Response>` via HTTP POST to the SP's ACS; both [messages](/page/Message) are form-encoded in the [browser](/page/Browser).[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) The **Redirect/POST** variant uses HTTP Redirect for the initial request—encoding the `<AuthnRequest>` in the [URL](/page/URL) query—to simplify SP implementation, followed by HTTP POST for the response.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) For the **Artifact/POST** variant, the SP sends an artifact reference via HTTP Redirect or POST to the IdP, which then resolves it back-channel using the SAML Artifact Resolution [Protocol](/page/Protocol) before posting the full `<Response>` to the ACS; this reduces front-channel payload size but requires additional infrastructure.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) Front-channel artifact variants use the [browser](/page/Browser) for resolution, while back-channel employs direct SP-IdP communication.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf)

Security requirements are integral to the profile to prevent interception and tampering.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) All HTTP exchanges must use [HTTPS](/page/HTTPS) with SSL 3.0 or TLS to ensure [confidentiality](/page/Confidentiality) and [integrity](/page/Integrity) of messages in transit.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) The `<Assertion>` elements in the `<Response>` must be digitally signed by the [IdP](/page/IDP), and the [SP](/page/SP) is required to validate these signatures using the IdP's public key from [metadata](/page/Metadata).[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) Additionally, each assertion must include an `<AudienceRestriction>` condition specifying the [SP](/page/SP)'s unique identifier (e.g., entity ID) to bind the assertion to the intended recipient and prevent replay at unauthorized providers.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) The `<AuthnRequest>` should include an `<Issuer>` element identifying the [SP](/page/SP), and optional elements like `<NameIDPolicy>` or `<Scoping>` may constrain the response format.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf)

### Enhanced Client or Proxy Profile

The Enhanced Client or Proxy (ECP) Profile defines a [single sign-on](/page/Single_sign-on) (SSO) mechanism in SAML 2.0 tailored for HTTP-capable clients that can directly communicate with an [identity provider](/page/Identity_provider) (IdP), bypassing the need for [service provider](/page/Service_provider) (SP)-initiated redirects typical in browser-based scenarios.[](https://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v2.0.html) This profile enables enhanced clients, such as desktop applications or server-side entities, to handle [authentication](/page/Authentication) requests and responses using SOAP messaging over HTTP, facilitating seamless attribute exchange without relying on a [web](/page/Web) browser's [user agent](/page/User_agent).[](https://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v2.0.html) It supports both direct client-to-IdP interactions and proxy modes where the client acts as an [intermediary](/page/Intermediary), routing messages between the SP and IdP to assist in [authentication](/page/Authentication) flows.[](https://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v2.0.html)

The protocol flow begins when the client requests a protected resource from the [SP](/page/SP), prompting the SP to issue a `<samlp:AuthnRequest>` message to the client using the PAOS (Reverse-[SOAP](/page/SOAP)) binding over HTTP POST.[](https://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v2.0.html) The client then forwards this request directly to the IdP via [SOAP](/page/SOAP), authenticates the principal if necessary, and receives a `<samlp:Response>` containing the SAML assertion in a [SOAP](/page/SOAP) [envelope](/page/Envelope).[](https://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v2.0.html) In the proxy variant, the client may leverage a [browser](/page/Browser) only for initial discovery or consent but handles all subsequent [SOAP](/page/SOAP) exchanges independently, ensuring the assertion is returned to the SP through the client.[](https://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v2.0.html) This direct [SOAP](/page/SOAP) pathway contrasts with browser profiles by eliminating [user agent](/page/User_agent) mediation and enabling support for advanced features like holder-of-key assertions and channel bindings for enhanced security.[](https://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v2.0.html)

Common use cases include thick clients, such as desktop software, and mobile applications that require secure attribute exchange with remote services while maintaining control over the authentication process.[](https://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v2.0.html) For instance, enterprise mobile apps can use this profile to authenticate users against an IdP and obtain attributes for personalized resource access without embedding a full browser component.[](https://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v2.0.html) The profile's reliance on PAOS for initial requests and SOAP for responses ensures compatibility with HTTP transports while providing a robust alternative to indirect browser flows.[](https://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v2.0.html)

### Identity Provider Discovery Profile

The Identity Provider Discovery Profile in SAML 2.0 provides a mechanism for service providers (SPs) to dynamically identify the appropriate [identity provider](/page/Identity_provider) (IdP) trusted by a user in scenarios involving multiple IdPs, particularly as a preliminary step before initiating the Web Browser SSO Profile.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) This profile addresses the challenge of federated environments where users may authenticate with different IdPs across a common domain, enabling seamless [single sign-on](/page/Single_sign-on) without requiring SPs to pre-configure all possible IdPs.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) It relies on non-normative strategies for [implementation](/page/Implementation), emphasizing cookie-based discovery to minimize user intervention while supporting redirection flows.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf)

A primary method within this profile is the Common Domain Cookie (CDC), which uses a shared [cookie](/page/Cookie) domain to store and retrieve the user's preferred [IdP](/page/IDP) information. The [cookie](/page/Cookie), named `_saml_idp`, contains a space-separated list of base-64 encoded and URL-encoded URIs pointing to the user's [IdPs](/page/IDP), set by the [IdP](/page/IDP) after successful [authentication](/page/Authentication).[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) It is configured with a path of `/`, a [domain](/page/Domain) of `.[common-domain]` (e.g., `.example.org`), the Secure flag, and optionally as session-only or persistent to balance usability and security.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) The [IdP](/page/IDP) establishes this [cookie](/page/Cookie) via [HTTPS](/page/HTTPS) on a common [domain](/page/Domain) server, which SPs can access to read the value without direct user input, facilitating quick resolution of the IdP endpoint often specified in [metadata](/page/Metadata).[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf)

For dynamic discovery, when no valid cookie is present or multiple IdPs are listed, the profile supports implementation-specific mechanisms where the SP redirects the user agent to a discovery service, such as a common domain endpoint using an HTTPS DNS alias.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) At this service, the user may select an IdP from a presented list, after which the user agent is redirected back to the SP or directly to the selected IdP, potentially including session information in the redirect URI to maintain context.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) This process ensures the discovery occurs transparently in most cases but allows user choice to handle ambiguous or initial access scenarios.

Integration with the broader SAML flow involves the [SP](/page/SP) querying the discovery endpoint—typically the common domain server—prior to issuing an `<AuthnRequest>`, allowing it to relay the request to the resolved [IdP](/page/IDP) for optimized [authentication](/page/Authentication).[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) This pre-authentication step enhances efficiency in federated deployments by avoiding trial-and-error [IdP](/page/IDP) attempts.

Despite its utility, the profile has limitations stemming from its cookie-based reliance, including dependency on a deployment-specific common domain that may not scale across all networks and potential sub-optimality in diverse applications.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) [Privacy](/page/Privacy) concerns arise from the cookie's potential for user tracking across SPs in the common domain, as it persistently links user sessions to [IdP](/page/IDP)s, necessitating secure [HTTPS](/page/HTTPS) transmission and countermeasures like domain scoping to mitigate exposure or poisoning attacks.[](https://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf)

### Assertion Query and Request Profile

The Assertion Query and Request Profile defines a mechanism in SAML 2.0 for [service providers (SPs)](/page/SPS) or other relying parties to query an [identity provider (IdP)](/page/Identity_provider) or attribute authority for existing SAML assertions or specific attributes after initial [authentication](/page/Authentication) has occurred.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) This profile utilizes the SAML Query and Request Protocol over a synchronous binding, such as [SOAP](/page/SOAP), to enable targeted retrieval of assertion content without initiating a new [authentication](/page/Authentication) process.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) It supports the URI `urn:oasis:names:tc:SAML:2.0:profiles:query` and is governed by the core protocol elements in SAML 2.0.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf)

The profile primarily accommodates two key query types relevant to post-authentication retrieval: the `<samlp:AttributeQuery>` and the `<samlp:AssertionIDRequest>`.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) An AttributeQuery allows a requester, typically an [SP](/page/SP), to request attributes associated with a specific [subject](/page/Subject) from the IdP's attribute service.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) This query message includes a `<saml:Subject>` element containing a `<saml:NameID>` to uniquely identify [the principal](/page/The_Principal), ensuring the request targets the correct [user](/page/User).[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) It may also incorporate zero or more `<saml:Attribute>` elements, each designating the desired attributes via attributes like `Name`, `NameFormat`, and `FriendlyName`; if no such designations are provided, the authority returns all attributes it is configured to release for the subject.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) The query must include an `<saml:Issuer>` element identifying the requester, and authentication of the request is typically achieved through digital signatures or the underlying binding.[](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf)

In the typical flow, the SP sends the AttributeQuery to the IdP's specified attribute service endpoint, which processes the request and responds with a `<samlp:Response>` message.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) The response contains either one or more `<saml:Assertion>` elements with `<saml:AttributeStatement>` encapsulating the requested attributes, or a `<samlp:Status>` element indicating success, failure, or partial results (e.g., via status codes like `urn:oasis:names:tc:SAML:2.0:status:Requester` for invalid subjects).[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) Similarly, an AssertionIDRequest enables retrieval of a previously issued assertion by referencing its unique identifier via one or more `<saml:AssertionIDRef>` elements in the request message.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) The flow mirrors that of AttributeQuery: the request is directed to the assertion issuer's service, yielding a response with the matching `<saml:Assertion>` or a status.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) These queries operate on SAML assertions, which encapsulate authentication, attribute, or authorization data about subjects identified by names like NameIDs.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)

Common use cases for this profile include just-in-time attribute release, where an [SP](/page/SP) queries for user attributes (e.g., roles or entitlements) only when needed for [access](/page/Access) decisions, thereby supporting fine-grained [authorization](/page/Authorization) without storing sensitive [data](/page/Data) locally.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) Another application is auditing and validation, such as retrieving a specific assertion by [ID](/page/ID) to verify past [authentication](/page/Authentication) events or [compliance](/page/Compliance) in federated environments.[](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) These scenarios enhance [privacy](/page/Privacy) by limiting attribute disclosure to authenticated, on-demand requests while enabling scalable [identity management](/page/Identity_management) across domains.[](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html)

## Metadata

### Metadata Overview

SAML 2.0 metadata consists of extensible XML documents that describe the configuration and capabilities of entities participating in SAML federations, facilitating automated setup and trust verification without manual intervention.[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) These documents organize information by roles that align with SAML profiles, enabling entities to advertise supported protocols, endpoints, and security keys.[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf)

The core structure of SAML metadata revolves around two primary elements: EntitiesDescriptor and EntityDescriptor. EntitiesDescriptor serves as a container for aggregating multiple EntityDescriptor elements, with optional attributes such as [ID](/page/ID) for [unique](/page/Unique) [identification](/page/Identification), validUntil for expiration, cacheDuration for caching instructions, and Name for labeling the collection.[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) In contrast, EntityDescriptor defines a single SAML entity, requiring an entityID attribute as a [unique](/page/Unique) URI identifier, alongside optional attributes like [ID](/page/ID), validUntil, and cacheDuration.[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf)

Key elements within these descriptors include role descriptors, endpoints, and key information. Role descriptors, such as SPSSODescriptor and IDPSSODescriptor, specify the entity's supported roles and protocols via the protocolSupportEnumeration attribute.[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) Endpoints, defined using the EndpointType, detail locations for protocol interactions, for example, the SingleSignOnService endpoint for [authentication](/page/Authentication) requests.[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) The KeyDescriptor element encapsulates public keys or [X.509](/page/X.509) certificates, with an optional use attribute indicating purposes like signing or [encryption](/page/Encryption), to establish cryptographic [trust](/page/Trust).[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf)

Metadata exchange can occur out-of-band through manual methods, dynamically via HTTP GET or POST requests to a metadata publication endpoint, or with XML digital signatures to ensure authenticity and integrity.[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) This approach automates federation configuration by allowing entities to discover and validate each other's details programmatically, while enabling trust relationships through verified X.509 certificates or raw public keys, as further detailed in security considerations for signing practices.[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf)

### Identity Provider Metadata

Identity Provider (IdP) metadata in SAML 2.0 provides a standardized XML-based description of the services, endpoints, and capabilities offered by an [IdP](/page/IDP) entity, enabling automated configuration and trust establishment between SAML participants.[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) This metadata is encapsulated within the `<IDPSSODescriptor>` element, which extends the base `<SSODescriptorType>` and declares support for the SAML 2.0 [protocol](/page/Protocol) through the `protocolSupportEnumeration` attribute, typically set to `urn:oasis:names:tc:SAML:2.0:[protocol](/page/Protocol)`.[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) The descriptor outlines the IdP's role in [single sign-on](/page/Single_sign-on) (SSO) and related profiles, such as authentication requests and attribute exchange, without including service provider-specific details.[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf)

The `<IDPSSODescriptor>` includes optional attributes like `WantAuthnRequestsSigned`, a [boolean](/page/Boolean) (defaulting to `false`) that specifies whether incoming [authentication](/page/Authentication) requests must be signed by the [relying party](/page/Relying_party).[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) Core endpoints are defined via child elements: `<SingleSignOnService>` (required, one or more instances) specifies locations for SSO responses using bindings such as HTTP Redirect (`urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect`) or HTTP [POST](/page/Post-) (`urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST`), with mandatory `Binding` and `Location` attributes providing the [protocol](/page/Protocol) URI and endpoint [URL](/page/URL), respectively.[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) Similarly, `<NameIDMappingService>` (zero or more) and `<AttributeService>` (zero or more) define endpoints for the Name Identifier Mapping and Attribute Query profiles, each with `Binding` and `Location` attributes to support name identifier transformations and attribute retrieval operations.[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf)

Supported capabilities are enumerated through elements like `<SupportedNameIDFormats>` (zero or more `anyURI` values), which lists acceptable name identifier formats such as `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` or `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`.[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) The `<AttributeProfile>` element (zero or more `anyURI`) indicates supported attribute profiles, for example, those aligned with [XACML](/page/XACML) for policy-based attribute release.[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) Authentication contexts offered by the [IdP](/page/IDP) are detailed via the `<AuthnContextClassRef>` elements within supported contexts, referencing URIs like `urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport` to declare methods such as password or certificate-based authentication.[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf)

Administrative information is provided through the optional `<Organization>` element, which uses `<OrganizationName>` and `<OrganizationDisplayName>` (localized strings) along with `<OrganizationURL>` to identify the IdP's owning entity in multiple languages.[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) Complementing this, one or more `<ContactPerson>` elements offer contact details, each with a required `contactType` attribute (e.g., `technical` or `support`) and sub-elements like `<GivenName>`, `<SurName>`, `<EmailAddress>`, and `<TelephoneNumber>` for operational support.[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf)

Cryptographic material is handled by zero or more `<KeyDescriptor>` elements, each with an optional `use` attribute (`signing`, `encryption`, or both) and containing a `<ds:KeyInfo>` from the XML Signature standard to specify certificates or key names for signing assertions or encrypting data.[](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) For example, an IdP might include:

```xml
<KeyDescriptor use="signing">
  <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509Certificate>MII...</ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</KeyDescriptor>
This structure facilitates secure without manual configuration. Overall, metadata ensures interoperability by standardizing the declaration of SSO endpoints and supported features, as utilized in profiles like Web Browser SSO.

Service Provider Metadata

(SP) metadata in SAML 2.0 describes the configuration and capabilities of an SP entity that consumes assertions from an (), enabling automated setup without manual configuration. The core element for this role is the <SPSSODescriptor>, which extends the <SSODescriptorType> and outlines services for (SSO) assertion consumption. This metadata is typically published as an XML document signed for integrity, allowing IdPs to discover and trust SP endpoints. The <AssertionConsumerService> element specifies the endpoints where the SP receives SAML assertions, supporting profiles like Web Browser SSO. It is an indexed of type IndexedEndpointType and must appear one or more times within <SPSSODescriptor>. Key attributes include:
  • index (required, unsigned short): A unique integer identifier for referencing the endpoint in SAML messages.
  • binding (required, anyURI): The SAML URI, such as urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for POST-based assertion delivery.
  • Location (required, anyURI): The HTTP(S) URI of the assertion consumer service (ACS) .
Optional attributes like isDefault (boolean) can mark a primary endpoint, and additional ones such as ResponseLocation may specify separate response locations for certain bindings. For example, an SP might define multiple ACS endpoints for different bindings to accommodate various SSO flows. The <SingleLogoutService> element defines endpoints for receiving single logout requests and responses, integrating with the Single Logout protocol. It appears zero or more times and uses EndpointType, with required attributes:
  • Binding (anyURI): The logout binding, e.g., urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect.
  • Location (anyURI): The URI for logout messages.
An optional ResponseLocation attribute allows specifying a dedicated response endpoint. This enables IdPs to initiate logout at the SP during federated sessions. Attribute requirements are detailed in the <AttributeConsumingService> element, which describes sets of attributes the SP requests from the IdP, appearing zero or more times with a required index (unsigned short) for selection in authentication requests. Each instance includes:
  • <ServiceName> (one or more): Human-readable names for the service, qualified by language (e.g., xml:lang="en").
  • <ServiceDescription> (zero or more): Descriptive text, also language-qualified.
  • <RequestedAttribute> (one or more): Extends saml:AttributeType with an optional isRequired (boolean) flag to indicate mandatory attributes like urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified for user identifiers.
An optional isDefault attribute (boolean) identifies the primary set. This structure allows SPs to specify context-specific attribute needs, such as basic profile data for employee portals versus detailed attributes for customer applications. Supported NameID formats for incoming assertions are enumerated via zero or more <NameIDFormat> child elements of <SPSSODescriptor>, each a anyURI value like urn:oasis:names:tc:SAML:2.0:nameid-format:persistent for pseudonymous identifiers or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress. These indicate the subject identifier formats the SP can process, as defined in the SAML Core specification. Protocol support is declared in the required protocolSupportEnumeration attribute of <SPSSODescriptor>, a whitespace-separated list of URIs including at least urn:oasis:names:tc:SAML:2.0:protocol for SAML 2.0 compatibility. This attribute signals support for specific SAML versions and, indirectly, authentication contexts via referenced profiles in the SAML Profiles specification. Additional attributes like AuthnRequestsSigned (optional boolean) indicate if the SP requires signed authentication requests, and WantAssertionsSigned specifies the desire for signed assertions. The following XML snippet illustrates a basic <SPSSODescriptor> structure: 
xml
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing">
    <!-- Certificate details -->
  </KeyDescriptor>
  <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
  <AssertionConsumerService index="1" isDefault="true" 
    binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
    Location="https://sp.example.com/acs"/>
  <AttributeConsumingService index="1" isDefault="true">
    <ServiceName xml:lang="en">Default Service</ServiceName>
    <RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.1" 
      isRequired="true" FriendlyName="uid"/>
  </AttributeConsumingService>
  <SingleLogoutService binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
    Location="https://sp.example.com/slo"/>
</SPSSODescriptor>

Security Considerations

Common Vulnerabilities

One of the most prevalent vulnerabilities in SAML 2.0 implementations is XML signature wrapping (XSW), where attackers manipulate the XML structure of SAML assertions or responses by inserting unauthorized elements outside the signed portion, thereby altering the message's meaning while preserving the validity of the digital signature. This attack exploits weaknesses in XML parsing and signature validation, allowing modifications such as changing the recipient or attributes without detection if the service provider does not strictly enforce signature boundaries. Variations include external and internal entity wrapping, which have been demonstrated in multiple implementations since the protocol's adoption. Replay attacks pose another significant threat, occurring when an attacker intercepts a valid SAML assertion and resubmits it to the after its intended validity period, bypassing if expiration checks or validation are inadequately implemented. SAML assertions typically include timestamps and conditions to prevent this, but incomplete verification in bindings like HTTP-Redirect or HTTP-POST can enable reuse, especially in scenarios without session binding. Recent common vulnerabilities and exposures (CVEs) highlight ongoing implementation flaws in popular SAML libraries. For instance, CVE-2025-54419 (disclosed July 2025) in the Node-SAML library allows attackers to modify authentication details within a valid SAML assertion, such as altering the username or attributes, due to improper signature validation on responses. Similarly, CVE-2025-40758 (disclosed August 2025) in the Mendix SAML module enables signature bypass, permitting unauthenticated remote attackers to hijack accounts in specific single sign-on configurations by exploiting validation weaknesses. More recently, as of November 2025, CVE-2025-46404 in certain SAML implementations allows denial-of-service attacks via specially crafted malformed SAML responses, and CVE-2025-47151 involves parsing flaws in SAML libraries that could lead to similar disruptions. These issues underscore risks in JavaScript and enterprise platform integrations, where partial signature checks fail to cover all critical elements. Man-in-the-middle (MitM) attacks can compromise SAML exchanges when unencrypted HTTP bindings are used instead of secure , allowing interception and alteration of assertions in transit. Additionally, weak predictability in NameID formats, such as persistent or transient identifiers that can be guessed or correlated across sessions, may expose user identities to privacy violations or targeted attacks if not obfuscated properly. In profile-specific contexts, the Discovery Profile is susceptible to open redirect vulnerabilities, where unvalidated return URLs in redirection-based discovery flows enable or unauthorized endpoint navigation. Attribute injection attacks further exploit flaws in assertion processing, allowing attackers to insert or modify attributes like via XML injection in poorly sanitized templates, leading to unauthorized if validation is lax.

Mitigation Strategies

To mitigate vulnerabilities in SAML 2.0 implementations, service providers (SPs) and identity providers (IdPs) must enforce strict XML processing rules, including the use of exclusive during validation to handle variations and prevent manipulation attacks. This involves applying the exclusive XML algorithm (as defined in ) when verifying on assertions, responses, and requests, while also performing schema validation on incoming XML documents prior to any checks to ensure structural . Additionally, SPs should configure validation to use trusted keys from local stores or metadata, ignoring untrusted KeyInfo elements to avoid key substitution risks. Assertion security can be strengthened by implementing short validity lifetimes, typically limited to a few minutes, to reduce the window for replay or interception attacks; must strictly reject any assertion exceeding its NotBefore or NotOnOrAfter conditions. restrictions should be validated to confirm that the assertion's element matches the SP's entity , preventing unauthorized use across federations. For higher assurance levels, holder-of-key (HOK) subject confirmation should be employed, where the assertion includes a key that the presenter must prove possession of, such as through a subsequent TLS client or artifact resolution, thereby binding the assertion to the specific holder. Secure protocol bindings are essential, with all SAML exchanges mandating (TLS 1.2 or higher) to protect against man-in-the-middle and threats, using v3 certificates for endpoint authentication. In the HTTP Redirect or bindings, the RelayState parameter must be validated against a of permitted URLs to block open redirect attacks, and it should be integrity-protected if carrying sensitive data. Artifacts used in the Artifact Binding profile require digital signatures for both issuance and resolution requests, while exchanged between entities must be signed and retrieved over TLS-secured channels to establish trust anchors. Operational best practices further enhance resilience, including configuring tolerance to less than 5 minutes by synchronizing system clocks to like NTP, ensuring timely validation of assertion timestamps without excessive leniency. IdPs and SPs should maintain comprehensive audit logs of all assertion queries, validations, and events to support incident response and , retaining logs for an appropriate period based on policy. Regular key rotation is critical, with signing and keys managed via a (PKI), rotated at least annually or immediately upon compromise detection, and unique per-federation pair where feasible to limit . Finally, deployments should rely on validated, open-source or commercially audited libraries (e.g., OpenSAML or equivalent) that implement SAML 2.0 conformantly, with regular updates to address known issues. Entity validation must draw from signed to confirm peer identities, endpoints, and keys before processing messages, establishing a without manual configuration.

References

  1. [1]
    [PDF] saml-core-2.0-os.pdf - Index of /
    Status: This is an OASIS Standard document produced by the Security Services Technical Committee. It was approved by the OASIS membership on 1 ...
  2. [2]
    Security Assertion Markup Language (SAML) V2.0 Technical Overview
    The OASIS SSTC has produced numerous documents related to SAML V2.0. This includes documents that make up the official OASIS standard itself, outreach material ...Drivers of SAML Adoption · SAML Components · Privacy in SAML · Security in SAML
  3. [3]
    What is SAML (Security Assertion Markup Language)? - TechTarget
    Jan 24, 2025 · SAML's main purpose is to define the markup language used to standardize the encoding of authentication data for exchange between systems.
  4. [4]
    [PDF] draft-sstc-glossary-00 - OASIS Open
    Jul 16, 2001 · Date. By Whom. What. 21 Jan ... This document comprises an overall glossary for the OASIS Security Services Technical Committee (SSTC) and.
  5. [5]
    [PDF] Liberty Alliance Project - 3GPP
    What is the Liberty. Alliance ? •. A business alliance, formed in Sept 2001 with the ... ** See archived Liberty Webinar for more SAML information. Liberty ...
  6. [6]
    SAML 2: The Building Blocks of Federated Identity - XML.com
    Jan 12, 2005 · What Is SAML's History? SAML 1.0 became an OASIS standard in November 2002, SAML 1.1 followed in September 2003. SAML has seen significant ...Missing: 2001 | Show results with:2001
  7. [7]
    [PDF] Metadata for the OASIS Security Assertion Markup Language (SAML ...
    This is an OASIS Standard document produced by the Security Services Technical Committee. It was approved by the OASIS membership on 1 March ...Missing: ratification | Show results with:ratification<|control11|><|separator|>
  8. [8]
    Differences Between SAML V2.0 and Liberty ID-FF 1.2
    Jan 23, 2008 · SAML V2.0 enhancements include features derived from the Liberty Alliance Identity Federation Framework (ID-FF) V1.2 specifications that ...
  9. [9]
    From federation to fabric: IAM's evolution - IBM
    SAML 2.0: A circle of trust. By the mid-2000s, threads of research and development (R&D) were coming to fruition, with WS Federation, Liberty Alliance's ID ...
  10. [10]
    SAML Specifications - XML.org
    Oct 22, 2007 · SAML version 2.0 was approved as an OASIS Standard in March 2005. The complete SAML 2.0 OASIS Standard set (PDF format) and schema files are ...
  11. [11]
    [PDF] Security Assertion Markup Language (SAML) V2.0 Technical Overview
    Mar 25, 2008 · security information between online business partners. This document provides a technical description of SAML V2.0. Status:.
  12. [12]
    [PDF] Bindings for the OASIS Security Assertion Markup Language (SAML ...
    Mar 15, 2005 · This specification defines protocol bindings for the use of SAML assertions and request-response messages in communications protocols and ...<|control11|><|separator|>
  13. [13]
    [PDF] Profiles for the OASIS Security Assertion Markup Language (SAML ...
    Mar 15, 2005 · This specification defines profiles for the use of SAML assertions and request-response messages in communications protocols and frameworks, as ...
  14. [14]
    SAML V2.0 Enhanced Client or Proxy Profile Version 2.0 - Index of /
    Aug 26, 2013 · The SAML V2.0 Enhanced Client or Proxy profile is a SSO profile for use with HTTP, and clients with the capability to directly contact a principal's identity ...Profile Overview. 9 · Service Provider Issues <samlp:AuthnRequest> to...
  15. [15]
    [PDF] SAML V2.0 - Security and Privacy Considerations for the OASIS ...
    Mar 15, 2005 · This non-normative document summarizes general security issues and approaches as well as specific threats and countermeasures for the use of ...
  16. [16]
    SAML Security - OWASP Cheat Sheet Series
    Vulnerabilities in SAML implementations due to XML Signature Wrapping attacks ... However SAML based federation or SSO is commonly used inside of an organization.
  17. [17]
    Common SAML vulnerabilities and how to remediate them - Snyk
    Dec 19, 2023 · XML signature wrapping is a vulnerability that exploits weaknesses ... SAML messages, by default, can be vulnerable to replay attacks.
  18. [18]
    Attacking SSO: Common SAML Vulnerabilities and Ways to Find Them
    Mar 7, 2017 · The following are eight of the most common XML Signature Wrapping attacks. You can edit the original SAML file manually to perform these ...
  19. [19]
    Node-SAML CVE-2025-54419: Brief Summary of Critical ... - ZeroPath
    Jul 28, 2025 · This architectural flaw allows an attacker to modify authentication attributes (such as the username) in the SAML assertion without invalidating ...
  20. [20]
    CVE-2025-40758 Detail - NVD
    Aug 14, 2025 · This CVE record has been marked for NVD enrichment efforts. Description. A vulnerability has been identified in Mendix SAML (Mendix 10.12 ...Missing: Node- bypass assertion
  21. [21]
    Siemens Mendix SAML Module | CISA
    Aug 19, 2025 · As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial ...Missing: Node- assertion modification
  22. [22]
    sstc-saml-idp-discovery-cs-01.html - OASIS Open
    Mar 27, 2008 · This specification is an alternative to the SAML V2.0 Identity Provider Discovery profile in the SAML V2.0 Profiles specification [SAML2Prof].
  23. [23]
    SAML: How it Works, Vulnerabilities and Common Attacks - Vaadata
    Jul 19, 2024 · This article takes an in-depth look at the principles and operation of SAML. We will also present the common vulnerabilities and attacks to which it can be ...Missing: bindings NameID discovery
  24. [24]
    SAML XML Injection - NCC Group
    Mar 29, 2021 · This type of vulnerability is most commonly seen in SAML identity providers that naively use string templates to build the SAML XML messages.Identifying The... · Example Exploits · Attribute InjectionsMissing: weak predictability
  25. [25]
    [DOC] XML Signature Guidelines - OASIS Open
    ▫​ When possible, use the Exclusive Canonicalization algorithm when signing SAML assertions, requests, or responses, especially if the SAML object may be signed ...
  26. [26]
    None
    Summary of each segment: