SAML · Auth Standards Deep Dive

Quick Facts

What SAML Is

Basic Concepts

Origin: SAML 2.0 ratified in 2005. Predates OAuth/OIDC by years.
XML, signed and optionally encrypted. Assertions are XML documents, signed with XML-DSig.
Three roles: Identity Provider (IdP — Okta, Azure AD, ADFS), Service Provider (SP — your app), and the user.
Two flows: SP-initiated (user clicks login on your app, you redirect to IdP) and IdP-initiated (user clicks your app's tile in the IdP's portal).
Bindings: how messages travel — HTTP-Redirect (URL params for short messages), HTTP-POST (form auto-submit for assertions), HTTP-Artifact (back-channel).
Metadata XML describes endpoints and signing certificates. SP and IdP exchange metadata once at integration time.

The Flow

SP-Initiated Login

User hits your app's login page; your app generates an AuthnRequest (XML) and redirects them to the IdP.
User authenticates at the IdP (password, MFA, however the company set it up).
IdP generates a SAML assertion — signed XML with the user's identity, attributes, and conditions (audience, validity window).
IdP HTTP-POSTs the assertion to your app's Assertion Consumer Service (ACS) URL via a hidden form auto-submitted in the browser.
Your app verifies the signature, checks Audience, NotOnOrAfter, InResponseTo, then issues its own session.

Where It Goes Wrong

The Famous Pitfalls

XML Signature Wrapping

The famous SAML attack class. The assertion is signed, but the verifier looks at one part of the document and reads identity from another. Carefully crafted XML can have a valid signature on a benign element and an attacker-controlled identity elsewhere — the parser and the verifier disagree.

Fix: use a vetted SAML library (OneLogin's, ITfoxtec, OpenSAML, SAPI). Don't parse SAML XML by hand. Configure the library to canonicalize, then verify, then read claims — and verify that the identity it reads is from the signed portion.

Missing Audience Check

An assertion intended for one SP can be replayed at another if the receiver doesn't check Audience. Always verify Audience matches your SP entity ID exactly.

Replay Without InResponseTo

SP-initiated flows must verify the assertion's InResponseTo matches the original AuthnRequest ID stored in the user's session. Without it, a captured assertion can be replayed at the user's browser to log them in as the original user — or worse, to a different SP.

Lax Clock Skew

NotBefore and NotOnOrAfter windows must be honored. Some libraries default to a generous skew (5+ minutes) for "compatibility." Tighten it; an old assertion is a useful tool for an attacker.

IdP-Initiated Flows Are Inherently Riskier

Without an AuthnRequest the SP started, you can't bind the assertion to a session. Some implementations allow IdP-initiated flows by accepting any unsolicited valid assertion — this opens replay and CSRF-flavored attacks. Disable unless required; if required, generate a session token strictly tied to the assertion's instant.

Decision

SAML vs OIDC

	SAML	OIDC
Format	XML, signed	JSON, signed
Mobile / SPA fit	Awkward	Native
Tooling	Heavy, library-required	Many libraries, simple flows
Discovery	Metadata XML exchange	`/.well-known/openid-configuration`
Where you'll meet it	Big enterprises, ADFS, Shibboleth, education	Everything new
Implementation risk	High — XML signature pitfalls	Lower with vetted libraries

Recommendation for B2B SaaS: support both. Implement OIDC first (most modern customers); add SAML when an enterprise deal demands it. Use a service like WorkOS, SSOReady, Cloudflare Zero Trust, Okta SSO Service to abstract SAML's pain — they translate every customer's IdP into a clean OIDC-style API for your app.

Continue

Other Auth Standards

← OAuth 2.0 ← OpenID Connect JWT → MFA / 2FA → Passkeys / WebAuthn → ↑ Back to Security