Security Glossary

SAMLRequest

An XML message sent by a service provider to an identity provider to initiate the authentication process for a user.

SAMLRequest (AuthnRequest) is an XML message generated by the Service Provider (SP) to initiate user authentication at the Identity Provider (IdP). It is typically sent via the HTTP-Redirect or HTTP-POST binding.

Request Structure

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123"
    Version="2.0"
    IssueInstant="2024-01-15T10:30:00Z"
    Destination="https://idp.example.com/sso"
    AssertionConsumerServiceURL="https://sp.example.com/acs"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">

  <saml:Issuer>https://sp.example.com</saml:Issuer>

  <samlp:NameIDPolicy
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      AllowCreate="true"/>
</samlp:AuthnRequest>

Transmission

// HTTP-Redirect Binding
// Request is deflated, base64-encoded, and URL-encoded
GET /sso?SAMLRequest=fZJNT8MwDI...&RelayState=/dashboard

// HTTP-POST Binding
<form method="POST" action="https://idp.example.com/sso">
  <input type="hidden" name="SAMLRequest" value="PHNhbWxw..."/>
  <input type="hidden" name="RelayState" value="/dashboard"/>
</form>

Key Elements

  • ID: Unique request identifier (linked to response)
  • Issuer: SP's entity ID
  • Destination: IdP's SSO endpoint
  • ACS URL: Where to send the response
  • RelayState: The original URL the user was accessing

Security Considerations

  • The IdP should validate the Issuer against its list of known SPs
  • Signed requests are recommended for sensitive applications
  • Validate the ACS URL against the SP's registered metadata
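
The HTTP-Redirect round trip from the Transmission section and the IdP-side checks from the list above, as an added Python example that is not code from this glossary; the KNOWN_SPS table is a constructed stand-in for real SP metadata, and the sample values match the request shown earlier.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
IDP_SSO_URL = "https://idp.example.com/sso"
# Constructed stand-in for SP metadata: entity ID -> ACS URLs registered for it.
KNOWN_SPS = {"https://sp.example.com": {"https://sp.example.com/acs"}}

def build_authn_request(issuer: str, acs_url: str, req_id: str = "_abc123") -> str:
    # Minimal AuthnRequest in the shape shown above (constructed sample values).
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="{req_id}" Version="2.0" IssueInstant="2024-01-15T10:30:00Z" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{acs_url}">'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')

def encode_redirect(xml: str, relay_state: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    return urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                      "RelayState": relay_state})

def decode_redirect(query: str) -> tuple[str, str]:
    """Reverse of encode_redirect: returns (xml, relay_state)."""
    params = parse_qs(query, strict_parsing=True)
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml = zlib.decompressobj(-15).decompress(raw, 1 << 20).decode()  # cap inflated size
    return xml, params.get("RelayState", [""])[0]

def validate_authn_request(xml: str) -> list[str]:
    """IdP-side checks from the Security Considerations list; an empty list means accept."""
    problems = []
    try:
        root = ET.fromstring(xml)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return ["not a samlp:AuthnRequest"]
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    if issuer not in KNOWN_SPS:
        problems.append(f"unknown Issuer {issuer!r}")
    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None and acs not in KNOWN_SPS.get(issuer, set()):
        problems.append(f"ACS URL {acs!r} is not registered for {issuer!r}")
    if root.get("Destination") != IDP_SSO_URL:
        problems.append("Destination is not this IdP's SSO endpoint")
    return problems
```

Request signature verification (the second consideration above) is deliberately left out; a production IdP checks the Signature/SigAlg query parameters against the SP's registered certificate before trusting any of these fields.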

See Also