SAMLRequest

SAMLRequest is the name of the HTTP parameter (query-string value or hidden form field) that carries a SAML protocol request. In the SSO flow it carries an AuthnRequest, an XML message the Service Provider (SP) generates to ask the Identity Provider (IdP) to authenticate the user. It is typically sent with the HTTP-Redirect or HTTP-POST binding.

Request Structure

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123"
    Version="2.0"
    IssueInstant="2024-01-15T10:30:00Z"
    Destination="https://idp.example.com/sso"
    AssertionConsumerServiceURL="https://sp.example.com/acs"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">

  <saml:Issuer>https://sp.example.com</saml:Issuer>

  <samlp:NameIDPolicy
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      AllowCreate="true"/>
</samlp:AuthnRequest>

Transmission

// HTTP-Redirect Binding
// Request is DEFLATE-compressed (raw, no zlib header), base64-encoded, then URL-encoded
// into the query string. A signed request carries its signature in separate SigAlg and
// Signature query parameters, not inside the XML.
GET /sso?SAMLRequest=fZJNT8MwDI...&RelayState=/dashboard

// HTTP-POST Binding
// Request is base64-encoded (not deflated) into a hidden field of an auto-submitted form;
// a signature, if present, is an XML Signature inside the document.
<form method="POST" action="https://idp.example.com/sso">
  <input type="hidden" name="SAMLRequest" value="PHNhbWxw..."/>
  <input type="hidden" name="RelayState" value="/dashboard"/>
</form>
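The two encodings above, as an added example that is not part of the original page: it builds the AuthnRequest shown earlier, encodes it for the HTTP-Redirect and HTTP-POST bindings, and decodes each the way the IdP would. The entity ID and endpoint URLs are the example.com values from this page; the request ID generator and helper names are this example's own.

```python
import base64
import secrets
import zlib
from datetime import datetime, timezone
from typing import Tuple
from urllib.parse import parse_qs, urlencode

# Values taken from the request on this page; example.com hosts, not real deployments.
SP_ENTITY_ID = "https://sp.example.com"
SP_ACS_URL = "https://sp.example.com/acs"
IDP_SSO_URL = "https://idp.example.com/sso"


def new_request_id() -> str:
    # SAML IDs are xsd:ID values (NCNames), so they must not start with a digit;
    # a leading underscore plus 160 random bits is both valid and unguessable.
    return "_" + secrets.token_hex(20)


def build_authn_request(request_id: str, issue_instant: str) -> str:
    """Serialize an AuthnRequest equivalent to the one on this page."""
    return (
        '<samlp:AuthnRequest'
        ' xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
        ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
        f' ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}"'
        f' Destination="{IDP_SSO_URL}"'
        f' AssertionConsumerServiceURL="{SP_ACS_URL}"'
        ' ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        '<samlp:NameIDPolicy'
        ' Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"'
        ' AllowCreate="true"/>'
        '</samlp:AuthnRequest>'
    )


def encode_redirect(xml: str, relay_state: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    # urlencode percent-encodes the '+', '/' and '=' that base64 output contains.
    return urlencode({"SAMLRequest": b64, "RelayState": relay_state})


def decode_redirect(query: str) -> Tuple[str, str]:
    """Inverse of encode_redirect, as the IdP does when it parses the query string."""
    params = parse_qs(query, strict_parsing=True)
    deflated = base64.b64decode(params["SAMLRequest"][0])
    xml = zlib.decompress(deflated, -15).decode("utf-8")
    return xml, params.get("RelayState", [""])[0]


def encode_post(xml: str) -> str:
    """HTTP-POST binding: plain base64 of the XML, carried in a hidden form field."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_post(field_value: str) -> str:
    return base64.b64decode(field_value).decode("utf-8")


def redirect_url(xml: str, relay_state: str) -> str:
    """The full Location the SP redirects the browser to."""
    return f"{IDP_SSO_URL}?{encode_redirect(xml, relay_state)}"


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = build_authn_request(new_request_id(), now)
    print(redirect_url(xml, "/dashboard"))
    print(encode_post(xml)[:40] + "...")
```

The `-15` window size is what makes this the raw DEFLATE stream SAML requires; using `zlib.compress` would prepend a zlib header that most IdPs reject.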

Key Elements

  • ID: Unique request identifier (an xsd:ID, so it must begin with a letter or underscore); the IdP echoes it in the response's InResponseTo attribute so the SP can match response to request
  • Issuer: SP's entity ID, which the IdP uses to look up the SP's metadata
  • Destination: IdP's SSO endpoint the request is addressed to
  • AssertionConsumerServiceURL (ACS URL): Where the IdP should send the response; it must be one of the ACS URLs published in the SP's metadata
  • RelayState: Not part of the XML but a separate binding parameter, opaque to the IdP and returned unchanged with the response; SPs commonly use it to carry the URL the user was originally accessing

Security Considerations

  • IdP should validate Issuer against its registered SPs and reject requests from unknown issuers
  • Validate ACS URL against SP metadata: honouring an arbitrary request-supplied AssertionConsumerServiceURL lets an attacker have a victim's assertion delivered to an endpoint the attacker controls
  • Signed requests recommended for sensitive apps; the IdP should enforce the requirement from SP metadata rather than treat a signature as optional when one is missing
  • SP should accept a response only when its InResponseTo matches an ID the SP actually issued and has not yet consumed
  • SP should treat RelayState as untrusted when it comes back: follow only same-origin relative paths, otherwise it becomes an open redirect
  • Parse the request with a hardened XML parser (no external entities, bounded entity expansion), since the XML arrives from the browser
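The IdP-side checks above, plus the SP-side RelayState check, as an added example that is not code from the original page. The SP registry, the fixed clock value and the helper names are this example's assumptions; signature verification is assumed to be done by a SAML library before `validate_authn_request` runs, and the sample request is constructed inline from the one shown on this page.

```python
import re
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-ins for the IdP's own SSO endpoint and its SP metadata store.
IDP_SSO_URL = "https://idp.example.com/sso"
KNOWN_SPS = {
    "https://sp.example.com": {
        "acs_urls": ["https://sp.example.com/acs"],  # first entry is the default ACS
        "require_signed": False,
    },
}
MAX_SKEW = timedelta(minutes=5)
NCNAME = re.compile(r"^[A-Za-z_][\w.\-]*$")  # xsd:ID: no leading digit, no spaces
FIXED_NOW = datetime(2024, 1, 15, 10, 31, tzinfo=timezone.utc)  # repeatable "now" for checks


class AuthnRequestError(ValueError):
    pass


def sample_request(issuer="https://sp.example.com", acs="https://sp.example.com/acs",
                   destination=IDP_SSO_URL, req_id="_abc123",
                   issue_instant="2024-01-15T10:30:00Z") -> str:
    """Constructed AuthnRequest matching the one on this page, with knobs for negative tests."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{req_id}" Version="2.0" IssueInstant="{issue_instant}" '
            f'Destination="{destination}" AssertionConsumerServiceURL="{acs}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')


def _parse_instant(value: str) -> datetime:
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise AuthnRequestError("IssueInstant is not a UTC xsd:dateTime")


def validate_authn_request(xml: str, now: Optional[datetime] = None,
                           signature_verified: bool = False) -> dict:
    """IdP side: accept an AuthnRequest only from a registered SP, and only for an ACS URL
    that SP published. Signature verification (XML Signature for POST, SigAlg/Signature
    over the query string for Redirect) is assumed to have happened before this call."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise AuthnRequestError("not an AuthnRequest")
    req_id = root.get("ID") or ""
    if not NCNAME.match(req_id):
        raise AuthnRequestError("ID is not a valid xsd:ID")
    issued = _parse_instant(root.get("IssueInstant") or "")
    if abs(now - issued) > MAX_SKEW:
        raise AuthnRequestError("IssueInstant outside allowed clock skew")
    # Destination is optional, but when present it must name this IdP's endpoint.
    if root.get("Destination") not in (None, IDP_SSO_URL):
        raise AuthnRequestError("Destination is not this IdP's SSO endpoint")
    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    sp = KNOWN_SPS.get(issuer)
    if sp is None:
        raise AuthnRequestError(f"unknown Issuer {issuer!r}")
    if sp["require_signed"] and not signature_verified:
        raise AuthnRequestError("SP metadata requires signed AuthnRequests")
    # Never honour a request-supplied ACS URL that metadata does not list: an attacker
    # could otherwise have the victim's assertion posted to an endpoint they control.
    acs = root.get("AssertionConsumerServiceURL")
    if acs is None:
        acs = sp["acs_urls"][0]
    elif acs not in sp["acs_urls"]:
        raise AuthnRequestError("AssertionConsumerServiceURL not in SP metadata")
    return {"issuer": issuer, "id": req_id, "acs_url": acs, "issue_instant": issued}


def validation_error(xml: str, now: Optional[datetime] = None) -> str:
    """Return the rejection reason, or an empty string if the request is acceptable."""
    try:
        validate_authn_request(xml, now)
    except (AuthnRequestError, ET.ParseError) as exc:
        return str(exc)
    return ""


def safe_relay_state(relay_state: str, default: str = "/") -> str:
    """SP side: RelayState comes back verbatim from the IdP, so follow it only when it is
    a same-origin relative path; anything else is an open-redirect vector."""
    if (not relay_state or not relay_state.startswith("/")
            or relay_state.startswith(("//", "/\\"))):
        return default  # absolute, scheme-relative and backslash-tricked URLs leave the site
    parts = urlsplit(relay_state)
    return relay_state if not (parts.scheme or parts.netloc) else default
```

The ACS check is an exact-match lookup on purpose: prefix or host-only comparisons are how ACS validation bypasses usually happen. `validate_authn_request` returns the ACS URL it resolved so the IdP uses that value, never the raw attribute, when it later posts the response.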

See Also