SAMLResponse

SAMLResponse is the XML message the Identity Provider (IdP) sends to the Service Provider (SP) after it has authenticated the user. It contains one or more assertions carrying the user's identity information and is typically delivered by HTTP POST to the SP's Assertion Consumer Service (ACS) URL.

Response Structure

<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_response123"
    Version="2.0"
    IssueInstant="2024-01-15T10:30:00Z"
    Destination="https://sp.example.com/acs"
    InResponseTo="_request456">

  <saml:Issuer>https://idp.example.com</saml:Issuer>

  <!-- Optional signature over the whole Response -->
  <ds:Signature>...</ds:Signature>

  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>

  <saml:Assertion>
    <!-- Signed assertion with the user's identity information -->
  </saml:Assertion>
</samlp:Response>

Transmission

// HTTP-POST binding to the ACS URL; the SAMLResponse form field carries the base64-encoded XML
POST /saml/acs HTTP/1.1
Host: sp.example.com
Content-Type: application/x-www-form-urlencoded

SAMLResponse=PHNhbWxwOlJlc3BvbnNl...&RelayState=/dashboard

Validation Checklist

  • Verify the XML signature on the Response and/or the Assertion, and consume only the element that signature covers
  • Check that Status is Success
  • Validate that InResponseTo matches the ID of the AuthnRequest this SP issued
  • Verify that Destination matches this SP's ACS URL
  • Check all time-based conditions (NotBefore, NotOnOrAfter) against the current time
  • Verify that Issuer is the trusted IdP
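The checklist above, implemented as an added example (Python written for this page; it is not code from the original page or from any SAML library). It runs every non-cryptographic check on a constructed SAMLResponse. Signature verification is assumed to have been done first with a real XML-DSig implementation (for example the signxml or python3-saml libraries), and the element that signature covered is what gets handed to these checks; because signature wrapping relies on the consumer reading a different element than the one that was signed, the function also refuses any response that carries more than one Assertion or an Assertion that is not a direct child of the Response. The parameter names, the sample values and the two-minute clock-skew allowance are assumptions.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for untrusted input in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample response (the ds:Signature element is omitted; see the lead-in).
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_response123" Version="2.0" IssueInstant="2024-01-15T10:30:00Z"
    Destination="https://sp.example.com/acs" InResponseTo="_request456">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assertion789" Version="2.0" IssueInstant="2024-01-15T10:30:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-15T10:35:00Z"
            Recipient="https://sp.example.com/acs" InResponseTo="_request456"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-15T10:29:00Z" NotOnOrAfter="2024-01-15T10:35:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Assumed "current time" for the demonstration, one minute after IssueInstant.
NOW = datetime(2024, 1, 15, 10, 31, tzinfo=timezone.utc)


def parse_instant(value):
    """SAML timestamps are UTC ISO 8601 ending in 'Z'; fractional seconds are dropped here."""
    return datetime.strptime(value.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(xml_bytes, *, expected_request_id, acs_url, sp_entity_id,
                      trusted_issuer, now, skew=timedelta(minutes=2)):
    """Return the list of failed checks; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("Status is not Success")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("Response InResponseTo does not match the AuthnRequest ID we issued")
    if root.get("Destination") != acs_url:
        problems.append("Response Destination is not our ACS URL")
    if root.findtext("saml:Issuer", default="", namespaces=NS).strip() != trusted_issuer:
        problems.append("Response Issuer is not the trusted IdP")

    # Consume only an Assertion that is a direct child of the Response, and refuse
    # responses that carry more than one Assertion anywhere in the tree.
    direct = root.findall("saml:Assertion", NS)
    if len(direct) != 1 or len(root.findall(".//saml:Assertion", NS)) != 1:
        problems.append("expected exactly one saml:Assertion, as a direct child of the Response")
        return problems
    assertion = direct[0]

    if assertion.findtext("saml:Issuer", default="", namespaces=NS).strip() != trusted_issuer:
        problems.append("Assertion Issuer is not the trusted IdP")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions element")
    else:
        if cond.get("NotBefore") and now + skew < parse_instant(cond.get("NotBefore")):
            problems.append("Assertion not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now - skew >= parse_instant(cond.get("NotOnOrAfter")):
            problems.append("Assertion expired (NotOnOrAfter)")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if audiences and sp_entity_id not in audiences:
            problems.append("our entity ID is not in the AudienceRestriction")

    # Bearer confirmation data binds the assertion to this ACS, this request and a deadline.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("Recipient") not in (None, acs_url):
            problems.append("SubjectConfirmationData Recipient is not our ACS URL")
        if scd.get("InResponseTo") not in (None, expected_request_id):
            problems.append("SubjectConfirmationData InResponseTo does not match our request")
        if scd.get("NotOnOrAfter") and now - skew >= parse_instant(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmationData expired (NotOnOrAfter)")
    return problems


if __name__ == "__main__":
    args = dict(expected_request_id="_request456", acs_url="https://sp.example.com/acs",
                sp_entity_id="https://sp.example.com", trusted_issuer="https://idp.example.com")
    print("fresh:", validate_response(SAMPLE_RESPONSE, now=NOW, **args))
    print("late :", validate_response(SAMPLE_RESPONSE, now=NOW.replace(minute=41), **args))
```

Every check appends a message instead of returning on the first failure, so a log line from this function shows the full set of reasons a response was rejected, which is what an incident responder wants when hunting for tampered or replayed responses.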

Common Vulnerabilities

  • Missing signature validation
  • Signature on Response but not Assertion (signature wrapping)
  • Comment injection in NameID

See Also