SAML Service Provider (SP)

SAML Service Provider (SP) is the application or service that relies on an external Identity Provider (IdP) for user authentication. The SP trusts assertions from its configured IdPs and grants access based on the identity information they provide.

SP Responsibilities

  • Generate authentication requests (SAMLRequest)
  • Receive and validate SAML responses
  • Verify digital signatures on assertions
  • Extract user identity from assertions
  • Create local sessions for authenticated users

SP-Initiated Flow

// 1. User accesses protected resource
GET /dashboard

// 2. SP redirects to IdP with SAMLRequest
HTTP 302 Redirect
Location: https://idp.example.com/sso?SAMLRequest=...

// 3. After IdP authentication, SP receives response at ACS URL
POST /saml/acs
SAMLResponse=PHNhbWxwOlJlc3Bvb...

// 4. SP validates and creates session
Set-Cookie: session=...

SP Configuration

SP metadata includes:

  • Entity ID (unique identifier)
  • Assertion Consumer Service (ACS) URL
  • Single Logout Service URL
  • X.509 certificate for signature validation
  • Supported bindings (POST, Redirect)

Security Considerations

  • Validate signature on ALL assertions
  • Check NotBefore and NotOnOrAfter conditions
  • Verify Destination matches ACS URL
  • Check InResponseTo matches original request
  • Prevent assertion replay (track used assertion IDs)
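As an added example (not code from the original page), here is a Python sketch of the SP-side checks listed above, run over a constructed SAML response. It assumes the assertion signature has already been verified by an XML-DSig library, an ACS URL of https://sp.example.com/saml/acs, and a 60-second clock-skew allowance; the request-ID and assertion-ID sets stand in for the SP's session store.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://sp.example.com/saml/acs"  # this SP's configured ACS URL (assumed)
SKEW = timedelta(seconds=60)                  # tolerated IdP/SP clock drift

# Constructed sample response, not a real capture. XML-DSig signature verification
# is assumed done already by an XML-signature library; these are the remaining SP checks.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1"
  Destination="https://sp.example.com/saml/acs" InResponseTo="_req42">
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml, outstanding_requests, used_assertion_ids, now):
    """Return the asserted NameID, or raise ValueError naming the failed check."""
    root = ET.fromstring(xml)
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination does not match ACS URL")
    in_response_to = root.get("InResponseTo")
    if in_response_to not in outstanding_requests:
        raise ValueError("InResponseTo does not match an outstanding request")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise ValueError("assertion or Conditions missing")
    not_before, not_on_or_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    if not (not_before - SKEW <= now < not_on_or_after + SKEW):  # NotOnOrAfter is exclusive
        raise ValueError("assertion outside validity window")
    assertion_id = assertion.get("ID")
    if assertion_id in used_assertion_ids:
        raise ValueError("assertion replayed")
    used_assertion_ids.add(assertion_id)          # remember it until NotOnOrAfter has passed
    outstanding_requests.discard(in_response_to)  # a request ID is answered only once
    return assertion.find("saml:Subject/saml:NameID", NS).text

def check(xml, outstanding_requests, used_assertion_ids, now_iso):
    """Wrapper for callers: NameID on success, 'rejected: <reason>' otherwise."""
    try:
        return validate_response(xml, outstanding_requests, used_assertion_ids, _ts(now_iso))
    except ValueError as exc:
        return f"rejected: {exc}"
```

In a real deployment the used-assertion-ID set must persist across SP instances and be pruned only after each assertion's NotOnOrAfter (plus skew) has passed.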

See Also