Security Glossary

Security Assertion Markup Language (SAML)

An XML-based open standard for exchanging authentication and authorization data between an identity provider and a service provider for single sign-on.

Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between security domains. It is the dominant protocol for enterprise single sign-on (SSO), letting a user authenticate once and access many applications without re-entering credentials.

The IdP / SP / Assertion Triad

  • Identity Provider (IdP): authenticates the user and issues signed assertions.
  • Service Provider (SP): the application that trusts the IdP and consumes assertions to create a session.
  • Assertion: the signed XML statement about the user (identity, attributes, validity conditions) that the SP relies on.

Trust between IdP and SP is established out of band by exchanging metadata (entity IDs, endpoint URLs, and signing certificates), and assertions are carried over bindings such as HTTP POST and Redirect.

SP-Initiated vs IdP-Initiated

In an SP-initiated flow the user starts at the SP, which redirects to the IdP with a SAMLRequest and later correlates the reply via InResponseTo. In an IdP-initiated flow the user starts at the IdP portal and the IdP posts an unsolicited SAMLResponse to the SP with no prior request. The SP-initiated flow is preferred because the request correlation blocks replay and CSRF.

Where Things Go Wrong

SAML security failures cluster around trusting XML that was not properly signed or not properly scoped:

  • XML Signature Wrapping and missing or partial signature validation
  • Weak assertion scoping (Audience/Recipient) enabling cross-SP replay
  • NameID comment injection and XXE during parsing

PentesterLab Exercises

See Also