
Single Sign On with SAML

How signed XML assertions let one identity provider log a user into many apps.


One Login for Many Apps

Single sign on lets a user authenticate once and access many applications. SAML is a long-standing standard for this, common in enterprises. It defines two roles:

  • The identity provider authenticates the user and issues assertions.
  • The service provider is the application the user wants to reach.

When a user visits a service provider, they are redirected to the identity provider, which authenticates them and returns a signed assertion describing who they are.

Why the Signature Matters

The assertion is XML signed by the identity provider. The service provider trusts it only if the signature validates against the identity provider's public key. This is the heart of SAML security, and also its most common weakness.

  • Always validate the signature and the signing certificate.
  • Check the assertion audience so a token for one app is not accepted by another.
  • Enforce time bounds so expired or future dated assertions are rejected.

A frequent flaw is parsing the assertion before verifying its signature, which has enabled real world bypasses.
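The three checks above, in the order a service provider should apply them, as an added Python example that is not part of this lesson. The element names and namespace are SAML 2.0's; the signature step is an assumption: a detached HMAC over the raw assertion bytes stands in for XML-DSig so the example runs offline, where a real service provider would verify an enveloped XML signature against the identity provider certificate taken from its metadata. The assertion, entity IDs and key are constructed for the demo.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://app.example.com/saml/metadata"  # constructed SP identifier
CLOCK_SKEW = timedelta(minutes=2)

# Assumption: a shared HMAC key stands in for the IdP signing key and XML-DSig,
# so the example runs offline. Real deployments verify an enveloped XML signature
# against the IdP certificate pinned from its metadata.
IDP_SIGNING_KEY = b"constructed-demo-idp-key"


def sign_assertion(assertion_xml: bytes, key: bytes = IDP_SIGNING_KEY) -> str:
    """IdP side: detached signature over the exact assertion bytes."""
    return hmac.new(key, assertion_xml, hashlib.sha256).hexdigest()


def verify_signature(assertion_xml: bytes, signature: str, key: bytes = IDP_SIGNING_KEY) -> bool:
    """SP side: constant-time comparison against the recomputed signature."""
    return hmac.compare_digest(sign_assertion(assertion_xml, key), signature)


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC, e.g. 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(assertion_xml: bytes, signature: str, now: datetime,
                       expected_audience: str = SP_ENTITY_ID):
    """Return (accepted, detail): detail is the NameID on success, the reason on failure."""
    # 1. Signature gate comes first: nothing below runs on unverified bytes.
    if not verify_signature(assertion_xml, signature):
        return False, "signature invalid"
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        return False, "not a SAML Assertion"
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None or not conditions.get("NotBefore") or not conditions.get("NotOnOrAfter"):
        return False, "missing time bounds"
    # 2. Time bounds, with a small allowance for clock drift between IdP and SP.
    if now + CLOCK_SKEW < parse_saml_time(conditions.get("NotBefore")):
        return False, "assertion not yet valid"
    if now - CLOCK_SKEW >= parse_saml_time(conditions.get("NotOnOrAfter")):
        return False, "assertion expired"
    # 3. Audience: the assertion must be addressed to this service provider.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not name_id.text:
        return False, "missing NameID"
    return True, name_id.text


def make_assertion(name_id: str, audience: str, not_before: str, not_on_or_after: str) -> bytes:
    """Constructed minimal SAML 2.0 assertion for the demo (not a real IdP's output)."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}" ID="_demo" Version="2.0">'
        f'<saml:Issuer>https://idp.example.org</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
        f'</saml:Conditions></saml:Assertion>'
    ).encode()


NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed "current time"


def run_checks() -> dict:
    """Exercise the validator on a good assertion and three that must be rejected."""
    window = ("2024-01-01T11:55:00Z", "2024-01-01T12:05:00Z")
    good = make_assertion("alice@example.com", SP_ENTITY_ID, *window)
    other_app = make_assertion("alice@example.com", "https://other.example.com/saml", *window)
    # Bytes altered after signing: the signature gate must reject this before parsing.
    tampered = good.replace(b"alice@example.com", b"admin@example.com")
    return {
        "good": validate_assertion(good, sign_assertion(good), NOW),
        "wrong_audience": validate_assertion(other_app, sign_assertion(other_app), NOW),
        "expired": validate_assertion(good, sign_assertion(good), NOW + timedelta(minutes=10)),
        "tampered": validate_assertion(tampered, sign_assertion(good), NOW),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The ordering is the point: the parser is never handed bytes whose signature has not already been verified, the audience check stops an assertion issued for one app from being replayed at another, and the skew allowance is small and applied symmetrically rather than turning time bounds into a suggestion.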

Key idea

SAML single sign on lets an identity provider issue signed XML assertions that service providers trust, so the security rests on strictly validating the signature, audience, and time bounds before honoring any assertion.

Check yourself


1. What makes a SAML assertion trustworthy to a service provider?

2. Why check the assertion audience?

3. What is a classic SAML implementation flaw?