SAML Blog Series (Part 3): Advanced Guide
Overview
Advanced topics:
- XML Assertions
- Signing
- Security
- Logout (SLO)
- SAML vs OIDC
SAML Assertion
<saml:Assertion>
  <saml:Issuer>IdP</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="T1" NotOnOrAfter="T2" />
  <saml:AuthnStatement AuthnInstant="T3" />
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
Architecture
User -> SP -> IdP -> SP -> Session
Full flow:
User
|
v
Service Provider
|
v
Identity Provider
|
v
Signed Assertion
|
v
SP Validation
|
v
Session Created
Digital Signatures
- IdP creates the assertion
- A hash (digest) of the assertion is generated
- The digest is signed with the IdP's private key
- The SP verifies the signature using the IdP's public certificate
Security
- Expiry enforcement (reject outside the NotBefore / NotOnOrAfter window)
- Audience restriction (the assertion must name this SP as its audience)
- Replay protection (each assertion ID is accepted once)
- Clock skew handling (a small tolerance around the validity window, not an open-ended one)
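The four checks above, as an added SP-side example (not code from this blog series). It assumes the XML signature has already been verified, uses only the standard library ElementTree, a constructed sample assertion, and an assumed 60-second skew tolerance:

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLOCK_SKEW = timedelta(seconds=60)  # assumed tolerance; tune per deployment

# Constructed sample assertion (not from a real IdP). It carries no Signature:
# signature verification must happen before these checks and is out of scope here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-001" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_utc(value):
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_conditions(xml_text, expected_audience, now_iso, seen_ids):
    """Apply expiry, audience, replay and skew checks. Returns (accepted, reason).

    seen_ids: set of assertion IDs already consumed. Entries must be retained at
    least until their NotOnOrAfter + skew has passed, otherwise replay is possible.
    """
    now = parse_utc(now_iso)
    root = ET.fromstring(xml_text)
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        return False, "replay: missing or already consumed assertion ID"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not not_on_or_after:
        return False, "no expiry (NotOnOrAfter) set"
    # NotBefore is inclusive, NotOnOrAfter is exclusive; skew widens both edges.
    if not_before and now + CLOCK_SKEW < parse_utc(not_before):
        return False, "not yet valid"
    if now - CLOCK_SKEW >= parse_utc(not_on_or_after):
        return False, "expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    seen_ids.add(assertion_id)  # consume the ID only after every other check passed
    return True, "ok"
```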
Single Logout (SLO)
User logout
|
v
SP sends LogoutRequest
|
v
IdP ends session
|
v
Optional: notify other SPs
SAML vs OIDC
| SAML | OIDC |
|---|---|
| XML | JSON |
| Browser-based | API-friendly |
| Enterprise SSO | Modern apps |
Key Takeaway
SAML is a trust-based identity system using signed, short-lived assertions.