# SAML examples

# AuthnRequest

To initiate an authentication process, you send an AuthnRequest to Signicat.

# AuthnRequest basic example

This example contains a basic SAML AuthnRequest. You can always add additional information in the request, but the bare minimum request can look like:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AttributeConsumingServiceIndex="1"
                     Destination="https://yourdomain/broker/sp/saml/login" ForceAuthn="true"
                     ID="_b6a016332e19a825bb42917c9870c93a" IssueInstant="2021-03-09T10:26:17.210Z"
                     Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        yourEntityID
    </saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        ... XML Signature ...
    </ds:Signature>
</saml2p:AuthnRequest>
```

# AuthnRequest example with language

The following example shows how to specify the language as an attribute:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AttributeConsumingServiceIndex="1"
                     Destination="https://yourdomain/broker/sp/saml/login" ForceAuthn="true"
                     ID="_b6a016332e19a825bb42917c9870c93a" IssueInstant="2021-03-09T10:26:17.210Z"
                     Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        yourEntityID
    </saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        ... XML Signature ...
    </ds:Signature>

    <saml2p:Extensions>
        <req-attr:RequestedAttributes xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr">
            <md:RequestedAttribute xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Name="signicat:param:language" isRequired="true">
                <saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                                      xsi:type="xsd:string">no</saml2:AttributeValue>
            </md:RequestedAttribute>
        </req-attr:RequestedAttributes>
    </saml2p:Extensions>
</saml2p:AuthnRequest>
```

# AuthnRequest example REDIRECT binding with prefilled attributes

```xml
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AttributeConsumingServiceIndex="1"
                     Destination="https://yourdomain/broker/sp/saml/login" ForceAuthn="true"
                     ID="_b6a016332e19a825bb42917c9870c93a" IssueInstant="2021-03-09T10:26:17.210Z"
                     Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        yourEntityID
    </saml2:Issuer>
    <saml2p:Extensions>
        <req-attr:RequestedAttributes xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr"
                                      xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                                      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
            <md:RequestedAttribute isRequired="true"
                                   Name="firstName"
                                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
            ...
            <md:RequestedAttribute Name="signicat:prefilled:subject">
                <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">subject@example.com</saml:AttributeValue>
            </md:RequestedAttribute>
            <md:RequestedAttribute isRequired="false"
                                   Name="signicat:prefilled:phone">
                <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">1234567890</saml:AttributeValue>
            </md:RequestedAttribute>
        </req-attr:RequestedAttributes>
    </saml2p:Extensions>
</saml2p:AuthnRequest>
```

# AuthnRequest with IdP discovery

If you have more than one ID method configured in your Signicat account, you can use IdP discovery to route the end-user directly to a specific ID method for authentication. This skips the ID method selection screen, on which the end-user would otherwise choose among all the methods active in your account. This feature is also known as IdP scoping or IdP routing rules.

With IdP discovery, you can define logic to determine two aspects of an authentication flow:

  • ID method discovery: You can define which ID method to use, such as iDIN or Norwegian BankID.
  • Provider discovery: You can specify the entity or provider (such as a bank) for an ID method. For example, for iDIN you can route end-users to only one of the banks. Note that this functionality is limited to certain ID methods only.

To control which ID method to display to your end-users, you can specify the IdP in the IDPEntry field, as shown below:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AttributeConsumingServiceIndex="1"
                     Destination="https://yourdomain/broker/sp/saml/login" ForceAuthn="false"
                     ID="_aeaf5a7ddbc280bde07a1024f0574b70" IssueInstant="2021-03-09T10:47:58.502Z"
                     Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        yourEntityId
    </saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        ... XML Signature ...
    </ds:Signature>
    <saml2p:Scoping>
        <saml2p:IDPList>
            <saml2p:IDPEntry ProviderID="ftn"/>
        </saml2p:IDPList>
    </saml2p:Scoping>
</saml2p:AuthnRequest>
```

You can find an overview of the values for each ID method at https://<YOUR_SIGNICAT_DOMAIN>/broker/idps. Use the value of internalName.

If you define only one ID method in the payload, the end-user is routed to the IdP-specific authentication page, automatically skipping the IdP selection screen during authentication.

To let the end-user choose among a subset of ID methods active in your account, specify multiple values with the IDPEntry field.
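
The following is an added example (not Signicat's code) that builds the AuthnRequest above with the Python standard library, so that the Scoping/IDPList part can be generated from a list of internalName values rather than edited by hand. It assumes the ds:Signature is added afterwards by your SAML library; the ID format and the `example-idp` name used in comments are assumptions, not values from the Signicat IdP overview.

```python
"""Build a Signicat AuthnRequest with IdP discovery (added example, not Signicat code).
The ds:Signature is left to your SAML library; this shows the Scoping/IDPList part."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

P, A = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml2p", P)
ET.register_namespace("saml2", A)

def build_authn_request(issuer, destination, idp_names, force_authn=False):
    """Return (request_id, xml). Store request_id: the Response must carry it in InResponseTo.
    idp_names are internalName values from https://<YOUR_SIGNICAT_DOMAIN>/broker/idps; one name
    routes the end-user straight to that ID method, several names give a reduced selection screen."""
    request_id = "_" + secrets.token_hex(16)   # xs:ID may not start with a digit, hence the underscore
    issue_instant = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    req = ET.Element(f"{{{P}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant, "Destination": destination,
        "ForceAuthn": str(force_authn).lower(), "AttributeConsumingServiceIndex": "1"})
    ET.SubElement(req, f"{{{A}}}Issuer").text = issuer
    idp_list = ET.SubElement(ET.SubElement(req, f"{{{P}}}Scoping"), f"{{{P}}}IDPList")
    for name in idp_names:
        ET.SubElement(idp_list, f"{{{P}}}IDPEntry", ProviderID=name)
    return request_id, ET.tostring(req, encoding="unicode")

def idp_entries(xml):
    """ProviderID values in a request's Scoping/IDPList (used to check what we built)."""
    return [e.get("ProviderID") for e in
            ET.fromstring(xml).iterfind(f"{{{P}}}Scoping/{{{P}}}IDPList/{{{P}}}IDPEntry")]

if __name__ == "__main__":
    # "ftn" is the value used on this page; any other name here is a placeholder.
    rid, xml = build_authn_request("yourEntityID", "https://yourdomain/broker/sp/saml/login", ["ftn"])
    print(rid, xml, sep="\n")
```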

::: Provider discovery

Certain ID methods consist of a network of identity providers (or issuers), such as banks, that collectively offer authentication to their customers. You may want to offer your end-users only a limited number of these providers when they authenticate with such an ID method.

To find out how to control this setting in your SAML 2.0 requests, see the SAML Requested Attributes page.

:::

# AuthnRequest with RequestedAuthnContext and with REDIRECT binding

```xml
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    AssertionConsumerServiceURL="https://yourspdomain/acs"
                    AttributeConsumingServiceIndex="0" Destination="https://yourbrokerdomain/broker/sp/saml/login"
                    ForceAuthn="true" ID="_7457921E6AA91C24CC1FEDBFBF763618" IsPassive="false"
                    IssueInstant="2021-03-09T10:53:19Z" Version="2.0"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>yourEntityId</saml:Issuer>
    <samlp:RequestedAuthnContext Comparison="minimum">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
```

# AuthnResponse

At the end of an authentication flow, the identity provider sends a SAML AuthnResponse to the service provider. In this case, Signicat sends you an AuthnResponse at the end of an end-user authentication flow. If the end-user authentication is successful, the response contains the Assertion with the NameID and attributes of the end-user.

# AuthnResponse example with DigiD

Example of a SAML response after end-user login with DigiD:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://yourDomain/broker/authn/saml/acs" ID="_04ace7e4085e09ac84e6b99be926c5ac" InResponseTo="_5cd72f201985cf4261e0224ac32638e2" IssueInstant="2023-12-12T16:27:06.399Z" Version="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://yourBrokerDomain/auth/saml</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    ...
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7ab99d298dc73af395150d8367bf8bcd" IssueInstant="2023-12-12T16:27:06.424Z" Version="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer>https://yourBrokerDomain/auth/saml</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      ...
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="https://was-preprod1.digid.nl/saml/idp/metadata">n8ek7xaPjR6XOGseV-NI9MJvLH6Zf2ciWC0gSEuLo5A=</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_5cd72f201985cf4261e0224ac32638e2" NotOnOrAfter="2023-12-12T16:29:06.424Z" Recipient="https://yourDomain/broker/authn/saml/acs"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2023-12-12T16:27:01.424Z" NotOnOrAfter="2023-12-12T16:29:06.424Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://yourDomain/broker/authn/saml</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="nin">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">900234854</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="nin.issuingCountry">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">NL</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="nin.type">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">PERSON</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
    <saml2:AuthnStatement AuthnInstant="2023-12-12T16:27:06.425Z" SessionIndex="a749063e-b11a-4e2b-beee-927a9f132446">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
        <saml2:AuthenticatingAuthority>https://was-preprod1.digid.nl/saml/idp/metadata</saml2:AuthenticatingAuthority>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
```
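
The response above carries several fields that the service provider has to check before trusting the NameID and attributes: Status, InResponseTo and Destination on the Response, InResponseTo and Recipient on the SubjectConfirmationData, the NotBefore/NotOnOrAfter window, and the Audience. The following is an added example (not Signicat's code) that performs those checks on a constructed, cut-down copy of the DigiD response; it assumes your SAML library has already verified the two ds:Signature elements, which this example does not do.

```python
"""Relying-party checks on a Signicat SAML Response (added example, not Signicat code). Assumes
your SAML library already verified the ds:Signature on Response and Assertion; these checks follow."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample, cut down from the DigiD response above (signatures omitted).
SAMPLE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://yourDomain/broker/authn/saml/acs" ID="_04ace7e4085e09ac84e6b99be926c5ac"
 InResponseTo="_5cd72f201985cf4261e0224ac32638e2" IssueInstant="2023-12-12T16:27:06.399Z" Version="2.0">
 <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
 <saml2:Assertion ID="_7ab99d298dc73af395150d8367bf8bcd" IssueInstant="2023-12-12T16:27:06.424Z" Version="2.0">
  <saml2:Subject><saml2:NameID>n8ek7xaPjR6XOGseV-NI9MJvLH6Zf2ciWC0gSEuLo5A=</saml2:NameID>
   <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData InResponseTo="_5cd72f201985cf4261e0224ac32638e2"
     NotOnOrAfter="2023-12-12T16:29:06.424Z" Recipient="https://yourDomain/broker/authn/saml/acs"/>
   </saml2:SubjectConfirmation></saml2:Subject>
  <saml2:Conditions NotBefore="2023-12-12T16:27:01.424Z" NotOnOrAfter="2023-12-12T16:29:06.424Z"><saml2:AudienceRestriction>
   <saml2:Audience>https://yourDomain/broker/authn/saml</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>
  <saml2:AttributeStatement><saml2:Attribute Name="nin"><saml2:AttributeValue>900234854</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement>
 </saml2:Assertion></saml2p:Response>"""

def parse_ts(s):  # SAML timestamps are UTC ('Z'); compare them as aware datetimes
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def validate(xml, request_id, acs_url, audience, now):
    """Return (NameID, {attribute: value}) or raise ValueError. request_id: ID of the AuthnRequest
    you sent; acs_url: your ACS endpoint; audience: your SP entityID; now: current UTC time."""
    r = ET.fromstring(xml)
    if r.find("p:Status/p:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    if r.get("InResponseTo") != request_id or r.get("Destination") != acs_url:
        raise ValueError("Response not issued for our request or our ACS")
    a = r.find("a:Assertion", NS)
    scd = a.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS) if a is not None else None
    if scd is None or scd.get("InResponseTo") != request_id or scd.get("Recipient") != acs_url:
        raise ValueError("Assertion missing or its SubjectConfirmationData is not for our request")
    c = a.find("a:Conditions", NS)
    end = min(parse_ts(c.get("NotOnOrAfter")), parse_ts(scd.get("NotOnOrAfter")))
    if not parse_ts(c.get("NotBefore")) <= now < end:  # no clock-skew allowance; add a few seconds in production
        raise ValueError("assertion outside its validity window")
    if audience not in [e.text for e in c.findall("a:AudienceRestriction/a:Audience", NS)]:
        raise ValueError("assertion not intended for this SP")
    attrs = {x.get("Name"): x.findtext("a:AttributeValue", namespaces=NS)
             for x in a.findall("a:AttributeStatement/a:Attribute", NS)}
    return a.findtext("a:Subject/a:NameID", namespaces=NS), attrs
```

Note that the two-minute window in the sample (NotBefore to NotOnOrAfter) is what limits replay of a captured response; a stored set of already-consumed Assertion IDs closes the remaining gap inside that window.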

# AuthnResponse example with eHerkenning

Example AuthnResponse after end-user login with eHerkenning:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://yourDomain/saml/acs" ID="_8ecbe9dcd8c6e4765d5b6bd9cf5f2010" InResponseTo="_6dee7048f7b558987b5d9900e1b20832" IssueInstant="2023-12-11T12:35:48.235Z" Version="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://yourBrokerDomain/auth/saml</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        ... XML Signature ...
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_03c096c04b157811ec2af48c91e4d618" IssueInstant="2023-12-11T12:35:48.263Z" Version="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <saml2:Issuer>https://yourBrokerDomain/auth/saml</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            ... XML Signature ...
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="urn:etoegang:HM:00000003244440010000:entities:9713">k5QDBPNavooSgsxQNCITxSnQc5oo37cqev726-Iz1-Y=</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData InResponseTo="_6dee7048f7b558987b5d9900e1b20832" NotOnOrAfter="2023-12-11T12:37:48.263Z" Recipient="https://yourDomain/saml/acs"/>
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2023-12-11T12:35:43.263Z" NotOnOrAfter="2023-12-11T12:37:48.263Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>https://yourDomain/saml</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="name">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Gerarda Josephina Kierkegaard</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="firstName">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Gerarda Josephina</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="lastName">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Kierkegaard</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="email">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">email@example.com</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="pseudo">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">03659FB1FAE5D26DB2D28866C1A4FE7F4E1CD5E62DD2552EE3D3B11D4C27163D@9162F54B3B07284AC4E147A849DEAEE4</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="kvkNr">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">24444001</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="rsin">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">819935177</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="serviceID">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">urn:etoegang:DV:00000003244440010000:services:9121</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="serviceUUID">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">cf1c1457-cc97-4b47-a324-25d1a97db3cb</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="intermediateKvkNr">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">24444002</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="companyName">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Signicat</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="intermediateCompanyName">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Intermediary</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
        <saml2:AuthnStatement AuthnInstant="2023-12-11T12:35:48.264Z" SessionIndex="14779d0d-08bb-4929-95a2-499363b122f7">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
                <saml2:AuthenticatingAuthority>urn:etoegang:HM:00000003244440010000:entities:9713</saml2:AuthenticatingAuthority>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>
```

Last updated: 08/05/2024 11:49 UTC