The SAML Response

June 13, 2017 / October 19, 2018

Receiving the SAML response

After authenticating, Signicat redirects the user to the target using an HTTP POST. In terms of HTTP, this is what the request looks like:

POST http://localhost:8080/auth/verify HTTP/1.1
Host: localhost:8080
Proxy-Connection: keep-alive
Content-Length: 9213
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: https//
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) chrome/29.0.1547.66 Safari/537.36
Content-Type: Application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate,sdch
Accept-Language: en-US,en;q=0.8

SamlResponse=PFJlc3BvbnNlIHhtbG5zPSJ1c...and so on and so on...Rpb24%2BPC)SZXNwb25zZT4%3D%0D%0A&TARGET=http%3A%2F%2Flocalhost%3A5050%2Fvalidate

Base64-decoding the SamlResponse parameter yields the actual SAML (XML) document, which contains information about the authentication. Read more about SAML 1.1 and SAML 2.0, or have a look at example SAML responses for different identity providers.

Verifying the SAML response

The SAML response is a signed XML document (xml-dsig), and the signature must be verified before the assertion's contents are trusted. Signicat provides libraries that help you verify the SAML response using Java or C#.

  1. How to verify a SAML response using Java
  2. How to verify a SAML response using C#
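The receiving and verifying steps above, as an added example that is not Signicat's code: it parses the POSTed form body shown earlier (including the trailing CRLF after the base64 padding), checks TARGET against an assumed allow-list, base64-decodes SamlResponse, and only returns assertion attributes when the Response carries an enveloped signature. The SAML 1.1 namespaces, the attribute name and the sample response are assumptions; the cryptographic signature check itself is left to the xml-dsig library.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote

# Assumed SAML 1.1 namespaces (the TARGET parameter is the SAML 1.1 browser/POST profile).
NS = {"saml1": "urn:oasis:names:tc:SAML:1.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Assumed allow-list: only relay targets we operate may be accepted from TARGET.
ALLOWED_TARGETS = {"http://localhost:5050/validate"}

def decode_saml_post(body: str) -> tuple[bytes, str]:
    """Parse the form-urlencoded body, validate TARGET and base64-decode SamlResponse."""
    form = parse_qs(body, strict_parsing=True)
    if "SamlResponse" not in form or "TARGET" not in form:
        raise ValueError("SamlResponse and TARGET are both required")
    target = form["TARGET"][0]
    if target not in ALLOWED_TARGETS:
        raise ValueError("TARGET is not an allowed relay target")
    # The page's sample body ends in %0D%0A: drop that CRLF, then decode strictly.
    b64 = "".join(form["SamlResponse"][0].split())
    return base64.b64decode(b64, validate=True), target

def extract_attributes(saml_xml: bytes) -> dict[str, list[str]]:
    """Structural gate: refuse a Response without exactly one enveloped signature.
    The cryptographic check of that signature (Signicat's Java/C# xml-dsig helpers)
    must also pass before the returned attributes are trusted."""
    root = ET.fromstring(saml_xml)  # production: use a hardened parser such as defusedxml
    if len(root.findall("ds:Signature", NS)) != 1:
        raise ValueError("response must carry exactly one enveloped signature")
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml1:AttributeStatement/saml1:Attribute", NS):
        attrs[attr.get("AttributeName")] = [v.text for v in attr.findall("saml1:AttributeValue", NS)]
    return attrs

def handle_post(body: str) -> dict[str, list[str]]:
    saml_xml, _target = decode_saml_post(body)
    return extract_attributes(saml_xml)

# Constructed sample SAML 1.1 response; the signature element is present but not a real signature.
SIGNED_XML = ('<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" ResponseID="_r1">'
              '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo/>'
              '<SignatureValue>constructed</SignatureValue></Signature>'
              '<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_a1">'
              '<AttributeStatement><Attribute AttributeName="national-id">'
              '<AttributeValue>01019900000</AttributeValue></Attribute>'
              '</AttributeStatement></Assertion></Response>')

def make_body(xml: str, target: str = "http://localhost:5050/validate") -> str:
    """Encode as the page shows: base64, trailing CRLF, then form-urlencoded."""
    b64 = base64.b64encode(xml.encode()).decode() + "\r\n"
    return "SamlResponse=" + quote(b64, safe="") + "&TARGET=" + quote(target, safe="")
```

Calling `handle_post(make_body(SIGNED_XML))` returns `{'national-id': ['01019900000']}`; an unsigned response or a TARGET outside the allow-list raises ValueError before any attribute is read.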

Retrieving attributes from the SAML response

Please have a look at the SAML response examples to see which attributes are available in the SAML responses.
