The SAML Response

June 13, 2017, October 22, 2019

Note: SAML 1.1 will be deprecated soon. If you are working on a new integration, we strongly recommend that you use OIDC instead.

Receiving the SAML response

After authenticating, Signicat will redirect the user to the target using HTTP POST. In terms of HTTP, this is what the request would look like:

POST http://localhost:8080/auth/verify HTTP/1.1
Host: localhost:8080
Proxy-Connection: keep-alive
Content-Length: 9213
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: https//
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) chrome/29.0.1547.66 Safari/537.36
Content-Type: Application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate,sdch
Accept-Language: en-US,en;q=0.8
SamlResponse=PFJlc3BvbnNlIHhtbG5zPSJ1c...and so on and so on...Rpb24%2BPC)SZXNwb25zZT4%3D%0D%0A&TARGET=http%3A%2F%2Flocalhost%3A5050%2Fvalidate

Decoding the SAML response (URL-decoding and then base64-decoding the SamlResponse form field) yields the actual SAML (XML) document, which contains the information about the authentication. Read more about SAML 1.1 and SAML 2.0, or have a look at example SAML responses for different identity providers.

Verifying the SAML response

The SAML response is a signed XML document (XML-DSig), and the signature must be verified before any part of the assertion is trusted. Signicat provides libraries that will help you verify the SAML response using Java or C#.

  1. How to verify a SAML response using Java
  2. How to verify a SAML response using C#

Retrieving attributes from the SAML response

Please have a look at the SAML response examples to see which attributes are available in the SAML responses.
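As an added end-to-end example that is not Signicat's code or one of its libraries, the following Python ties the three steps above together: it decodes the posted SamlResponse/TARGET body, parses the XML with DTDs refused, checks that the assertion is signed and that the signature's Reference points at that very assertion, checks the validity window and audience, and only then reads the subject and attributes. The sample SAML 1.1 response, the target URL and the timestamps are constructed for this example; the actual XML-DSig cryptography is delegated to the `verify_signature` callback, which in production would be Signicat's Java/C# library or an XML-DSig library checking the signature against the identity provider's certificate. Form-field names are matched case-insensitively, so both the `SamlResponse` spelling seen in the capture above and the spec's `SAMLResponse` work.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used by a SAML 1.1 response and its XML-DSig signature.
SAML1P = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample values (not captured from Signicat). The SignatureValue is a
# placeholder because real XML-DSig verification is delegated to a callback.
SAMPLE_TARGET = "http://localhost:5050/validate"
SAMPLE_NOW = datetime(2019, 10, 22, 10, 1, tzinfo=timezone.utc)
SAMPLE_XML = f"""<Response xmlns="{SAML1P}" ResponseID="_r1" MajorVersion="1" MinorVersion="1"
  IssueInstant="2019-10-22T10:00:00Z" Recipient="{SAMPLE_TARGET}">
  <Status><StatusCode Value="samlp:Success"/></Status>
  <Assertion xmlns="{SAML1}" AssertionID="_a1" Issuer="example-idp" MajorVersion="1"
    MinorVersion="1" IssueInstant="2019-10-22T10:00:00Z">
    <Conditions NotBefore="2019-10-22T09:59:00Z" NotOnOrAfter="2019-10-22T10:05:00Z">
      <AudienceRestrictionCondition><Audience>{SAMPLE_TARGET}</Audience></AudienceRestrictionCondition>
    </Conditions>
    <AttributeStatement>
      <Subject><NameIdentifier>alice</NameIdentifier></Subject>
      <Attribute AttributeName="firstname" AttributeNamespace="example"><AttributeValue>Alice</AttributeValue></Attribute>
      <Attribute AttributeName="lastname" AttributeNamespace="example"><AttributeValue>Example</AttributeValue></Attribute>
    </AttributeStatement>
    <Signature xmlns="{DSIG}">
      <SignedInfo><Reference URI="#_a1"/></SignedInfo>
      <SignatureValue>PLACEHOLDER</SignatureValue>
    </Signature>
  </Assertion>
</Response>"""


def build_post_body(xml_text: str, target: str) -> str:
    """Encode as the IdP side does: base64 the XML, then form-urlencode it with TARGET."""
    b64 = base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
    return urllib.parse.urlencode({"SAMLResponse": b64, "TARGET": target})


def decode_post_body(body: str):
    """Reverse the encoding on the receiving side; returns (xml_bytes, target)."""
    fields = {k.lower(): v for k, v in urllib.parse.parse_qs(body, strict_parsing=True).items()}
    if "samlresponse" not in fields or "target" not in fields:
        raise ValueError("POST body lacks SamlResponse or TARGET")
    # Captured bodies end the base64 with %0D%0A; validate=False drops such whitespace.
    return base64.b64decode(fields["samlresponse"][0], validate=False), fields["target"][0]


def parse_xml(xml_bytes: bytes) -> ET.Element:
    # Refuse DTDs before the parser sees them: an IdP response never needs one, and
    # entity expansion is the classic XML denial-of-service / disclosure problem.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration in SAML response")
    return ET.fromstring(xml_bytes)


def _utc(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def validate_response(root: ET.Element, expected_target: str, now: datetime, verify_signature) -> dict:
    """Return subject and attributes only after every check has passed."""
    if root.tag != f"{{{SAML1P}}}Response":
        raise ValueError("not a SAML 1.1 Response")
    assertions = root.findall(f"{{{SAML1}}}Assertion")
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    # The signature must exist, must reference this very assertion, and must verify.
    sig = assertion.find(f"{{{DSIG}}}Signature")
    if sig is None:
        raise ValueError("assertion is not signed")
    ref = sig.find(f"{{{DSIG}}}SignedInfo/{{{DSIG}}}Reference")
    if ref is None or ref.get("URI") != "#" + assertion.get("AssertionID", ""):
        raise ValueError("signature does not cover this assertion")
    if not verify_signature(assertion):
        raise ValueError("XML-DSig verification failed")
    # Validity window and audience come from Conditions; both are mandatory here.
    cond = assertion.find(f"{{{SAML1}}}Conditions")
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not nb or not noa or not (_utc(nb) <= now < _utc(noa)):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.iter(f"{{{SAML1}}}Audience")]
    if audiences and expected_target not in audiences:
        raise ValueError("assertion not intended for this audience")
    subject = assertion.find(f".//{{{SAML1}}}NameIdentifier")
    attrs = {a.get("AttributeName"): [v.text for v in a.findall(f"{{{SAML1}}}AttributeValue")]
             for a in assertion.iter(f"{{{SAML1}}}Attribute")}
    return {"subject": subject.text if subject is not None else None, "attributes": attrs}


def process_saml_post(body: str, expected_target: str, now: datetime, verify_signature) -> dict:
    xml_bytes, target = decode_post_body(body)
    if target != expected_target:  # never redirect to a TARGET you did not issue
        raise ValueError("unexpected TARGET")
    return validate_response(parse_xml(xml_bytes), expected_target, now, verify_signature)


if __name__ == "__main__":
    body = build_post_body(SAMPLE_XML, SAMPLE_TARGET)
    # Stand-in verifier for the demo only; the real one checks SignatureValue against
    # the IdP certificate (Signicat's Java/C# library or an XML-DSig library).
    print(process_saml_post(body, SAMPLE_TARGET, SAMPLE_NOW, verify_signature=lambda a: True))
```

The ordering matters: the signature and its Reference are checked before the Conditions or attributes are read, so an unsigned or re-wrapped assertion is rejected before any of its content influences a decision, and the TARGET value is compared against the URL the application itself issued rather than followed blindly.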
