Extended SAML Guide
This guide covers more advanced SAML topics, Single Logout (SLO), encrypted assertions, and metadata structure, that matter for real-world implementations.
Single Logout (SAML SLO)
SAML SLO lets a user sign out of all connected services from either the IdP or the SP, depending on which side triggers the flow.
SLO Flow
- The user clicks logout at the SP or the IdP.
- A SAML LogoutRequest is sent to the other party.
- The other party returns a LogoutResponse.
- If multiple SPs are involved, LogoutRequests may cascade to each of them.
Implementation Considerations
- Deleting session cookies alone may not complete the logout.
- Plan carefully which side (IdP or SP) initiates the SLO.
- Not all IdPs support multi-SP logout flows.
Encrypted Assertion
Assertions can be encrypted to protect attribute values in transit between the IdP and the SP.
Why Encrypt?
- Protects user attributes from being exposed in transit.
- Helps prevent replay attacks or data leakage.
- Useful in B2B integrations that require privacy guarantees.
Requirements for Decryption
- The SP must hold the private key used to decrypt.
- The IdP must have access to the SP's public key in order to encrypt.
- Check whether your SP library supports EncryptedAssertion.
Metadata Structure
SAML metadata is an XML document that describes an IdP or SP, including its certificates and endpoints.
Key Elements
- EntityDescriptor: top-level element representing the IdP or SP.
- KeyDescriptor: carries the signing and encryption certificates.
- SingleSignOnService: the IdP URL that receives login requests.
- AssertionConsumerService: the SP URL that receives the SAMLResponse.
Best Practices
- Expired certificates cause validation failures.
- Make sure endpoint URLs are correct (no typos, correct protocol).
- Custom metadata should follow the SAML schemas strictly.
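As an added example (not part of this guide or any particular SAML library), the following script lints an SP metadata document against the points above: metadata validity, presence of the encryption key the IdP needs for encrypted assertions, and https on every endpoint. The metadata sample is constructed, with a placeholder in place of a real certificate.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse

# Real SAML 2.0 metadata and XML-DSig namespaces.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed SP metadata with three deliberate problems: an expired validUntil,
# a signing-only KeyDescriptor, and a plain-http SingleLogoutService endpoint.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml" validUntil="2020-01-01T00:00:00Z">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://sp.example.test/saml/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def lint_sp_metadata(xml_text, now=None):
    """Return a list of findings; an empty list means all checks passed."""
    now = now or datetime.now(timezone.utc)
    findings = []
    root = ET.fromstring(xml_text)
    # Strict consumers reject metadata whose validUntil has passed.
    valid_until = root.get("validUntil")
    if valid_until:
        expires = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expires <= now:
            findings.append(f"metadata expired at {valid_until}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no SPSSODescriptor"]
    # A KeyDescriptor without a use attribute serves both signing and encryption.
    uses = {kd.get("use", "both") for kd in sp.findall("md:KeyDescriptor", NS)}
    if not uses & {"encryption", "both"}:
        findings.append("no encryption KeyDescriptor: IdP cannot encrypt assertions")
    if not uses & {"signing", "both"}:
        findings.append("no signing KeyDescriptor")
    # Every endpoint must be an absolute https URL (correct protocol, no typos).
    for tag in ("md:AssertionConsumerService", "md:SingleLogoutService"):
        for ep in sp.findall(tag, NS):
            loc = urlparse(ep.get("Location", ""))
            if loc.scheme != "https" or not loc.netloc:
                findings.append(f"{tag[3:]} Location not https: {ep.get('Location')}")
    return findings
```

Run `lint_sp_metadata(SP_METADATA)` to see the three findings, then apply the same check to your own exported metadata before handing it to an IdP.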