ゆるテックノート

Basics of SAML Signatures and Attributes

This document covers not only the basic mechanism of SAML, but also practical knowledge useful for real-world implementation and operation.

๐Ÿ” SAML Signatures and Attributes

SAML Responses are digitally signed using XML Signatures to ensure integrity and verify the identity of the issuing IdP.

Structure of the Signature

  • 📌 Signatures are placed inside the signed element (the Response or the Assertion) as an XML Signature (Signature) child element
  • 📌 The signature may cover the Assertion only or the entire Response; the SP must check which scope it actually covers
  • 📌 Signatures are produced with the IdP's private key and verified against its X.509 certificate (usually published in IdP metadata)

Things to Watch When Verifying

  • โš ๏ธ Time skew may cause NotBefore/NotOnOrAfter validation failures
  • โš ๏ธ Check certificate validity and expiration
  • โš ๏ธ Ensure the EntityID matches the expected value on the SP side

📄 Handling of Attributes

SAML Responses can include user attributes such as email or role information.

Common Attributes

  • ✅ email: used for login ID or notifications
  • ✅ givenName / surname: used for display name
  • ✅ groups / roles: used for access control

Attribute Mapping

  • 🧩 Attributes must be mapped to internal user fields on the SP side
  • 🧩 Attribute names and namespaces vary by IdP (e.g., AzureAD, Okta)
  • 🧩 If required attributes are missing, login may fail
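The mapping step above, as an added example that is not code from the original note: it pulls the AttributeStatement out of an assertion and translates IdP-specific attribute names into the SP's own user fields, failing the login when a required attribute is absent. The Azure AD claim URIs are the ones Azure AD emits by default; the short names under "okta" are assumptions (in Okta they are whatever the administrator configured), and the sample assertion is constructed.

```python
"""Attribute extraction and per-IdP attribute mapping on the SP side.

Added example, not code from the original note. The "okta" attribute names
are assumed values; the Azure AD claim URIs are its defaults. The sample
assertion below is constructed for this demo.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# internal field -> attribute Name exactly as the IdP emits it in the AttributeStatement
ATTRIBUTE_MAPS = {
    "azuread": {
        "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
        "surname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
        "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
    },
    "okta": {  # assumed names: set by the Okta admin in the app's attribute statements
        "email": "email",
        "given_name": "firstName",
        "surname": "lastName",
        "groups": "groups",
    },
}
REQUIRED_FIELDS = ("email",)  # login cannot proceed without these


class MissingAttributeError(Exception):
    """Raised when a required attribute is absent from the assertion."""


def extract_attributes(assertion_xml):
    """Return {attribute Name: [values]} from every AttributeStatement.

    ElementTree is fine for this constructed sample; parse real (untrusted)
    responses with defusedxml to avoid entity-expansion attacks.
    """
    root = ET.fromstring(assertion_xml)
    attributes = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes.setdefault(attr.get("Name"), []).extend(values)
    return attributes


def map_attributes(attributes, idp):
    """Translate IdP attribute names into the SP's internal user fields."""
    user = {}
    for field, idp_name in ATTRIBUTE_MAPS[idp].items():
        values = attributes.get(idp_name, [])
        if field == "groups":
            user[field] = values        # multi-valued: keep the whole list
        elif values:
            user[field] = values[0]     # single-valued: take the first value
    missing = [f for f in REQUIRED_FIELDS if not user.get(f)]
    if missing:
        raise MissingAttributeError(
            f"required attribute(s) {missing} not present for IdP '{idp}'")
    return user


# Constructed sample: the AttributeStatement of an Azure AD style assertion.
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>admins</saml:AttributeValue>
      <saml:AttributeValue>developers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    raw = extract_attributes(SAMPLE_ASSERTION)
    print(map_attributes(raw, "azuread"))
    try:
        map_attributes(raw, "okta")  # same assertion under the wrong IdP mapping
    except MissingAttributeError as exc:
        print("login would fail:", exc)
```

Running the same assertion through the "okta" mapping shows the failure mode from the last bullet: the attributes are present, but under names the SP is not looking for, so the required email field is never filled and the login is refused.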

โฑ๏ธ Conditions, Validity, and Errors

SAML Assertions contain conditions and expiration timestamps which must be validated by the SP.

Assertion Conditions

  • 📎 NotBefore: invalid before this timestamp
  • 📎 NotOnOrAfter: invalid at or after this timestamp (token expiration)
  • 📎 Audience: must match the allowed SP EntityID

Common Errors

  • 🧯 Signature verification error (certificate mismatch or incorrect scope)
  • 🧯 XML parsing error (Deflate or Base64 decoding failure)
  • 🧯 Condition mismatch error (time drift, audience mismatch)
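The checks from "Things to Watch When Verifying", the Assertion Conditions above, and the decoding and condition errors just listed, as one added example that is not code from the original note. It decodes a SAMLResponse parameter for either the HTTP-POST binding (Base64 only) or the HTTP-Redirect binding (Base64 over raw DEFLATE), then validates Destination against the ACS URL, Issuer against the expected IdP EntityID, NotBefore/NotOnOrAfter with a clock-skew allowance, and the Audience against the SP EntityID. The SP entity ID, ACS URL, IdP entity ID and sample Response are constructed; XML Signature verification is assumed to have already run (with a library such as xmlsec or signxml) and is not shown.

```python
"""Decode a SAMLResponse and validate Destination, Issuer and Conditions.

Added example, not code from the original note. SP_ENTITY_ID, ACS_URL,
IDP_ENTITY_ID and SAMPLE_RESPONSE are constructed values. Signature
verification must run before validate_response(); it is not shown here.
"""
import base64
import binascii
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"  # constructed
ACS_URL = "https://sp.example.com/saml/acs"            # constructed
IDP_ENTITY_ID = "https://idp.example.com/saml"         # constructed
CLOCK_SKEW = timedelta(minutes=3)  # tolerated drift between IdP and SP clocks


class SamlValidationError(Exception):
    pass


def decode_saml_response(param, binding):
    """HTTP-POST carries Base64 only; HTTP-Redirect carries Base64 over raw DEFLATE."""
    try:
        data = base64.b64decode(param, validate=True)
    except binascii.Error as exc:
        raise SamlValidationError("Base64 decoding failed") from exc
    if binding == "redirect":
        try:
            data = zlib.decompress(data, -15)  # wbits < 0: raw DEFLATE, no zlib header
        except zlib.error as exc:
            raise SamlValidationError("Deflate decoding failed") from exc
    return data


def encode_saml_response(xml_bytes, binding):
    """Inverse of decode_saml_response, used here only to build sample input."""
    if binding == "redirect":
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        xml_bytes = comp.compress(xml_bytes) + comp.flush()
    return base64.b64encode(xml_bytes).decode("ascii")


def parse_utc(value):
    """SAML timestamps are xs:dateTime in UTC, e.g. 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_bytes, now):
    """Raise SamlValidationError on any mismatch; return the validated facts."""
    try:
        root = ET.fromstring(xml_bytes)  # use defusedxml for untrusted input
    except ET.ParseError as exc:
        raise SamlValidationError("XML parsing failed") from exc
    # A Destination, when present, must be this SP's ACS URL.
    if root.get("Destination", ACS_URL) != ACS_URL:
        raise SamlValidationError("Destination does not match the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlValidationError("no Assertion in Response")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        raise SamlValidationError(f"unexpected Issuer {issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("Assertion has no Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    # Skew allowance: accept slightly early and slightly late, never beyond the window.
    if not_before and now + CLOCK_SKEW < parse_utc(not_before):
        raise SamlValidationError("assertion not yet valid (NotBefore)")
    if not_on_or_after and now - CLOCK_SKEW >= parse_utc(not_on_or_after):
        raise SamlValidationError("assertion expired (NotOnOrAfter)")
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError(f"Audience {audiences} does not include this SP")
    return {"issuer": issuer, "audiences": audiences}


# Constructed sample Response (unsigned here; a real one carries a Signature element).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{ACS_URL}">
  <saml:Assertion>
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""".encode()

if __name__ == "__main__":
    param = encode_saml_response(SAMPLE_RESPONSE, "redirect")
    print(validate_response(decode_saml_response(param, "redirect"), parse_utc("2024-05-01T12:02:00Z")))
```

With a five-minute validity window and a three-minute skew allowance, a clock two minutes past NotOnOrAfter still validates while four minutes past is rejected; tune CLOCK_SKEW to the drift you actually observe rather than widening it until errors disappear, since every extra minute extends how long a captured assertion stays usable.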

โš™๏ธ Differences and Compatibility Between SP and IdP

Differences by IdP

  • 🔧 AzureAD uses URL-style EntityIDs and has automatic certificate rotation
  • 🔧 Google Workspace uses a unique namespace and requires attribute adjustments
  • 🔧 Okta and Keycloak support advanced SAML features but have many configuration items

SP Configuration Tips

  • ๐Ÿ› ๏ธ Accurately specify accepted EntityID and ACS (Assertion Consumer Service) URL
  • ๐Ÿ› ๏ธ Check whether metadata import is supported
  • ๐Ÿ› ๏ธ Enable and enforce SAML Response signature verification