SP‑initiated SSO in 7 steps

  1. User browses to SP → SP creates AuthnRequest.
  2. SP redirects to IdP SSO service with AuthnRequest (Redirect or POST binding).
  3. IdP authenticates user.
  4. IdP issues SAMLResponse with signed Assertion.
  5. Browser POSTs SAMLResponse to SP ACS.
  6. SP validates signature, audience, conditions, and extracts attributes.
  7. SP establishes session and redirects to app.
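
The checks in step 6 other than the signature, as an added example that is not part of this project's demo code: it decodes the base64 SAMLResponse received at the ACS and tests Destination, audience and the Conditions time window before returning attributes. The entity ID, ACS URL, 60-second skew allowance and sample response are constructed assumptions, and XML signature verification must already have succeeded before any of these values are trusted.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SKEW = timedelta(seconds=60)  # assumed clock-skew allowance

def _instant(value):
    # SAML instants are UTC xs:dateTime values such as 2024-05-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(b64, sp_entity_id, acs_url, now):
    """Return (attributes, errors). Signature verification is out of scope here
    and must succeed before any of these values are trusted."""
    xml = base64.b64decode(b64, validate=True)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        return {}, ["DTD or entity declaration present"]
    root = ET.fromstring(xml)
    errors = []
    if root.get("Destination") != acs_url:
        errors.append("Destination is not this ACS")
    # Only a direct child of Response counts; zero or several is an error
    assertions = root.findall("a:Assertion", NS)
    cond = assertions[0].find("a:Conditions", NS) if len(assertions) == 1 else None
    if cond is None:
        return {}, errors + ["need exactly one Assertion with Conditions"]
    audiences = [e.text for e in cond.findall("a:AudienceRestriction/a:Audience", NS)]
    if sp_entity_id not in audiences:
        errors.append("audience mismatch")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + SKEW < _instant(nb):
        errors.append("not yet valid")
    if not noa or now - SKEW >= _instant(noa):
        errors.append("expired or missing NotOnOrAfter")
    attrs = {a.get("Name"): [v.text for v in a.findall("a:AttributeValue", NS)]
             for a in assertions[0].findall("a:AttributeStatement/a:Attribute", NS)}
    return (attrs if not errors else {}), errors

def sample_response(audience, not_before, not_on_or_after):
    # Constructed, unsigned response for illustration only
    xml = f"""<samlp:Response xmlns:samlp="{NS['p']}" xmlns:saml="{NS['a']}"
      Destination="https://sp.example.test/acs">
      <saml:Assertion><saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
        <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
      </saml:Conditions><saml:AttributeStatement><saml:Attribute Name="email">
        <saml:AttributeValue>alice@example.test</saml:AttributeValue>
      </saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()
```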

Local demo

Run node demos/node/server.js, then open http://localhost:3000/saml/sp. This demo generates an unsigned SAMLResponse to illustrate the flow and how the response is decoded at the ACS.

Note: For production, enforce XML signature validation and certificate pinning. See README.