SAML 2.0
Status: Scaffold — content in progress
Security Assertion Markup Language 2.0 (SAML 2.0) is an XML-based federated identity protocol used for SSO between an Identity Provider (IdP) and Service Providers (SPs).
Roles
| Role | Description | Example |
|---|---|---|
| Identity Provider (IdP) | Authenticates the user and issues assertions | Entra ID, Okta, ADFS |
| Service Provider (SP) | Trusts the IdP, grants access based on assertion | Salesforce, AWS Console |
SP-Initiated vs IdP-Initiated Flow
SP-Initiated (most common):
- User accesses SP → redirect to IdP → authenticate → assertion returned → access granted
IdP-Initiated:
- User starts at IdP → chooses SP → assertion sent directly → access granted

IdP-initiated flow is weaker: the SP never issued a request, so there is no SP-generated request ID (InResponseTo) for it to validate, and it must accept unsolicited assertions.
SAML Assertion
An assertion is an XML document signed by the IdP:
```xml
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.corp.com/</saml:Issuer>
  <!-- ds:Signature over the assertion omitted for brevity -->
  <saml:Subject>
    <saml:NameID>jsmith@corp.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
```
Golden SAML
If an attacker obtains the IdP's SAML signing key, they can forge assertions for any user in any SP that trusts the IdP — without any authentication.
This is the cloud equivalent of a Golden Ticket.
Real-world example: The SolarWinds/SUNBURST campaign included Golden SAML to access Office 365 environments. [Assessed — reported by Microsoft, CrowdStrike, and Mandiant, corroborated across multiple reports]
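As an added example (not part of this page or any SAML library), the relying-party checks an SP applies to a Response carrying an assertion like the one above, written with the Python standard library; it assumes the SP's entityID is https://sp.example.com/ and that the assertion's XML signature has already been verified against the pinned IdP certificate. The InResponseTo check is what the SP-initiated flow gains over IdP-initiated. A Golden SAML assertion is signed with the genuine key and passes every check here, which is why the defence is protecting the signing key rather than anything the SP can validate.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_ISSUER = "https://idp.corp.com/"  # the IdP from the assertion above
SP_ENTITY_ID = "https://sp.example.com/"  # assumed entityID of this SP

def parse_ts(ts):
    """SAML timestamps are UTC xs:dateTime with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def validate_response(xml_text, outstanding_ids, now, allow_idp_initiated=False):
    """Return (True, NameID) or (False, reason). Assumes the assertion's XML-DSIG
    was already verified against the pinned IdP certificate by a SAML library."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    if assertion.findtext("saml:Issuer", namespaces=NS) != TRUSTED_ISSUER:
        return False, "untrusted issuer"
    # SP-initiated: the response must answer one of our own AuthnRequests, once.
    # IdP-initiated responses carry no InResponseTo, which is why that flow is weaker.
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        if not allow_idp_initiated:
            return False, "unsolicited response rejected"
    elif in_response_to not in outstanding_ids:
        return False, "InResponseTo matches no outstanding AuthnRequest"
    else:
        outstanding_ids.discard(in_response_to)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False, "missing validity window"
    if cond.get("NotBefore") and now < parse_ts(cond.get("NotBefore")):
        return False, "not yet valid"
    if now >= parse_ts(cond.get("NotOnOrAfter")):
        return False, "expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "audience mismatch"
    return True, assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

# Constructed sample response for testing; the ds:Signature element is omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42">
  <saml:Assertion ID="_a1"><saml:Issuer>https://idp.corp.com/</saml:Issuer>
    <saml:Subject><saml:NameID>jsmith@corp.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>"""
```

Calling `validate_response(SAMPLE_RESPONSE, {"_req42"}, parse_ts("2024-05-01T12:01:00Z"))` accepts the sample and consumes the request ID; the same call repeated, or the response with InResponseTo stripped, is rejected unless IdP-initiated flow is explicitly allowed.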
Cross-Links
| Topic | Link |
|---|---|
| Golden SAML Attack | golden-saml |
| Entra Overview | entra-overview |