惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Fortinet All Blogs
S
Secure Thoughts
月光博客
月光博客
美团技术团队
雷峰网
雷峰网
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
N
News and Events Feed by Topic
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Forbes - Security
Forbes - Security
W
WeLiveSecurity
P
Proofpoint News Feed
阮一峰的网络日志
阮一峰的网络日志
爱范儿
爱范儿
G
GRAHAM CLULEY
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
AI
AI
Last Week in AI
Last Week in AI
Google Online Security Blog
Google Online Security Blog
Schneier on Security
Schneier on Security
云风的 BLOG
云风的 BLOG
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Recent Announcements
Recent Announcements
Webroot Blog
Webroot Blog
T
Tor Project blog
Cisco Talos Blog
Cisco Talos Blog
N
News and Events Feed by Topic
罗磊的独立博客
The Register - Security
The Register - Security
Blog — PlanetScale
Blog — PlanetScale
T
Threat Research - Cisco Blogs
博客园 - 【当耐特】
Apple Machine Learning Research
Apple Machine Learning Research
人人都是产品经理
人人都是产品经理
T
The Exploit Database - CXSecurity.com
www.infosecurity-magazine.com
www.infosecurity-magazine.com
B
Blog
腾讯CDC
Microsoft Azure Blog
Microsoft Azure Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
H
Hacker News: Front Page
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Engineering at Meta
Engineering at Meta
Latest news
Latest news
IT之家
IT之家
D
DataBreaches.Net
博客园 - 司徒正美
N
Netflix TechBlog - Medium
V
V2EX
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知

Duende Software Official Site

Duende Software Duende Software Duende Software Duende Software Duende Software Duende Software Stop AI Bots from Wasting Your Server How Duende IdentityServer Filters Claims (And Why It Matters) Core vs Extended Protocols in Duende IdentityServer v8: What You Get and When You Need More Your IdentityServer v8 Upgrade Checklist: A Quick Pre-Flight Guide Setting Up SAML Single Sign-On in ASP.NET with Duende IdentityServer Your Identity, Your Terms: Duende's Modular Identity Infrastructure and v8.x Release Duende Spring Launch '26: Identity Infrastructure That Expands With You SAML and OpenID Connect (OIDC): Coexistence, Not Competition The Cost of NOT Implementing Financial-Grade Security Token Issuer Isolation: Why It Matters for Security and Compliance The Composable Identity Pattern: Build What You Need, Skip What You Don't Multi-Brand Identity: When Your Company Needs More Than One Face Post-Quantum Cryptography in .NET 10: A Practical Guide The field Keyword in C# 14: Write Less, Validate More The Real Cost of Build vs. Buy for Identity OAuth 2.1 Made Simple: The Only Flows You Need Beyond localhost: Multi-Instance ASP.NET Core Deployment with .NET 10 Harden Your .NET JSON Deserialization with System.Text.Json and JsonSerializerOptions.Strict ASP.NET Core Cookie Size Limits in Production: Causes and Fixes The Emergency Stop Button - Implementing Immediate Token Revocation in .NET 10 The 2025 OWASP Top 10 and IdentityServer Update Guidance for CVE-2026-40372 - ASP.NET Data Protection Why a Standard JWT Access Token Matters The Identity Governance Checklist You Wish You Had Six Months Ago The History and Future of SAML: Why a 20-Year-Old Protocol Still Matters The Cookie Apocalypse Already Happened Verify - Open Source Sponsorship Why Identity Is Infrastructure, Not a Feature Extending Duende IdentityServer Server-Side Sessions with Dynamic User Metadata Give Your AI Coding Assistant Duende Expertise with Agent Skills and MCP Server Triggering User Registration via OpenID Connect with Duende IdentityServer Improving .NET Security Code with C# 14 Property Extensions Developing Audit Logs with Duende IdentityServer Events Patch Releases: Addressing CVE-2026-26127 in Microsoft.BCL.Memory Client-Initiated Backchannel Authentication (CIBA) in ASP.NET Core 10 with Duende Identity Server Rate Limiting IdentityServer Endpoints It's Probably DNS - Can You Dig It? Security Lingo Explained: Encode vs Encrypt vs Hash Implementing Zero Trust with Resource Isolation Security Lingo Explained: JWT DPoP Security for .NET APIs with JwtBearer Extensions v1.0.0 Announcing the Duende IdentityServer4 Migration Analysis Tool BenchmarkDotNet - Open Source Sponsorship Security Lingo Explained: PAR Why Signing Key Rotation Matters in OpenID Connect and Duende IdentityServer Security Lingo Explained: OP Duende Year-End Review 2025 Security Lingo Explained: BCP Security Lingo Explained: DPoP Security Lingo Explained: Auth Secure frontend apps with the BFF Pattern Scaling with Duende IdentityServer, MCP, and AI Duende IdentityServer v7.4 is now available Duende BFFv4 is now available Securing OpenAPI and Swagger UI with OAuth in .NET 10 Building a Federation Gateway with Duende IdentityServer: Strategies and Considerations for Identity Orchestration
The 9 Components of SAML You Need to Know, Ranked by Importance
Khalid Abuhakmeh · 2026-05-26 · via Duende Software Official Site

SAML 2.0 has been an OASIS standard since 2005, and it still underpins federated single sign-on across enterprise, government, healthcare, and education. The specification is large, but the components that matter in practice are finite. Here are the nine you need to understand, ordered from most to least critical.

Assertion

The assertion is the most important artifact in SAML. It's an XML document that carries claims about a user from one party to another. Everything else in the protocol exists to create, transport, or validate assertions.

An assertion contains an Authentication Statement declaring that the user was authenticated, when, and how (password, MFA, certificate). It contains an Attribute Statement that carries user properties such as email, roles, group memberships, and department. And it contains Conditions that constrain where and when the assertion is valid: NotBefore and NotOnOrAfter set a time window (typically minutes), and AudienceRestriction limits which recipients can accept it.

The Identity Provider (IdP) signs the assertion. The Service Provider (SP) validates the signature before trusting anything inside. If you understand one thing about SAML, understand assertions.

Identity Provider (IdP)

The Identity Provider is the system that authenticates users and issues assertions. It's the authority, the entity that knows who you are and can prove it to others.

When a user needs to access a protected application, they log in to the IdP. Username and password, multi-factor authentication, smart cards: the authentication mechanism is the IdP's concern. After successful authentication, the IdP constructs a signed assertion and delivers it to the requesting application.

Think of the IdP as a passport office. It verifies your identity and issues a credential that other parties can trust.

Service Provider (SP)

The Service Provider is the application the user wants to access. It protects resources and relies on the IdP to authenticate users rather than managing credentials itself.

When an unauthenticated user arrives, the SP redirects them to the IdP with an AuthnRequest. After the IdP responds with an assertion, the SP validates the signature, checks the conditions, extracts identity and attributes, and establishes a local session. The SP never sees the user's password. It trusts the IdP because the two parties have established a federation agreement backed by exchanged metadata and certificates.

If the IdP is the passport office, the SP is the border checkpoint. It doesn't issue passports, but it knows how to read one.

Metadata

Metadata is an XML document that each party publishes describing its SAML capabilities: endpoints, supported bindings, and the certificates used for signing and encryption. Instead of manually exchanging configuration details, partners import each other's metadata to establish trust programmatically.

Metadata eliminates an entire class of misconfiguration errors. It's what makes federation scalable. Networks like InCommon (1,000+ organizations) and eduGAIN (10,000+ providers) would be impossible without machine-readable metadata. Non-negotiable for production.

Bindings

Bindings define how SAML messages physically travel between parties. The two most common are HTTP Redirect (the message is encoded into the URL query string) and HTTP POST (the message is submitted via a browser form). A third option, HTTP Artifact, sends a short reference token through the browser and resolves the full assertion over a back-channel SOAP call.

Your binding choice affects payload size limits, security properties, and user experience. HTTP Redirect has URL length constraints, making it unsuitable for large assertions. HTTP POST handles larger payloads. Artifact binding adds a back-channel verification step favored in high-security government environments.

Profiles

Profiles are the recipes that combine assertions, protocols, and bindings into specific use cases. They're the interoperability contracts that ensure your implementation works with everyone else's.

The Web Browser SSO Profile is the most important. It defines the exact sequence of redirects, requests, assertions, and validations for browser-based single sign-on. The Single Logout Profile coordinates logout across all SPs in a federation. The Enhanced Client or Proxy (ECP) Profile handles non-browser clients. Without following a profile, you can produce syntactically valid SAML that won't interoperate with anything.

Name Identifiers (NameID)

The NameID is how the IdP identifies the user within an assertion. SAML defines several formats: persistent (a stable, opaque identifier unique to each IdP-SP pair, good for privacy), transient (session-scoped, zero linkability between sessions), and emailAddress (human-readable but exposes the user's email).

The format matters more than developers expect. Persistent identifiers let the SP maintain a stable account mapping without knowing the user's real identity at the IdP. Transient identifiers are useful for anonymous access. Mismatched NameID expectations between IdP and SP are a common source of SSO failures.

RelayState

RelayState is an opaque parameter included in the AuthnRequest by the SP that survives the entire SSO round trip. It tells the SP where to redirect the user after authentication succeeds.

Without RelayState, users always land on the application's home page after SSO, rather than on the deep link they originally requested. It's a small mechanism — just a parameter bouncing through the redirect — but it's the difference between a frustrating experience and a seamless one. Every production SAML implementation uses it.

Single Logout (SLO)

Single Logout coordinates session termination across an entire federation. When a user logs out of one SP, the IdP sends LogoutRequests to every other SP where that user has an active session and collects responses.

SLO ranks last not because it's unimportant, but because it's complex and often deferred. A reliable SLO requires the IdP to track every active session across all SPs, and partial failures (one SP is down, another times out) create ambiguous states. Many deployments launch with local-only logout and add SLO later when compliance or security policy demands coordinated session termination.

In practice, SLO's biggest challenge is partial failure. If one SP in the federation is temporarily unreachable, does the logout succeed or fail? Browser-dependent front-channel logout introduces additional fragility: cookie settings, network interruptions, pop-up blockers, and timeout variance all affect reliability. Back-channel logout (sending server-to-server notifications) mitigates some of these issues but requires each SP to expose a logout endpoint. Most mature deployments implement back-channel logout as the primary mechanism and treat front-channel logout as a best-effort supplement.

Wrapping Up

These nine components cover the surface area that matters. Assertions carry the data. IdP and SP are the parties. Metadata establishes trust. Bindings handle transport. Profiles enforce interoperability. NameID, RelayState, and SLO handle the details that distinguish a proof of concept from a production deployment.

SAML's fundamentals haven't changed since 2005, and they won't need to. That's the mark of a well-designed standard.