jpskgc

Reputation: 777

Which items to verify in SAMLResponse for single sign-on (SSO)?

I"m going to make SSO function by SAML2.0.
And I'm searching what item to be verified in response & assertion of SAMLResponse.
But there is no clear answer and suggestion.

I just read 4.1.4.3 Message Processing Rules, but I'm not sure which items they are. https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

Thanks in advance.

Upvotes: 0

Views: 40

Answers (1)

codebrane

Reputation: 4620

You can use the SAML Response with Signed Assertion here to see what's in a typical one.

If you want someone to log in to your app using SAML, your app first has to satisfy itself that the user is who they claim to be. It does that by verifying the SignedInfo on the Response. It uses the public key of the IdP to do that. Your app is the SP and should know how to find the public key of the IdP, from its SAML metadata. You can use the Issuer to get the IdP's entityID. Then, in AudienceRestriction, make sure the Response is intended for your app.

Once the basic verification passes, you can use the AttributeStatement to create an account for the user. The Attributes you need for that are in there.

So it's essentially a two part process. In the first part, you make sure the Response is valid, comes from the expected IdP and is intended for your app.

The second part is using the Attributes to manage an account for the user in your app.

There are various refinements such as NotBefore and NotOnOrAfter for Attribute values but those are the basic steps.

Upvotes: 1
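The two-part process in this answer, as an added worked example (it is not part of the original post and not the code of any SAML library): part one checks Issuer, signature and AudienceRestriction plus the NotBefore/NotOnOrAfter window and the bearer SubjectConfirmationData (Recipient, InResponseTo, NotOnOrAfter) that the profile also requires, and only then does part two read the AttributeStatement. Everything here is standard-library Python (3.8+ for ET.canonicalize). Assumptions: the entityIDs, ACS URL, request ID and the sample response built by make_sample_response() are constructed for this example; the RSA verification of ds:SignatureValue is delegated to a callable you supply (in production that is xmlsec, signxml or python3-saml with the certificate from IdP metadata), while the Reference binding and the enveloped-signature DigestValue are checked in the code itself.

```python
import base64, copy, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
DS, ENVELOPED = "http://www.w3.org/2000/09/xmldsig#", "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
NS = {"samlp": SAMLP, "saml": SAML, "ds": DS}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
# Assumed for this example: a real SP reads IDP_ENTITY_ID and the signing certificate from IdP metadata.
IDP_ENTITY_ID, SP_ENTITY_ID = "https://idp.example.org/metadata", "https://sp.example.com/metadata"
ACS_URL, REQUEST_ID = "https://sp.example.com/saml/acs", "_req-42"  # REQUEST_ID: ID of the AuthnRequest we sent

class SamlError(Exception):
    pass

def _check_window(el, now, skew, what):
    """NotBefore / NotOnOrAfter on Conditions or SubjectConfirmationData, allowing clock skew."""
    ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # SAML xs:dateTime -> aware datetime
    if el.get("NotBefore") and now + skew < ts(el.get("NotBefore")):
        raise SamlError(what + " not yet valid")
    if el.get("NotOnOrAfter") and now - skew >= ts(el.get("NotOnOrAfter")):
        raise SamlError(what + " expired")

def _assertion_digest(assertion):
    """SHA-256 of the Assertion with its own ds:Signature removed (enveloped-signature transform) over
    ET's inclusive C14N; a real verifier applies the Reference's Transforms to the original DOM node."""
    node = copy.deepcopy(assertion)
    node.tail = None  # whitespace after </Assertion> is not part of the signed subtree
    c14n = ET.canonicalize(ET.tostring(node, encoding="unicode"), exclude_tags={f"{{{DS}}}Signature"})
    return base64.b64encode(hashlib.sha256(c14n.encode()).digest()).decode()

def verify_saml_response(xml, verify_signature, now=None, skew=timedelta(minutes=3)):
    """Return NameID and attributes, or raise SamlError.  verify_signature(signed_info_c14n: str,
    signature: bytes) -> bool does the RSA check with the IdP certificate (xmlsec, signxml, ...)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml)
    assertions = root.findall("saml:Assertion", NS)
    if root.tag != f"{{{SAMLP}}}Response" or len(assertions) != 1:
        raise SamlError("expected a samlp:Response carrying exactly one Assertion")
    a = assertions[0]
    # 1. Issuer of Response and Assertion must be the IdP whose key we hold.
    for el in (root.find("saml:Issuer", NS), a.find("saml:Issuer", NS)):
        if el is None or (el.text or "").strip() != IDP_ENTITY_ID:
            raise SamlError("untrusted Issuer")
    # 2. Signature: inside this Assertion, referencing its ID (blocks signature wrapping),
    #    enveloped transform, matching DigestValue, SignatureValue valid under the IdP key.
    sig = a.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        raise SamlError("Assertion unsigned or Signature references another element")
    if ENVELOPED not in {t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)}:
        raise SamlError("missing enveloped-signature transform")
    if ref.findtext("ds:DigestValue", "", NS).strip() != _assertion_digest(a):
        raise SamlError("DigestValue mismatch: Assertion was modified")
    signed_info = ET.canonicalize(ET.tostring(sig.find("ds:SignedInfo", NS), encoding="unicode"))
    if not verify_signature(signed_info, base64.b64decode(sig.findtext("ds:SignatureValue", "", NS))):
        raise SamlError("SignatureValue does not verify with the IdP key")
    # 3. Conditions: an AudienceRestriction naming our entityID, and the validity window.
    cond = a.find("saml:Conditions", NS)
    if cond is None or SP_ENTITY_ID not in {x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}:
        raise SamlError("Response not intended for this SP")
    _check_window(cond, now, skew, "Assertion")
    # 4. Bearer SubjectConfirmationData: our ACS URL, our request, not expired (replay protection).
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != REQUEST_ID:
        raise SamlError("SubjectConfirmationData not for this SP or not for our request")
    _check_window(scd, now, skew, "SubjectConfirmationData")
    # 5. Only now is the AttributeStatement safe to provision an account from.
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", None, NS), "attributes": attrs}

def make_sample_response(age_minutes=0, audience=SP_ENTITY_ID):
    """Constructed sample (not captured from any IdP), issued age_minutes ago and valid for 5 minutes,
    with a real DigestValue; SignatureValue is a placeholder because the stdlib has no RSA."""
    now = datetime.now(timezone.utc) - timedelta(minutes=age_minutes)
    t, nb, na = (d.strftime("%Y-%m-%dT%H:%M:%SZ") for d in (now, now - timedelta(minutes=1), now + timedelta(minutes=5)))
    xml = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_r1" Version="2.0"
  IssueInstant="{t}" Destination="{ACS_URL}" InResponseTo="{REQUEST_ID}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{t}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"><ds:Transforms><ds:Transform Algorithm="{ENVELOPED}"/>
    </ds:Transforms><ds:DigestValue>TBD</ds:DigestValue></ds:Reference></ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
        Recipient="{ACS_URL}" InResponseTo="{REQUEST_ID}" NotOnOrAfter="{na}"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="mail"><saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
    root = ET.fromstring(xml)
    root.find(".//ds:DigestValue", NS).text = _assertion_digest(root.find("saml:Assertion", NS))
    return ET.tostring(root, encoding="unicode")

def check(xml, verify_signature=lambda signed_info, signature: True):
    """Run all checks; return the attributes on success or the failure reason as a string."""
    try:
        return verify_saml_response(xml, verify_signature)["attributes"]
    except SamlError as e:
        return str(e)
```

Calling check(make_sample_response()) returns the mail attribute; editing any byte of the Assertion (for example the NameID), pointing the Reference URI at the Response instead of the Assertion, issuing the sample for another audience, or issuing it an hour ago each returns the matching failure reason instead. The order matters: nothing from the Assertion is used for the account until Issuer, signature, audience and time window have passed, and the Reference URI check is what stops a signed assertion from being wrapped around an unsigned one. Two things a production SP must still do beyond this sample: obtain the IdP certificate from its metadata and honour the CanonicalizationMethod and Transforms declared in SignedInfo when recomputing the digest (this example applies ET's inclusive C14N to a re-serialized subtree, which matches its own self-signed sample but not every IdP's output), and reject a reused InResponseTo or assertion ID.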
