SAML Login Demo (Real Flow)
Below is a real, clickable SAML 2.0 Web Browser SSO demo, with the Identity Provider being this site's Mock SAML IdP. After selecting a test user:
- The demo SP generates an
AuthnRequest(with uniqueID); - Browser requests Mock IdP, IdP verifies the user (in the demo, directly specifying alice / bob, skipping the user selection page) and issues a signed SAML Response;
- This page decodes base64, extracts the signed
ResponseXML; - Validates item by item:
StatusCode,InResponseTo(associated with AuthnRequest),Audience,Conditionstime window, and verifies the signature using the assertion's embedded certificate's public key (RSA-SHA256); - Reads
NameIDand attributes from the assertion.
What This Demo Shows
- Signed assertion: IdP uses private key to sign the assertion, SP uses IdP certificate to verify, ensuring the assertion is unmodified and truly from the trusted IdP.
InResponseToassociation: The returned Response associates with theIDof the originalAuthnRequest, preventing assertion misattribution or replay (analogous to OIDC'sstate).Audiencerestriction: The assertion declares it is only valid for this SP (entityID); other SPs cannot reuse it.Conditionstime window:NotBefore/NotOnOrAfterrestrict the assertion's validity period.
About Signature Verification
In real systems, SAML signature verification is performed by the SP server, requiring XML canonicalization (exc-c14n). This demo verifies the SignedInfo's RSA-SHA256 signature in the browser; complete verification also requires comparing DigestValue and certificate trust chain—this site's Mock SP console used industry library xml-crypto for authoritative server-side verification.
For the equivalent OIDC flow, see OIDC Login Demo.