مُفكك ردود SAML

SAML (Security Assertion Markup Language) is an XML-based open standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). The IdP authenticates the user, then issues a signed XML assertion that the SP trusts to grant access — enabling Single Sign-On across independent web applications.

A SAML Response is the outer envelope sent from the IdP to the SP and includes protocol-level metadata such as Status, Destination and InResponseTo. The SAML Assertion is the payload inside that response — it carries the actual identity claims: NameID, AuthnStatement, Conditions and AttributeStatement. A response can wrap one or more assertions.

NotBefore and NotOnOrAfter are time-window attributes inside the Conditions element that define when an assertion is valid. The SP must reject any assertion presented before NotBefore or at/after NotOnOrAfter. The window is usually only a few minutes wide to limit replay attacks, which is why clock skew between IdP and SP is a common cause of SAML failures.

AudienceRestriction names the intended Service Provider (the SP's entity ID) for the assertion. The SP must reject assertions whose Audience does not match its own configured entity ID. This binding prevents an assertion issued for one application from being replayed against another — even if both trust the same IdP.

HTTP-Redirect places the SAML message in a URL query string, so it must be DEFLATE-compressed and base64-encoded to fit. It is typically used for AuthnRequests sent from SP to IdP. HTTP-POST submits the message as a hidden form field, which has no size limit and does not require compression — it is the binding used for the SAML response back from IdP to SP.