SAML 2.0 Overview

1. What is SAML?

Security Assertion Markup Language (SAML) 2.0 is an XML-based standard for exchanging authentication and authorization data between parties.

2. Key Components

Component                Description
Identity Provider (IdP)  Authenticates users and issues SAML assertions. Examples: Keycloak, Azure AD, Okta.
Service Provider (SP)    Consumes SAML assertions to grant access. Examples: Cisco ISE, web applications.
Assertion                XML document containing authentication statements, signed by the IdP.
Metadata                 XML document describing IdP/SP endpoints, certificates, and capabilities.

3. Authentication Flow

[Diagram: SAML authentication flow]

4. SAML Assertion Structure

A SAML assertion contains:

<saml:Assertion>
  <saml:Issuer>https://keycloak.example.com/realms/myrealm</saml:Issuer>

  <saml:Subject>
    <saml:NameID>username</saml:NameID>
  </saml:Subject>

  <saml:Conditions NotBefore="..." NotOnOrAfter="...">
    <saml:AudienceRestriction>
      <saml:Audience>http://CiscoISE/uuid</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>

  <saml:AuthnStatement>
    <!-- Authentication context -->
  </saml:AuthnStatement>

  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>admin-group</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>

5. Key Concepts

5.1. Entity ID

A unique identifier for each SAML participant. It can be a URL or a URN.

IdP Entity ID example:

https://keycloak-01.inside.domusdigitalis.dev:8443/realms/domusdigitalis

SP Entity ID example (Cisco ISE):

http://CiscoISE/a486c6ef-6c77-4bc1-bf6d-4e479b3aeae8

Cisco ISE uses a non-standard Entity ID format (http://CiscoISE/<UUID>), not the ISE FQDN. Always export the ISE SP metadata to obtain the correct Entity ID.

5.2. Assertion Consumer Service (ACS)

The SP endpoint that receives SAML assertions from the IdP.

ISE ACS URL:

https://ise-01.inside.domusdigitalis.dev:8443/portal/SSOLoginResponse.action

5.3. Metadata

XML documents describing SAML endpoints and certificates:

IdP Metadata URL (Keycloak):

https://keycloak-01.inside.domusdigitalis.dev:8443/realms/domusdigitalis/protocol/saml/descriptor

5.4. Bindings

How SAML messages are transmitted:

Binding        Usage
HTTP-Redirect  AuthnRequest (SP → IdP)
HTTP-POST      Response/Assertion (IdP → SP)

6. Security Considerations

6.1. Signature Validation

  • The IdP signs assertions with its private key

  • The SP validates the signature using the IdP's public key (taken from the IdP metadata)

  • Prevents assertion forgery

6.2. Time Skew

  • Assertions carry NotBefore and NotOnOrAfter timestamps

  • The SP must reject assertions outside this validity window

  • Clock synchronization (NTP) between IdP and SP is critical

6.3. Audience Restriction

  • Assertions are scoped to a specific SP Entity ID via the Audience element

  • Prevents an assertion issued for one SP from being replayed to another SP
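The issuer, validity-window and audience checks from 6.1 to 6.3, as an added Python example that is not part of this page or of Cisco ISE or Keycloak. It assumes the assertion's XML signature has already been verified with an XML-DSig library, and uses a constructed sample assertion with a placeholder ISE UUID.

```python
"""SP-side checks applied to a SAML assertion AFTER its XML signature has
been verified (constructed example; not Cisco ISE or Keycloak code)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml in production parsers

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP_ENTITY_ID = "https://keycloak.example.com/realms/myrealm"
SP_ENTITY_ID = "http://CiscoISE/00000000-0000-0000-0000-000000000000"  # placeholder UUID

# Constructed sample assertion mirroring the structure shown in section 4.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://keycloak.example.com/realms/myrealm</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>http://CiscoISE/00000000-0000-0000-0000-000000000000</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups"><saml:AttributeValue>admin-group</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_ts(value):
    """SAML timestamps are UTC xs:dateTime values such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, sp_entity_id, now, skew=timedelta(seconds=60)):
    """Return (ok, reason, attributes). Rejects on the first failed check."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "issuer mismatch", {}
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", {}
    # Validity window with a small tolerance for IdP/SP clock skew (6.2).
    if now + skew < parse_ts(cond.get("NotBefore")):
        return False, "assertion not yet valid", {}
    if now - skew >= parse_ts(cond.get("NotOnOrAfter")):  # NotOnOrAfter is exclusive
        return False, "assertion expired", {}
    # Audience restriction: the assertion must name THIS SP's Entity ID (6.3).
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "audience mismatch", {}
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return True, "ok", attrs
```

Only once every check passes should the SP map the returned attributes (such as groups) to local authorization.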

7. SAML vs OIDC

Aspect      SAML 2.0                  OpenID Connect
Format      XML                       JSON/JWT
Transport   HTTP-Redirect, HTTP-POST  HTTP-Redirect, JSON APIs
Use Case    Enterprise SSO            Modern web/mobile apps
Complexity  Higher                    Lower
Token Size  Larger (XML)              Smaller (JWT)

When to use SAML:

  • Legacy enterprise applications (Cisco ISE)

  • Applications that only support SAML

When to use OIDC:

  • Modern applications (Gitea, custom apps)

  • Mobile applications

  • API access