SSO and SAML Implementation Guide: Enterprise Single Sign-On

SAML 2.0 is an XML-based authentication and authorization protocol. Understanding its components is required to configure it correctly and securely.

Core components:

• Identity Provider (IdP): Authenticates the user and issues SAML assertions. Examples: Okta, Microsoft Entra ID (Azure AD), Google Workspace, OneLogin, PingFederate, Keycloak
• Service Provider (SP): The application relying on the IdP for authentication. Examples: Salesforce, Workday, GitHub Enterprise, your internal apps
• SAML Assertion: An XML document issued by the IdP, signed with the IdP's private key, containing the user's identity and attributes
• Metadata: XML documents exchanged between IdP and SP describing endpoints, certificates, and capabilities

SAML 2.0 assertion structure:

<saml:Assertion>
  <saml:Issuer>https://idp.yourdomain.com</saml:Issuer>
  <ds:Signature><!-- IdP digital signature over assertion --></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="emailAddress">user@yourdomain.com</saml:NameID>
    <saml:SubjectConfirmation Method="bearer">
      <saml:SubjectConfirmationData
        Recipient="https://app.example.com/saml/acs"
        NotOnOrAfter="2026-05-20T10:15:00Z"
        InResponseTo="_requestID123"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions
    NotBefore="2026-05-20T10:05:00Z"
    NotOnOrAfter="2026-05-20T10:15:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>user@yourdomain.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>engineering</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>

SP-initiated vs. IdP-initiated flow:

Prefer SP-initiated flow for all applications where possible. IdP-initiated flows cannot validate the InResponseTo attribute, which is a CSRF mitigation.

SAML's most serious vulnerabilities stem from incorrect XML signature validation. These bugs have affected Okta, Duo, GitHub, and many other major platforms historically.

Critical signature validation requirements:

The SP must validate ALL of the following before trusting a SAML assertion:

1. Signature exists -- reject assertions without a signature
2. Signature is over the correct element -- the signature must cover the <Assertion> element (or the entire <Response>); a signature over only part of the XML does not protect the assertion content
3. Signature uses a trusted key -- the signing certificate must be the IdP's registered certificate; reject if the SP resolves the key from a URL in the assertion (XML Signature Remote Code Execution pattern)
4. Issuer matches -- the <Issuer> value must match the registered IdP entity ID exactly
5. Audience matches -- the <Audience> must match the SP's entity ID exactly; this prevents an assertion issued for one SP from being replayed against another
6. NotOnOrAfter is valid -- the assertion has not expired; reject assertions older than a few minutes
7. InResponseTo matches -- for SP-initiated flows, the InResponseTo must match a RequestID the SP actually sent
8. Recipient matches -- the <Recipient> in SubjectConfirmationData must be the SP's ACS URL

XML Signature Wrapping (XSW) attacks:

XSW is a class of attacks where an attacker modifies the XML document structure to make a legitimate signature appear to cover attacker-controlled content. There are 8+ documented XSW variants. All exploit the same flaw: the SP validates the signature over one XML node, then processes a different XML node.

Example XSW:

<saml:Response>
  <!-- Attacker's unsigned assertion (processed by vulnerable SP) -->
  <saml:Assertion ID="attacker_assertion">
    <saml:NameID>admin@victim.com</saml:NameID>
    ...
  </saml:Assertion>
  <!-- Legitimate signed assertion (signature validates) -->
  <saml:Assertion ID="legit_assertion">
    <ds:Signature><!-- Valid signature over this assertion --></ds:Signature>
    <saml:NameID>attacker@evil.com</saml:NameID>
    ...
  </saml:Assertion>
</saml:Response>

A vulnerable SP validates the signature on the second assertion but processes the first (unsigned) assertion, authenticating the attacker as admin@victim.com.

Defense: Use a SAML library that correctly implements XML signature validation -- do not write your own. Major libraries: python-saml (OneLogin), ruby-saml, passport-saml, spring-security-saml, and Microsoft's .NET SAML implementations. Keep them patched -- XSW vulnerabilities are periodically discovered.

SAML assertion replay:

An attacker who intercepts a SAML assertion (via network interception, log exposure, or XSS) can replay it within its validity window. Defenses: short NotOnOrAfter window (5 minutes maximum), SP-side assertion ID tracking to reject replayed IDs, HTTPS-only transmission of assertions.

The Identity Provider choice determines your SSO capabilities, integration options, and operational model.

IdP comparison for enterprise SSO:

Critical IdP configuration settings:

Session lifetime:

Step-up authentication:

Configure MFA step-up for sensitive applications -- users may have an IdP session but must re-authenticate with MFA to access high-risk apps:

• Finance/payroll applications
• Admin consoles
• Customer data systems
• Source code repositories

Okta: Policies > Authentication Policies > [App Policy] > Require additional factor Entra ID: Conditional Access > Named Locations + MFA required for specific apps

SAML attribute mapping:

Define what attributes the IdP sends in assertions. At minimum:

• email or NameID -- user identifier
• groups or roles -- group membership for authorization at the SP
• displayName -- friendly name for UI display

Avoid sending attributes the SP does not need -- principle of data minimization applies to SAML assertions.

SSO handles authentication; user provisioning is a separate concern. There are two approaches to creating user accounts in connected applications.

Just-in-Time (JIT) provisioning:

When a user authenticates via SAML for the first time, the SP creates their account based on attributes in the SAML assertion. No pre-provisioning step required.

Advantages: simple to configure; accounts are created on first login; always in sync with IdP at login time.

Disadvantages: accounts persist in the SP even when the user is removed from the IdP (they just cannot log in); groups/roles are only synced at login; deprovisioning requires manual cleanup or separate automation.

SCIM (System for Cross-domain Identity Management):

SCIM is a REST API standard (RFC 7644) for automated user lifecycle management. The IdP pushes user creates, updates, and deletes to the SP in real time.

Benefits over JIT:

• Users are deprovisioned in the SP immediately when removed from the IdP
• Group membership is synced continuously, not just at login
• Users can be provisioned before their first login (manager can pre-set up access)

SCIM 2.0 endpoints:

• POST /Users -- create user
• PUT /Users/{id} -- replace user (full update)
• PATCH /Users/{id} -- partial update (disable user, update group)
• DELETE /Users/{id} -- deprovision

Most major IdPs (Okta, Entra ID, Ping) and SaaS applications (Salesforce, Workday, Slack, GitHub) support SCIM 2.0. Use SCIM wherever the SP supports it; fall back to JIT only when SCIM is unavailable.

Deprovisioning gap with JIT-only:

The most common access control failure in SSO implementations is the deprovisioning gap: a user is terminated and removed from the IdP, but their accounts persist in every application provisioned via JIT. An attacker who compromises the terminated employee's email (during the password reset window) or a PAM tool holding the session may still access these applications. SCIM closes this gap -- IdP deletion propagates to all SCIM-connected applications within seconds.

Modern applications increasingly support OIDC instead of (or alongside) SAML. Understanding the trade-offs determines which protocol to deploy.

Protocol comparison:

Guidance:

• Use OIDC for: new applications, mobile apps, SPAs, APIs, microservices
• Use SAML for: legacy enterprise apps that only support SAML (Salesforce classic, older ERP systems), existing SAML integrations that work correctly, apps where SAML is the only supported protocol
• OIDC front-channel + SAML back-end: Many modern IdPs support OIDC-to-SAML translation -- your application speaks OIDC to the IdP, which speaks SAML to legacy SPs. This lets you modernize client-side without rearchitecting legacy SP integrations.

OIDC security considerations:

The OIDC security requirements are the same as OAuth 2.0 (covered in the OAuth/OIDC security guide):

• Enforce PKCE for all clients
• Validate ID token: iss, aud, exp, nonce
• Use state parameter to prevent CSRF
• Exact redirect_uri matching
• Short-lived access tokens + refresh token rotation

Session management is the most frequently overlooked aspect of SSO implementations.

Single Logout (SLO):

SAML Single Logout propagates a logout from one SP (or the IdP) to all connected SPs in the federation. Without SLO, logging out of one application leaves active sessions in all others -- an attacker who steals a session cookie for one app cannot pivot to others, but the user's sessions remain live and accessible to anyone with the cookie.

Implementing SLO correctly:

IdP-initiated SLO flow:
1. User clicks "Sign Out" in IdP dashboard
2. IdP sends LogoutRequest to each SP via SOAP back-channel or HTTP redirect
3. Each SP invalidates the session for this user
4. IdP sends LogoutResponse to the original SP
5. User is redirected to logout confirmation page

SP-initiated SLO: user logs out of an SP, SP sends LogoutRequest to IdP, IdP propagates to other SPs.

Most organizations do not implement SLO correctly -- they handle logout at the SP level only (invalidating the SP session) but leave the IdP session alive. The user can immediately re-authenticate without MFA.

Session timeout alignment:

SSO session lifetimes must be shorter than or equal to the IdP session lifetime. If the IdP session is 8 hours but the SP session is 24 hours, users can access the SP for 24 hours without re-authenticating with the IdP -- defeating the purpose of centralized session control.

Set SP session timeouts to trigger re-authentication with the IdP:

• Standard apps: 8 hours (align with work day)
• High-security apps: 1-2 hours with silent re-auth where possible

Session revocation for account compromise:

When an account is suspected compromised, administrators must be able to:

1. Terminate the IdP session immediately (Admin Console > Users > [User] > Revoke all sessions)
2. Propagate revocation to all connected SPs (via SCIM disable or SAML SLO)
3. Reset MFA enrollments and recovery options

Document and test this workflow before it is needed. In an active compromise, speed matters.