Cheat sheet · printable · CC BY 4.0

SAML 2.0 Response — cheat sheet

Every element in a SAML response, what it means, and what to check before trusting it.


askmeidentity · SAML Response · 2026-05-22


A printable cheat sheet decoding the structure of a SAML 2.0 Response: every element and attribute, and what the Service Provider (SP) must validate before trusting any of it.

Response envelope

Element           | Role                          | What to know
<samlp:Response>  | root element                  | attributes ID, Version="2.0", IssueInstant, Destination (required when the Response is signed), InResponseTo (present in SP-initiated flows)
<saml:Issuer>     | IdP EntityID (optional here)  | must match the IdP configured for this SP
<ds:Signature>    | optional                      | signs the whole Response (recommended); the Assertion may be signed instead of, or in addition to, the Response
<samlp:Status>    | status code                   | urn:oasis:names:tc:SAML:2.0:status:Success; on any other value stop, there is no assertion to trust
<saml:Assertion>  | the authentication assertion  | one per successful login in practice (the schema allows several); may arrive as <saml:EncryptedAssertion>, which the SP decrypts and then validates exactly like a plain Assertion

Assertion structure

Element                    | Role                      | What to know
<saml:Issuer>              | IdP EntityID (required)   | repeated inside the Assertion; must match the Response Issuer and the configured IdP
<ds:Signature>             | recommended               | signs the Assertion; the SP must see a valid IdP signature on the Assertion or on the enclosing Response, never neither
<saml:Subject>             | who they are              | NameID + SubjectConfirmation (Method bearer for Web SSO) carrying Recipient, InResponseTo and NotOnOrAfter
<saml:Conditions>          | when valid                | NotBefore, NotOnOrAfter (exclusive), AudienceRestriction/Audience
<saml:AuthnStatement>      | how they authenticated    | AuthnInstant, SessionIndex, AuthnContext/AuthnContextClassRef
<saml:AttributeStatement>  | attributes about them     | email, groups, custom attributes; only act on them after every check below has passed

SP must validate (every time)

  • Status: StatusCode Value is urn:oasis:names:tc:SAML:2.0:status:Success; on anything else stop and do not parse the Assertion
  • Signature on the Assertion (or on the Response) verifies with the IdP signing certificate pinned from configured metadata; never trust a certificate carried in the message's own KeyInfo, and never treat "no signature present" as "nothing to verify"
  • The signed element is the element you consume: exactly one Assertion, the Signature's Reference URI points at that Assertion's ID, and nothing outside the verified element is read (this is the XML Signature Wrapping check)
  • IssueInstant (Response and Assertion) within clock skew (±5 minutes typical)
  • Conditions/NotBefore ≤ now < Conditions/NotOnOrAfter, allowing the same skew (NotOnOrAfter is exclusive)
  • AudienceRestriction/Audience contains the SP EntityID
  • SubjectConfirmation Method is bearer and SubjectConfirmationData/Recipient matches the SP ACS URL; Response/@Destination, when present, must match it too
  • InResponseTo (on the Response and in SubjectConfirmationData) matches an AuthnRequest ID this SP issued and has not yet consumed; accept unsolicited responses only if IdP-initiated SSO is explicitly enabled
  • NameID Format matches the configured format
  • Replay: the assertion ID has not been seen before; keep seen IDs cached until their NotOnOrAfter plus skew
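The list above as running code, written for this cheat sheet as an added example (it is not askmeidentity's code or any library's). The one thing stdlib Python cannot do is verify the XML signature, so the function assumes a real XML-DSig library (xmlsec, signxml) has already verified it and reported the ID of the element it verified; every other item on the list is checked, and the replay cache, audience, recipient and wrapping checks also cover the attack vectors listed further down. The SP/IdP identifiers, URLs and the sample Response are assumed or constructed values.

```python
"""Post-signature checks on a SAML 2.0 Response. Added example, not the cheat sheet's own code.
Assumes a real XML-DSig library (xmlsec or signxml, not stdlib) has ALREADY verified the IdP
signature and reported the ID of the element it verified; the other "SP must validate" items
are checked here. xml.etree keeps the block self-contained (use defusedxml in production).
SP/IdP identifiers, URLs and the sample Response are assumed or constructed values."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"  # hypothetical SP configuration
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.org/idp"
SKEW = timedelta(minutes=5)
NOW = datetime(2026, 5, 22, 12, 0, tzinfo=timezone.utc)  # frozen clock for the sample

class SamlError(Exception):
    pass

def _ts(value):  # xs:dateTime "2026-05-22T12:00:00Z" -> aware datetime
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _one(parent, path):  # exactly one match; zero or several is rejected (wrapping red flag)
    found = parent.findall(path, NS)
    if len(found) != 1:
        raise SamlError(f"expected exactly one {path}, found {len(found)}")
    return found[0]

def _check(ok, msg):
    if not ok:
        raise SamlError(msg)

def validate_response(xml, request_id, verified_id, replay_cache, now=NOW):
    """Return the NameID when every check passes, else raise SamlError.
    request_id: ID of the AuthnRequest this SP issued (None = unsolicited, rejected here).
    verified_id: ID of the element whose signature the DSig library verified.
    replay_cache: dict {assertion ID: NotOnOrAfter} shared across all logins."""
    root = ET.fromstring(xml)
    _check(root.tag == f"{{{NS['samlp']}}}Response" and root.get("Version") == "2.0",
           "not a SAML 2.0 samlp:Response")
    _check(_one(root, "samlp:Status/samlp:StatusCode").get("Value") == SUCCESS, "status is not Success")
    _check(root.get("Destination") in (None, SP_ACS_URL), "Destination is not our ACS URL")
    _check(request_id is not None and root.get("InResponseTo") == request_id,
           "InResponseTo does not match an outstanding AuthnRequest")
    _check(_one(root, "saml:Issuer").text == IDP_ENTITY_ID, "unexpected Response Issuer")
    assertion = _one(root, "saml:Assertion")
    # Consume only the element the signature covers; anything else is signature wrapping.
    _check(assertion.get("ID") == verified_id, "signed element is not the consumed Assertion")
    _check(_one(assertion, "saml:Issuer").text == IDP_ENTITY_ID, "unexpected Assertion Issuer")
    for el in (root, assertion):
        _check(abs(now - _ts(el.get("IssueInstant"))) <= SKEW, "IssueInstant outside clock skew")
    cond = _one(assertion, "saml:Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    _check(nb is None or _ts(nb) <= now + SKEW, "assertion not yet valid")
    _check(noa is not None and now - SKEW < _ts(noa), "assertion expired or lacks NotOnOrAfter")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    _check(SP_ENTITY_ID in audiences, "AudienceRestriction does not name this SP")
    sc = _one(assertion, "saml:Subject/saml:SubjectConfirmation")
    _check(sc.get("Method") == BEARER, "SubjectConfirmation Method is not bearer")
    scd = _one(sc, "saml:SubjectConfirmationData")
    _check(scd.get("Recipient") == SP_ACS_URL, "Recipient is not our ACS URL")
    _check(scd.get("InResponseTo") == request_id, "SubjectConfirmationData/InResponseTo mismatch")
    nameid = _one(assertion, "saml:Subject/saml:NameID")
    _check(nameid.get("Format") == EMAIL_FORMAT, "NameID Format is not the configured format")
    # Replay: an ID stays cached until the assertion could no longer be valid anyway.
    for aid in [k for k, exp in replay_cache.items() if exp + SKEW <= now]:
        del replay_cache[aid]
    _check(assertion.get("ID") not in replay_cache, "assertion replayed")
    replay_cache[assertion.get("ID")] = _ts(noa)
    return nameid.text

def why_rejected(*args):  # rejection message, or None when accepted
    try:
        validate_response(*args)
    except SamlError as e:
        return str(e)

def sample_response(audience=SP_ENTITY_ID, not_on_or_after="2026-05-22T12:04:30Z"):
    """Constructed sample Response; ds:Signature omitted, see module docstring."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0"
  IssueInstant="2026-05-22T11:59:30Z" Destination="{SP_ACS_URL}" InResponseTo="_req42">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1b2c3" Version="2.0" IssueInstant="2026-05-22T11:59:30Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="_req42" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2026-05-22T11:59:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

`validate_response(sample_response(), "_req42", "_a1b2c3", cache)` returns `alice@example.com`; calling it again with the same cache, or with a foreign audience, an expired NotOnOrAfter, a `verified_id` that is not the consumed Assertion, or no outstanding request ID, raises `SamlError` with the failing check named. Order matters: the status and signature-scope checks come first, so nothing inside an unverified or failed response is ever interpreted.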

Common AuthnContextClassRef values

Name                        | URI                                                                | Typical meaning
PasswordProtectedTransport  | urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport  | password sent over TLS
MobileTwoFactorContract     | urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract     | two-factor on a registered mobile device (OTP / push); the SAML 2.0 authentication context spec defines no generic "MFA" class, so match the exact URI your IdP emits
X509                        | urn:oasis:names:tc:SAML:2.0:ac:classes:X509                        | certificate-based
SmartcardPKI                | urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI                | smartcard / PIV
unspecified                 | urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified                 | IdP did not say how the user authenticated; treat as the lowest assurance level

Common attack vectors

  • XML Signature Wrapping: the attacker keeps the signed (still valid) Assertion in the document but relocates it, and places a forged, unsigned Assertion where a naive "first Assertion" or XPath lookup will find it. Defence: consume only the element the signature verification actually covered.
  • Comment injection in NameID: a comment inserted into the NameID text (pattern: user@example.com<!---->.evil.com) splits it into two text nodes, so an SP that reads only the first node matches the wrong identity; the signature survives because exclusive canonicalization without comments strips the comment before digesting. Defence: reject comments inside the Assertion or use the complete text content.
  • Assertion replay: the same assertion is submitted twice; mitigated by the replay cache keyed on assertion ID.
  • Audience confusion: an assertion issued for one SP is submitted to another SP that trusts the same IdP; mitigated by the AudienceRestriction and Recipient checks.
  • Signature stripping: Response unsigned and Assertion unsigned; an SP whose verifier treats "no signature" as "nothing to verify" accepts the forgery. Require an IdP signature unconditionally.
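The comment-injection bullet above, demonstrated on a constructed payload. This is an added example, not code from askmeidentity or from any SAML library: it shows the vulnerable first-text-node read, the full-text read that recovers what the IdP actually asserted, and a hardened extractor that rejects any non-text node inside NameID. The account names and the NameID fragments are made up.

```python
"""NameID comment injection: vulnerable vs hardened extraction (added example, not the
cheat sheet's own code). A comment inside <saml:NameID> splits the text content into two
text nodes; an SP that reads only the first node sees a different identity than the IdP
asserted, while the signature still verifies because exclusive canonicalization drops
comments before digesting. Comments are kept on parsing so the split is visible; the
payload and account names are constructed."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed payload. The attacker legitimately owns alice@example.com.evil.test at the
# IdP and inserts the comment in transit; a first-text-node reader logs in as alice@example.com.
INJECTED = f'<saml:NameID xmlns:saml="{SAML}">alice@example.com<!--x-->.evil.test</saml:NameID>'
CLEAN = f'<saml:NameID xmlns:saml="{SAML}">alice@example.com</saml:NameID>'


def parse_keeping_comments(xml):
    """xml.etree drops comments by default; keeping them mirrors DOM-based SAML libraries."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml, parser=parser)


def nameid_vulnerable(xml):
    """Reads only the first text node, the pattern the attack targets."""
    return parse_keeping_comments(xml).text


def nameid_full_text(xml):
    """Joins every text node in order (the element's text, then each child's tail),
    recovering the identifier the IdP actually asserted."""
    el = parse_keeping_comments(xml)
    return (el.text or "") + "".join(child.tail or "" for child in el)


def nameid_hardened(xml):
    """A NameID is a plain string: reject any child node (comment, PI, element) outright
    rather than guessing what other parsers in the chain would have seen."""
    el = parse_keeping_comments(xml)
    if len(el) != 0:
        raise ValueError("NameID contains non-text nodes")
    return el.text or ""
```

`nameid_vulnerable(INJECTED)` returns `alice@example.com` while `nameid_full_text(INJECTED)` returns `alice@example.com.evil.test`; `nameid_hardened` accepts `CLEAN` and raises on `INJECTED`. Rejecting outright is preferable to joining, because joining still leaves the SP guessing whether every other component in the chain (the DSig library, a downstream attribute mapper) saw the same string.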
askmeidentity.com · CC BY 4.0 · Reviewed 2026-05-22