SAML is complex to implement from scratch. In this lab, you will use SimpleSAMLphp to deploy both an Identity Provider (IdP) and a Service Provider (SP) on a single server, allowing you to analyze the XML assertions in real time.
First, install the required PHP dependencies and the SimpleSAMLphp library. Configure two virtual hosts: `idp.lab.local` and `sp.lab.local`.
💡 The most critical part of this lab is metadata exchange. SSO cannot function unless both parties know each other's public keys and endpoints.
Navigate to the IdP administration panel, export the metadata XML, and import it into the SP. Then export the SP metadata and import it into the IdP.
```xml
<!-- Example Metadata Snippet -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://idp.lab.local/simplesaml/saml2/idp/metadata.php">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- A KeyDescriptor use="signing" carrying the IdP's X.509 certificate also belongs here (omitted) -->
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://idp.lab.local/simplesaml/sso" />
  </IDPSSODescriptor>
</EntityDescriptor>
```

This metadata exchange tells the SP where to send users for authentication and how to verify assertions signed by the IdP.
After authenticating at the IdP, you will be redirected back to the SP. Use your browser's developer tools to inspect the POST request containing the `SAMLResponse`.
| Step | Action | XML Element to Watch |
|---|---|---|
| Initiation | User visits SP | SAMLRequest |
| Authentication | User logs into IdP | None (Internal Process) |
| Assertion | IdP POSTs to SP | SAMLResponse / Assertion |
| Session | SP creates session cookie | Subject / NameID |
Using a proxy tool, intercept the `SAMLResponse` before it reaches the SP. Decode the response and inspect the assertion structure. Observe how signature validation protects the integrity of the message.
A properly configured Service Provider must reject assertions whose signed content has been altered. Signature validation is a critical security control in SAML.
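The decode-and-inspect step above, as an added Python helper that is not part of the lab or of SimpleSAMLphp: it base64-decodes a POSTed `SAMLResponse`, pulls out the fields an SP must check, and reports the policy failures an SP should reject on (unsigned assertion, signature `Reference` pointing at a different element, wrong audience, expired assertion). The sample response, the SP entityID `https://sp.lab.local/sp`, the user `alice` and the timestamps are constructed; the helper inspects structure only and does not replace XML-DSig verification of the signature itself.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample (not captured from a real IdP); SignatureValue omitted for brevity.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Issuer>https://idp.lab.local/simplesaml/saml2/idp/metadata.php</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
  </ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.lab.local/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
# Constructed variant whose signature Reference names a different element than the assertion
MISREFERENCED_B64 = base64.b64encode(SAMPLE_XML.replace('URI="#_a1"', 'URI="#_x"').encode()).decode()

def inspect_response(saml_response_b64):
    # Decode the POSTed SAMLResponse and extract the fields the SP must check
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    a = root.find("saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS)
    sig = a.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience": cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "not_on_or_after": cond.get("NotOnOrAfter"),
        "signed": sig is not None,
        # Reference URI must name this assertion's ID, else the signature covers another element
        "reference_ok": ref is not None and ref.get("URI") == "#" + a.get("ID"),
    }

def audit(info, expected_audience, now_iso):
    # Policy findings that must block session creation (in addition to verifying the signature)
    findings = []
    if not (info["signed"] and info["reference_ok"]):
        findings.append("assertion unsigned or signature reference mismatch")
    if info["audience"] != expected_audience:
        findings.append("audience does not match this SP")
    # SAML timestamps end in Z; fromisoformat needs +00:00 on Python < 3.11
    to_dt = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    if to_dt(now_iso) >= to_dt(info["not_on_or_after"]):
        findings.append("assertion expired (NotOnOrAfter)")
    return findings
```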