SAML
SAML 2.0 SSO HTTP Bindings API

API specification for SAML 2.0 Single Sign-On HTTP bindings including the HTTP Redirect Binding and HTTP POST Binding for AuthnRequest and Response exchange, Assertion Consumer Service, Single Logout, and metadata retrieval as defined in the OASIS SAML 2.0 Bindings specification (saml-bindings-2.0-os).
Documentation GitHub OpenAPI
OpenAPI Specification

openapi: 3.0.3
info:
  title: SAML 2.0 SSO HTTP Bindings
  description: >-
    OpenAPI specification for SAML 2.0 Single Sign-On HTTP bindings as defined
    in the OASIS SAML 2.0 Bindings specification (saml-bindings-2.0-os). Covers
    the HTTP Redirect Binding and HTTP POST Binding used for AuthnRequest and
    Response message exchange between Service Providers and Identity Providers.
  version: 1.0.0
  contact:
    name: Kin Lane
    email: [email protected]
  license:
    name: Apache 2.0
    url: https://www.apache.org/licenses/LICENSE-2.0
servers:
  - url: https://idp.example.com
    description: SAML 2.0 Identity Provider
  - url: https://sp.example.com
    description: SAML 2.0 Service Provider
tags:
  - name: SSO
    description: SAML 2.0 Single Sign-On operations.
  - name: SLO
    description: SAML 2.0 Single Logout operations.
  - name: Metadata
    description: SAML 2.0 metadata retrieval.
paths:
  /saml/sso/redirect:
    get:
      operationId: ssoRedirectBinding
      summary: SSO HTTP Redirect Binding
      description: >-
        Initiates SAML 2.0 Single Sign-On using the HTTP Redirect Binding
        (Section 3.4 of saml-bindings-2.0-os). The AuthnRequest is encoded,
        deflated, and base64-encoded as a query parameter. The Identity Provider
        processes the request and responds with an authentication challenge or
        redirects back to the Service Provider with a SAML Response.
      tags:
        - SSO
      parameters:
        - name: SAMLRequest
          in: query
          required: true
          description: >-
            The deflated, base64-encoded, and URL-encoded SAML AuthnRequest XML
            message. The message MUST be deflated using the DEFLATE compression
            method (RFC 1951) before base64 encoding.
          schema:
            type: string
        - name: RelayState
          in: query
          required: false
          description: >-
            An opaque reference to state information maintained at the Service
            Provider. The value MUST NOT exceed 80 bytes in length and MUST be
            integrity-protected by the entity creating it.
          schema:
            type: string
            maxLength: 80
        - name: SigAlg
          in: query
          required: false
          description: >-
            The URI identifying the signature algorithm used to sign the
            request. Required when the request is signed.
          schema:
            type: string
            format: uri
            enum:
              - http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
              - http://www.w3.org/2000/09/xmldsig#rsa-sha1
              - http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256
        - name: Signature
          in: query
          required: false
          description: >-
            The base64-encoded and URL-encoded signature value computed over the
            SAMLRequest, RelayState (if present), and SigAlg query string
            parameters.
          schema:
            type: string
      responses:
        "302":
          description: >-
            Redirect to the Identity Provider login page or back to the Service
            Provider with a SAML Response via the HTTP Redirect Binding.
          headers:
            Location:
              description: Redirect URI with SAML response parameters.
              schema:
                type: string
                format: uri
        "400":
          description: Malformed SAML request or invalid encoding.
          content:
            application/xml:
              schema:
                type: string
                description: SAML error status response.
        "403":
          description: Request signature validation failed.
  /saml/sso/post:
    post:
      operationId: ssoPostBinding
      summary: SSO HTTP POST Binding
      description: >-
        Processes a SAML 2.0 AuthnRequest or Response using the HTTP POST
        Binding (Section 3.5 of saml-bindings-2.0-os). The SAML message is
        base64-encoded and submitted as a form parameter. This binding is
        typically used for the SAML Response from the Identity Provider to the
        Service Provider Assertion Consumer Service (ACS) URL.
      tags:
        - SSO
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: "#/components/schemas/SAMLPostRequest"
            examples:
              AuthnRequest:
                summary: SP-initiated AuthnRequest via POST
                value:
                  SAMLRequest: PHNhbWxwOkF1dGhuUmVxdWVzdC4uLg==
                  RelayState: https://sp.example.com/resource
              Response:
                summary: IdP Response via POST to ACS
                value:
                  SAMLResponse: PHNhbWxwOlJlc3BvbnNlLi4uPg==
                  RelayState: https://sp.example.com/resource
      responses:
        "200":
          description: >-
            SAML Response processed successfully. Returns an HTML page with
            auto-submitting form for browser-based POST binding or confirms
            successful assertion processing.
          content:
            text/html:
              schema:
                type: string
                description: >-
                  HTML document with auto-submitting form containing the SAML
                  Response for the POST binding relay.
        "400":
          description: Invalid or malformed SAML message.
          content:
            application/xml:
              schema:
                type: string
                description: SAML error status response.
        "403":
          description: SAML assertion validation failed or signature invalid.
  /saml/acs:
    post:
      operationId: assertionConsumerService
      summary: Assertion Consumer Service (ACS)
      description: >-
        The Assertion Consumer Service endpoint at the Service Provider receives
        and processes SAML Responses from the Identity Provider via the HTTP POST
        Binding. Validates the SAML Response, extracts the authentication
        assertion, and establishes a local security context for the user.
      tags:
        - SSO
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - SAMLResponse
              properties:
                SAMLResponse:
                  type: string
                  description: >-
                    The base64-encoded SAML Response XML containing one or more
                    authentication assertions from the Identity Provider.
                RelayState:
                  type: string
                  description: >-
                    The RelayState value originally sent with the AuthnRequest,
                    returned unchanged by the Identity Provider.
                  maxLength: 80
      responses:
        "302":
          description: >-
            Successful assertion processing. Redirects the user to the
            originally requested resource indicated by RelayState.
          headers:
            Location:
              description: The target resource URI from the RelayState.
              schema:
                type: string
                format: uri
            Set-Cookie:
              description: Session cookie establishing the local security context.
              schema:
                type: string
        "400":
          description: Invalid SAML Response format.
        "403":
          description: >-
            Assertion validation failed due to invalid signature, expired
            conditions, audience restriction mismatch, or replay detection.
  /saml/slo/redirect:
    get:
      operationId: sloRedirectBinding
      summary: SLO HTTP Redirect Binding
      description: >-
        Initiates or processes a SAML 2.0 Single Logout request or response
        using the HTTP Redirect Binding. Terminates sessions at the Identity
        Provider and participating Service Providers.
      tags:
        - SLO
      parameters:
        - name: SAMLRequest
          in: query
          required: false
          description: >-
            The deflated, base64-encoded LogoutRequest message. Either
            SAMLRequest or SAMLResponse MUST be present.
          schema:
            type: string
        - name: SAMLResponse
          in: query
          required: false
          description: >-
            The deflated, base64-encoded LogoutResponse message. Either
            SAMLRequest or SAMLResponse MUST be present.
          schema:
            type: string
        - name: RelayState
          in: query
          required: false
          description: Opaque state information maintained between request and response.
          schema:
            type: string
            maxLength: 80
        - name: SigAlg
          in: query
          required: false
          description: URI identifying the signature algorithm.
          schema:
            type: string
            format: uri
        - name: Signature
          in: query
          required: false
          description: Base64-encoded signature over the query string parameters.
          schema:
            type: string
      responses:
        "302":
          description: Redirect to next participant in the logout chain.
          headers:
            Location:
              description: URI of the next logout endpoint or final destination.
              schema:
                type: string
                format: uri
        "400":
          description: Invalid logout request.
  /saml/metadata:
    get:
      operationId: getMetadata
      summary: SAML 2.0 Metadata Endpoint
      description: >-
        Returns the SAML 2.0 metadata document for the entity (Identity Provider
        or Service Provider) as defined in the OASIS SAML 2.0 Metadata
        specification (saml-metadata-2.0-os). The metadata document describes
        the entity's supported bindings, endpoints, certificates, and
        capabilities.
      tags:
        - Metadata
      responses:
        "200":
          description: SAML metadata document.
          content:
            application/samlmetadata+xml:
              schema:
                type: string
                description: >-
                  XML document conforming to the SAML 2.0 Metadata schema
                  containing the EntityDescriptor element.
            application/xml:
              schema:
                type: string
                description: SAML 2.0 metadata XML document.
          headers:
            Cache-Control:
              description: Caching directives for the metadata document.
              schema:
                type: string
                example: public, max-age=86400
        "404":
          description: Metadata not available for this entity.
components:
  schemas:
    SAMLPostRequest:
      type: object
      properties:
        SAMLRequest:
          type: string
          description: >-
            The base64-encoded SAML AuthnRequest XML message. Either SAMLRequest
            or SAMLResponse MUST be present.
        SAMLResponse:
          type: string
          description: >-
            The base64-encoded SAML Response XML message containing
            authentication assertions. Either SAMLRequest or SAMLResponse MUST
            be present.
        RelayState:
          type: string
          description: >-
            Opaque reference to state information at the message sender. MUST
            NOT exceed 80 bytes.
          maxLength: 80
SAML 2.0 SSO HTTP Bindings API

Documentation

Specifications

Other Resources

OpenAPI Specification
