SAMLv2 Response Trust Provider
The SAMLv2 Response Trust Provider validates SAMLv2 responses from your identity provider (IdP), in the same way the OIDC Trust Providers validate OIDC tokens, so you can enforce Access Policies regardless of which protocol your identity provider uses.
Match rules
The following table describes the match rules available for the SAML Trust Providers:
| Rule\Claim | Description |
|---|---|
| Audience (aud) | Identifies who the SAML response is for. It specifies the intended recipient (Service Provider), ensuring a response created for one service isn’t misused for another. Example: https://aembit.example.com/saml/acs |
| Issuer (iss) | Identifies who issued the SAML response. It’s the entity ID of the identity provider that you are trusting. This verifies the response came from the correct source. Example: https://identity-provider.my-company.com |
| Subject (sub) | Identifies who the SAML response is about. It’s the NameID value that represents the specific principal (user or service account) Aembit is to authenticate. Example: user@my-company.com |
Attestation configuration
The SAMLv2 Response Trust Provider validates SAML responses using your IdP’s signing certificate. Aembit retrieves the signing certificate from the IdP’s SAML metadata. You can provide this metadata via a URL or an XML file.
| Configuration method | Description |
|---|---|
| Metadata URL | The URL to your identity provider’s SAML metadata endpoint. Aembit fetches the metadata automatically and extracts the signing certificate. Use this when you want the Trust Provider to track whatever the IdP publishes at its metadata endpoint. Example: https://identity-provider.my-company.com/saml/metadata |
| Metadata XML | The raw SAML metadata XML from your identity provider. Paste the full XML content into this field. Use this when the metadata endpoint isn’t reachable from Aembit Cloud, or when you want explicit control over the metadata content. |
How the SAMLv2 Response Trust Provider works
The authentication process involves your identity provider, the user’s browser, and Aembit.
- A user authenticates with your SAML identity provider through their browser. The IdP generates a signed SAML response containing assertions about the user’s identity.
- The user’s browser presents the SAML response to Aembit as part of the MCP Authorization Server authentication flow.
- Aembit validates the SAML response’s signature using the signing certificate from the configured metadata (fetched from the Metadata URL or extracted from the Metadata XML). If the signature is invalid, Aembit rejects the request.
- If the signature is valid, Aembit validates the response’s claims: it compares the audience, issuer, and subject values in the SAML response against the match rules you configured.
- If the signature and all claims are valid, Aembit authenticates the user and applies the relevant Access Policy (Access Policies define, enforce, and audit access between Client and Server Workloads by cryptographically verifying workload identity and contextual factors rather than relying on static secrets). If any check fails, Aembit denies the request.
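The following Python example, added here and not Aembit’s own code, walks through the three sections above end to end: it pulls the signing certificate out of IdP metadata (the same document whether it arrives from the Metadata URL or is pasted as Metadata XML), then checks a SAML Response in the order the flow describes, signature first and only then the audience, issuer and subject claims against configured match rules. Both XML documents and the certificate values are constructed placeholders. XML-DSig verification itself needs a library such as signxml or xmlsec, so it is passed in as a callable (`verify_signature`) that a production deployment must implement against the metadata certificates; the stand-in used in the demo at the bottom is an assumption, not a real check.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, List, Tuple

# SAML 2.0 namespaces used by IdP metadata and by responses/assertions
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed IdP metadata (placeholder certificates, not real X.509 data).
# It carries a signing key and a separate encryption key; only the former
# may be used to verify response signatures.
IDP_METADATA_XML = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://identity-provider.my-company.com">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        PLACEHOLDER-SIGNING-CERT-BASE64
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        PLACEHOLDER-ENCRYPTION-CERT-BASE64
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAML Response carrying the three claims the match rules inspect.
SAML_RESPONSE_XML = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0">
  <saml:Issuer>https://identity-provider.my-company.com</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Issuer>https://identity-provider.my-company.com</saml:Issuer>
    <saml:Subject><saml:NameID>user@my-company.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://aembit.example.com/saml/acs</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


@dataclass(frozen=True)
class MatchRules:
    audience: str  # expected aud: the Service Provider the response is for
    issuer: str    # expected iss: the IdP entity ID
    subject: str   # expected sub: the NameID of the principal


def signing_certs(metadata_xml: str) -> List[str]:
    """Return the base64 signing certificates found in IdP metadata.

    A KeyDescriptor with no `use` attribute is valid for both signing and
    encryption, so it is kept; `use="encryption"` keys are skipped."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))  # strip PEM whitespace
    return certs


# Assumed hook: real XML-DSig verification of `response_xml` against `certs`.
SignatureCheck = Callable[[str, List[str]], bool]


def validate_response(response_xml: str, rules: MatchRules,
                      certs: List[str], verify_signature: SignatureCheck) -> Tuple[bool, str]:
    """Reject on the first failed check; claims are read only after the signature holds."""
    if not certs:
        return False, "no signing certificate in metadata"
    if not verify_signature(response_xml, certs):
        return False, "signature invalid"
    root = ET.fromstring(response_xml)

    audiences = {(e.text or "").strip() for e in root.findall(".//saml:Audience", NS)}
    if rules.audience not in audiences:
        return False, "audience mismatch"

    # Every Issuer element (Response and Assertion level) must name the trusted IdP
    issuers = {(e.text or "").strip() for e in root.findall(".//saml:Issuer", NS)}
    if issuers != {rules.issuer}:
        return False, "issuer mismatch"

    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or (name_id.text or "").strip() != rules.subject:
        return False, "subject mismatch"
    return True, "ok"


if __name__ == "__main__":
    rules = MatchRules(audience="https://aembit.example.com/saml/acs",
                       issuer="https://identity-provider.my-company.com",
                       subject="user@my-company.com")
    certs = signing_certs(IDP_METADATA_XML)
    stand_in_ok = lambda xml, cs: True  # assumption: replace with real XML-DSig verification
    print(certs)
    print(validate_response(SAML_RESPONSE_XML, rules, certs, stand_in_ok))
    print(validate_response(SAML_RESPONSE_XML, rules, certs, lambda xml, cs: False))
```

Two points worth keeping from this shape: the claim checks never run on a response whose signature has not been verified, and a certificate published only for `use="encryption"` is never accepted as a signing key. If the response XML comes from an untrusted party, parse it with defusedxml’s `fromstring` rather than the standard library’s to limit entity-expansion abuse.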