SAML 2.0
SP/IdP setup, XML-DSig verification, assertion mapping.
oauth.work speaks SAML 2.0 for enterprise customers who require it. The XML-DSig verifier is
implemented from scratch on WebCrypto — no node:crypto on the hot path — and is cross-checked in
tests against the xml-crypto library.
Configure the connection
Point your IdP at the tenant’s ACS endpoint and exchange metadata:
SP entity ID: https://acme.oauth.work/saml/metadata
ACS URL: https://acme.oauth.work/saml/acs
NameID format: emailAddress (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)
Verification, done right
Every inbound assertion is checked for the failure modes that sink naive SAML stacks:
- Signature wrapping — the signature must cover the asserted element, not a smuggled sibling.
- Tampering — canonicalization (C14N) is recomputed and the digest compared.
- Replay — NotOnOrAfter and one-time InResponseTo are enforced.
A tampered or wrapped assertion is rejected, not best-guessed.
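The structural half of those checks, as an added example (this is not oauth.work's WebCrypto verifier, and Python is used only because its standard library parses XML offline): the assertion is selected by following the Signature's own Reference rather than by grabbing the first Assertion, duplicate IDs and any smuggled sibling Assertion are rejected, the NotBefore/NotOnOrAfter window is checked with an assumed 120 s skew, and InResponseTo is redeemed exactly once against the AuthnRequest IDs the SP issued (assumed 300 s TTL). The Response, its placeholder SignatureValue, the request ID `_req42` and the user names are constructed for the example. The cryptographic step itself (C14N of the referenced element, digest comparison, signature over SignedInfo) is assumed to run as a separate step and is not performed here; `naive_name_id` shows what a verifier that skips the structural check would believe.

```python
# Added example: XSW-resistant assertion selection and replay checks (no crypto step).
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION = "{%s}Assertion" % NS["saml"]
SIGNATURE = "{%s}Signature" % NS["ds"]
REFERENCE = "{%s}Reference" % NS["ds"]
SKEW = 120  # seconds of tolerated clock skew; assumed policy value


class SamlRejected(Exception):
    pass


def signed_assertion(root: ET.Element) -> ET.Element:
    """Return the one Assertion the enveloped Signature actually covers (assertion-level signing)."""
    parent = {child: p for p in root.iter() for child in p}
    sigs = list(root.iter(SIGNATURE))
    if len(sigs) != 1:
        raise SamlRejected("expected exactly one Signature, found %d" % len(sigs))
    sig = sigs[0]
    refs = list(sig.iter(REFERENCE))
    if len(refs) != 1 or not refs[0].get("URI", "").startswith("#"):
        raise SamlRejected("expected exactly one same-document Reference")
    ref_id = refs[0].get("URI")[1:]
    # A duplicated ID would let the attacker choose what '#id' resolves to.
    matches = [e for e in root.iter() if e.get("ID") == ref_id]
    if len(matches) != 1:
        raise SamlRejected("Reference #%s resolves to %d elements" % (ref_id, len(matches)))
    signed = matches[0]
    # The referenced element must be an Assertion and the Signature's own parent.
    if signed.tag != ASSERTION or parent.get(sig) is not signed:
        raise SamlRejected("Signature does not envelope the referenced Assertion")
    # Any other Assertion in the Response is an unsigned, smuggled sibling (XSW).
    if any(e is not signed for e in root.iter(ASSERTION)):
        raise SamlRejected("unsigned Assertion present alongside the signed one")
    return signed


def _ts(s: str) -> float:
    # UTC xsd:dateTime without fractional seconds, as used in the constructed sample.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def check_validity_window(assertion: ET.Element, now: float) -> None:
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise SamlRejected("missing Conditions/NotOnOrAfter")
    nb = cond.get("NotBefore")
    if nb is not None and now < _ts(nb) - SKEW:
        raise SamlRejected("assertion not yet valid")
    if now >= _ts(cond.get("NotOnOrAfter")) + SKEW:
        raise SamlRejected("assertion expired")


class RequestTracker:
    """AuthnRequest IDs this SP issued; each may be redeemed exactly once."""

    def __init__(self):
        self._open = {}  # request ID -> expiry time

    def issue(self, request_id: str, now: float, ttl: float = 300) -> None:
        self._open[request_id] = now + ttl

    def redeem(self, in_response_to, now: float) -> None:
        expiry = self._open.pop(in_response_to, None)  # pop makes it one-time
        if expiry is None or now > expiry:
            raise SamlRejected("InResponseTo %r unknown, already used, or stale" % in_response_to)


def verify_response(response_xml: str, tracker: RequestTracker, now: float) -> str:
    """Return the NameID of the signed assertion, or raise SamlRejected."""
    root = ET.fromstring(response_xml)
    assertion = signed_assertion(root)  # structure first; the signature check would follow here
    tracker.redeem(root.get("InResponseTo"), now)
    check_validity_window(assertion, now)
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def naive_name_id(response_xml: str) -> str:
    """What a verifier that takes the first Assertion sees: the bug XSW exploits."""
    first = ET.fromstring(response_xml).find(".//saml:Assertion", NS)
    return first.findtext("saml:Subject/saml:NameID", namespaces=NS)


def outcome(response_xml: str, tracker: RequestTracker, now: float) -> str:
    try:
        return "accepted " + verify_response(response_xml, tracker, now)
    except SamlRejected as e:
        return "rejected: " + str(e)


# Constructed sample Response; SignatureValue is a placeholder, not a real signature.
GOOD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" InResponseTo="_req42">
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice@acme.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"/>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# XSW: an unsigned Assertion for another user is inserted ahead of the signed one.
WRAPPED = GOOD.replace('<saml:Assertion ID="_a1">', """<saml:Assertion ID="_evil">
    <saml:Subject><saml:NameID>admin@acme.example</saml:NameID></saml:Subject>
    <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z"/>
  </saml:Assertion>
  <saml:Assertion ID="_a1">""", 1)
```

Running `outcome(GOOD, tracker, now)` twice with the same tracker accepts once and rejects the second presentation on InResponseTo; `outcome(WRAPPED, ...)` is rejected for the extra Assertion even though the signed one inside it is intact, while `naive_name_id(WRAPPED)` happily returns the attacker's NameID. Redeeming the request ID only after the assertion's structure is checked keeps a malformed response from burning a legitimate in-flight login.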
Attribute mapping
Map IdP attributes to the user profile your app expects:
{
"email": "urn:oid:0.9.2342.19200300.100.1.3",
"name": "urn:oid:2.16.840.1.113730.3.1.241",
"groups": "http://schemas.xmlsoap.org/claims/Group"
}
Groups flow into SCIM provisioning and RBAC.
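Applying that mapping to an AttributeStatement, as an added example (not oauth.work's own mapper): attributes are matched on Name only, since FriendlyName is informational and set by the IdP; several Attribute elements with the same Name are merged; values are trimmed and empty ones dropped; `groups` is collected as a de-duplicated list in IdP order, and a missing `email` is rejected. The assertion and user values are constructed, and treating `email` as required and `groups` as the only multi-valued field are assumed policies.

```python
# Added example: map a SAML AttributeStatement onto the profile fields above.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The mapping from the page: profile field -> SAML Attribute Name.
MAPPING = {
    "email": "urn:oid:0.9.2342.19200300.100.1.3",
    "name": "urn:oid:2.16.840.1.113730.3.1.241",
    "groups": "http://schemas.xmlsoap.org/claims/Group",
}
MULTI_VALUED = {"groups"}  # collected as a list; every other field takes its first value
REQUIRED = {"email"}       # assumed policy: no email attribute, no login


def map_attributes(assertion: ET.Element, mapping=MAPPING) -> dict:
    """Build the profile dict from saml:AttributeStatement, matching on Name only."""
    values_by_name = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        vals = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        values_by_name.setdefault(attr.get("Name"), []).extend(v for v in vals if v)
    profile = {}
    for field, name in mapping.items():
        vals = values_by_name.get(name, [])
        if field in MULTI_VALUED:
            profile[field] = list(dict.fromkeys(vals))  # de-duplicate, keep order
        elif vals:
            profile[field] = vals[0]
        elif field in REQUIRED:
            raise ValueError("required attribute %s (%s) missing" % (field, name))
    return profile


def profile_from_xml(assertion_xml: str) -> dict:
    return map_attributes(ET.fromstring(assertion_xml))


# Constructed sample assertion; the duplicate group value is deliberate.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue> alice@acme.example </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>engineering</saml:AttributeValue>
      <saml:AttributeValue>admins</saml:AttributeValue>
      <saml:AttributeValue>engineering</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

The group list comes out as `["engineering", "admins"]`, which is what feeds SCIM provisioning and RBAC; an IdP that only sends `FriendlyName="mail"` without the OID Name is rejected rather than silently producing a profile without an email.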