Built by Stytch

Modernize your SAML SSO security.

Secure your stack from SAML vulnerabilities and assertion exploits with SAML Shield. Open source, protocol-aware, and production-ready.

Get Started

Keep your existing SAML stack.

Compatible with any language or system.

Zero changes to your IdP.

Drop-in protection that works for any stack.

Embed SAML Shield directly.

Validate assertions before they hit your application’s code with open source and Stytch-managed options.

Or protect your stack via proxy.

Stay protected from the latest CVEs without relying on SaaS providers making timely updates.

Protect against SAML exploits at the source.

SAML's permissive specification and XML-based design make it vulnerable to a range of attacks.

XML signature wrapping

Replay attacks

Entity injection

Unsigned assertions

Block assertions in real time.

Stop attacks before they reach your app.

SAML Shield sits as a protocol-aware security layer on top of your SAML stack.

It validates all incoming assertions in real time and stops malicious ones before they reach application code.
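To make the four attack classes listed above and the "validate before it reaches application code" model concrete, here is an added example written for this page. It is not SAML Shield's code and not Stytch's API; the function names, the reason codes and the sample responses are all constructed here. It is a Node.js pre-parse screen over a base64-encoded SAMLResponse that rejects DTD and entity declarations (entity injection), responses with no XMLDSig Signature element (unsigned assertions), responses carrying more than one Assertion (a common shape of XML signature wrapping), and assertion IDs that are expired or have already been accepted (replay). It does not verify signatures cryptographically, so it complements your SAML library's signature validation rather than replacing it.

```javascript
// Added example (not SAML Shield's code): a minimal pre-parse screen that a
// protocol-aware layer could run before a SAMLResponse reaches the application.
// It rejects structurally unsafe input only; cryptographic signature
// verification is still the job of the SAML library behind it.

const XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

// Count start tags with the given local name, ignoring any namespace prefix.
function countElements(xml, localName) {
  const re = new RegExp(`<(?:[A-Za-z_][\\w.-]*:)?${localName}\\b`, "g");
  return (xml.match(re) || []).length;
}

// Screen one base64-encoded SAMLResponse.
// `seen` is a Map of accepted assertion ID -> NotOnOrAfter (ms since epoch),
// used to detect replays; `now` is injectable so behaviour is deterministic.
function screenSamlResponse(samlResponseB64, seen, now = Date.now()) {
  const reasons = [];
  const xml = Buffer.from(samlResponseB64, "base64").toString("utf8");

  // Entity injection: a SAML message never legitimately carries a DTD or
  // entity declaration, so their mere presence is grounds for rejection.
  if (/<!DOCTYPE/i.test(xml) || /<!ENTITY/i.test(xml)) {
    reasons.push("dtd_or_entity_declaration");
  }

  // Signature wrapping heuristic: a Response with more than one Assertion is
  // the classic shape of a signed decoy plus an injected assertion.
  const assertionCount = countElements(xml, "Assertion");
  if (assertionCount === 0) reasons.push("no_assertion");
  if (assertionCount > 1) reasons.push("multiple_assertions");

  // Unsigned assertions: require at least one XMLDSig Signature element.
  if (countElements(xml, "Signature") === 0 || !xml.includes(XMLDSIG_NS)) {
    reasons.push("missing_signature");
  }

  // Replay and expiry: remember accepted assertion IDs until NotOnOrAfter.
  const idMatch = xml.match(/<(?:[\w.-]+:)?Assertion\b[^>]*\bID="([^"]+)"/);
  const expMatch = xml.match(/NotOnOrAfter="([^"]+)"/);
  if (!idMatch || !expMatch) {
    reasons.push("missing_id_or_expiry");
  } else {
    const expiresAt = Date.parse(expMatch[1]);
    if (Number.isNaN(expiresAt) || expiresAt <= now) reasons.push("expired");
    else if (seen.has(idMatch[1])) reasons.push("replayed_assertion_id");
  }

  if (reasons.length === 0) {
    seen.set(idMatch[1], Date.parse(expMatch[1]));
    // Prune IDs whose validity window has passed so the cache stays bounded.
    for (const [id, exp] of seen) if (exp <= now) seen.delete(id);
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample SAMLResponse builder (not real IdP output) used to
// exercise each check; the entity in the DOCTYPE variant is a harmless
// internal entity, present only so the DTD check fires.
function buildResponse({
  signed = true, assertions = 1, doctype = false,
  id = "_a1", notOnOrAfter = "2030-01-01T00:00:00Z",
} = {}) {
  const sig = signed
    ? `<ds:Signature xmlns:ds="${XMLDSIG_NS}"><ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>`
    : "";
  const assertion =
    `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="${id}" Version="2.0">` +
    `<saml:Issuer>https://idp.example.com</saml:Issuer>${sig}` +
    `<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>` +
    `<saml:Conditions NotBefore="2025-01-01T00:00:00Z" NotOnOrAfter="${notOnOrAfter}"/>` +
    `</saml:Assertion>`;
  const xml =
    (doctype ? `<!DOCTYPE foo [<!ENTITY x "y">]>` : "") +
    `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">` +
    assertion.repeat(assertions) +
    `</samlp:Response>`;
  return Buffer.from(xml, "utf8").toString("base64");
}
```

Call `screenSamlResponse(req.body.SAMLResponse, seenIds)` with one long-lived `Map` per process (or a shared store behind a load balancer) and only hand the response to your SAML library when `ok` is true; the `reasons` array is what you would log for detection and backtesting. In production the replay cache must be shared across instances, and the Assertion count heuristic should be paired with real signature validation, since a single wrapped assertion can still be built around a genuine signed element.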

Centralized logging and backtesting support coming soon!

How it works

Cross-stack protection.

Multiple CVEs, one fix.

Stop chasing patches against the same exploit that resurfaces across ecosystems.

Blocks known protocol-level exploits across Python, Ruby, Node.js, and more.

Hardened rulesets evolve with new CVEs so you don’t have to.

Security coverage

Security with a simple API call.

Compatible with any language or system.

Easy to implement, with no code rewrites to your identity provider or existing SAML setup.

Easy to integrate into your existing stack, without rewrites.

Works with your application, edge proxies, or gateways.

Deployment options
```javascript
const stytch = require("stytch");

const client = new stytch.SamlShieldClient({
  // Retrieved from SAML Shield Dashboard
  public_token: process.env.PUBLIC_TOKEN,
});

const params = {
  // The base64-encoded SAMLResponse received from the IdP
  SAMLResponse: 'base64 encoded SAML Response',
};

client.saml.validate(params)
  .then(resp => { console.log(resp) })
  .catch(err => { console.log(err) });
```

Flexible deployment, uncompromising protection.

Open source for full control, or use our managed option for zero-maintenance security.

Open source

Free, open source Node.js library.

Drop into your existing SAML stack with no rewrites.

Inspects assertions for exploit patterns before they're processed.

View on GitHub

Managed

Integrate in any language with a simple API call.

Secure any SAML route via proxy: NGINX, Istio, and more.

Backtesting support—check if exploits were attempted as new vulnerabilities are discovered (coming soon).

Automatically receive the latest updates—no need to update dependencies and redeploy.

Try for free

Built by Stytch

The identity platform built for what's next.

Join us - we're hiring!

Visit Stytch.com

© 2025 Stytch. All rights reserved.