SAML Shield

About SAML Shield

SAML Shield proactively analyzes incoming SAML responses using a hardened validation engine designed to stop protocol-level attacks before they reach your application.

How it works

SAML Shield sits between your application and the incoming SAML response, acting as a validation gate before any assertion reaches your SAML library or business logic.

When a SAML response is received (whether via an SDK call, the OSS library, or at the edge through a proxy), SAML Shield performs a series of protocol-aware checks designed to catch known attack patterns and malformed input in the SAML Response and the assertion within. These checks are based on real-world CVEs, ecosystem-specific pitfalls, and emerging security trends.

Some of the core patterns validated include:

  • Schema and structure integrity

    SAML Shield parses the XML using hardened rulesets to detect manipulations like XML Signature Wrapping (XSW) and enforce correct structure and namespace use.

  • Replay protection

    SAML Shield enforces strict time windows to prevent replay attacks using stale tokens.

  • Entity injection defense (XXE)

    SAML Shield sanitizes and disables external entity processing to prevent information leaks or denial-of-service attacks via the XML parser.
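The three check categories above, sketched as an added Python pre-filter (illustrative code written for this page, not SAML Shield's implementation): it rejects any DTD before the XML parser runs, requires a single Assertion that is a direct child of the Response with its enveloped signature Reference pointing at its own ID, and enforces the Conditions window with an assumed one-minute clock skew. The sample response, the check names and the `validate_response` function are all constructed for the example; cryptographic signature verification is still left to the SAML library behind the gate.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CLOCK_SKEW = timedelta(minutes=1)  # assumed tolerance for IdP/SP clock drift

# Constructed sample: one signed Assertion carrying a five-minute validity window.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

def parse_ts(value: str) -> datetime:
    """SAML timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text: str, now: datetime) -> str:
    """Return 'ok' or the name of the first check that failed."""
    # XXE defense: refuse any DTD or entity declaration before the parser sees it.
    if re.search(r"<!(DOCTYPE|ENTITY)", xml_text):
        return "dtd_present"
    root = ET.fromstring(xml_text)
    # Structure: exactly one Assertion, as a direct child of the Response (no wrapped copies).
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1 or not any(child is assertions[0] for child in root):
        return "assertion_structure"
    assertion = assertions[0]
    # Every ID must be unique; XSW relies on two elements competing for the signed ID.
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if len(ids) != len(set(ids)):
        return "duplicate_id"
    # The enveloped signature's Reference must point at the assertion we will trust.
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        return "signature_reference"
    # Replay / stale-token defense: Conditions must bracket 'now', allowing small skew.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return "missing_conditions"
    nb, na = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
    if now < nb - CLOCK_SKEW or now >= na + CLOCK_SKEW:
        return "outside_time_window"
    return "ok"
```

Run with the current time in place of the fixed timestamp to gate a live response; a document that fails any check never reaches the SAML library.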

SAML Shield provides a proactive layer of assertion validation that complements the critical work done by existing SAML libraries and their open source maintainers. Rather than relying on fragmented, library-specific patches, it applies a consistent ruleset to block malformed or malicious assertions. As a centralized validation gate, SAML Shield offers a single fix for a broad class of SAML CVEs — regardless of which language or library you use.


SAML responses vs. SAML assertions

A SAML response is an XML document that delivers one or more SAML assertions from an identity provider (IdP) to a service provider (SP), along with other necessary protocol-related information. To understand this relationship, think of a SAML response as an envelope containing a letter. The envelope (response) holds and delivers the letter (assertion), which contains the actual information being sent.

A SAML assertion is also an XML document. It conveys authentication and authorization information between an identity provider (IdP) and a service provider (SP) within a SAML SSO authentication flow. SAML assertions typically contain statements and nested attributes about a user that an IdP must have authenticated, and other relevant details about the authentication event.

These statements contain attributes that define the user’s identity, their authentication status, the time and method of authentication, conditions that specify when and where the assertion is valid, and other relevant user-specific attributes like role or department affiliations. This way, service providers can rely on assertions to make access control decisions within their systems, without directly authenticating any user.