Generate your SP metadata XML containing your entity ID, AssertionConsumerService URL, and your SP's signing certificate (stored as a PEM-encoded certificate in your configuration); share this with the IdP administrator
Obtain the IdP metadata XML (or configure issuer, SSO URL, and IdP signing certificate manually) and load it into your SAML library
On a login attempt, generate an AuthnRequest, sign it with your SP private key, and redirect the user to the IdP SSO URL via HTTP-Redirect or HTTP-POST binding
Receive the SAMLResponse at your ACS URL; base64-decode and XML-parse it, then verify the XML signature against the IdP's certificate
Extract the NameID and attribute statements from the assertion; validate the Conditions element (NotBefore, NotOnOrAfter, AudienceRestriction must include your entity ID)
Check that InResponseTo matches an AuthnRequest ID you issued and consume that ID so it cannot be reused; record the assertion ID as well so a captured response cannot be replayed, then create or update the local user session
Known gotchas
XML signature validation must cover the Assertion element, not just the outer Response; a valid outer signature with an unsigned assertion is insufficient
Replay protection requires persisting assertion IDs for at least the duration of the assertion's NotOnOrAfter window
Attribute name formats vary by IdP (urn:oasis URNs vs friendly names); confirm the exact attribute names with the IdP administrator before hard-coding them
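The response-handling steps above (receive at the ACS URL, verify the assertion signature, validate Conditions, enforce one-time use of the request and assertion IDs, extract NameID and attributes) and the first two gotchas, as an added example written for this page rather than code from the original. It uses only the Python standard library: the cryptographic signature check is delegated to a caller-supplied verify_signature callback (an assumption; in practice an xmlsec-backed library verifying against the IdP certificate from metadata), the entity IDs and attribute mapping are constructed values, and the sample SAMLResponse carries a placeholder ds:Signature so the structural checks can be exercised offline.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

SP_ENTITY_ID = "https://sp.example.test/saml/metadata"   # constructed value
IDP_ISSUER = "https://idp.example.test/saml/idp"         # constructed value
CLOCK_SKEW = timedelta(minutes=3)                        # tolerated clock drift
DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
ATTRIBUTE_MAP = {  # assumed IdP attribute names -> local names; confirm with the IdP admin
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.5.4.42": "givenName",
}


class SamlValidationError(Exception):
    pass


class ReplayCache:
    """In-memory stand-in for a persistent store of consumed assertion IDs.
    Each entry lives until the assertion's NotOnOrAfter plus skew, as the gotcha requires."""

    def __init__(self):
        self._seen = {}

    def consume(self, assertion_id, expires_at, now):
        self._seen = {k: v for k, v in self._seen.items() if v > now}  # purge expired
        if assertion_id in self._seen:
            raise SamlValidationError("assertion ID already used (replay)")
        self._seen[assertion_id] = expires_at


def parse_saml_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def process_response(b64_response, pending_request_ids, replay_cache, verify_signature, now):
    """Validate a base64 SAMLResponse received at the ACS URL and return the identity it carries.
    verify_signature(assertion_element) -> bool is the caller's cryptographic check against the
    IdP certificate taken from metadata (assumed here, e.g. an xmlsec-based library)."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != f"{{{SAMLP}}}Response":
        raise SamlValidationError("not a samlp:Response")
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        raise SamlValidationError("no plaintext Assertion (encrypted assertions not handled here)")
    # Gotcha: the signature must be on the Assertion itself, not only on the outer Response.
    if assertion.find(f"{{{DS}}}Signature") is None:
        raise SamlValidationError("Assertion element is not signed")
    if not verify_signature(assertion):
        raise SamlValidationError("Assertion signature does not verify against the IdP certificate")
    if assertion.findtext(f"{{{SAML}}}Issuer") != IDP_ISSUER:
        raise SamlValidationError("unexpected Issuer")
    conditions = assertion.find(f"{{{SAML}}}Conditions")
    if conditions is None:
        raise SamlValidationError("missing Conditions")
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    if now + CLOCK_SKEW < not_before or now - CLOCK_SKEW >= not_on_or_after:
        raise SamlValidationError("assertion is outside its validity window")
    audiences = [a.text for a in conditions.iter(f"{{{SAML}}}Audience")]
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError("AudienceRestriction does not include this SP's entity ID")
    # One-time use of the AuthnRequest ID we issued; unsolicited responses are rejected.
    in_response_to = root.get("InResponseTo")
    if in_response_to not in pending_request_ids:
        raise SamlValidationError("InResponseTo does not match an outstanding AuthnRequest")
    pending_request_ids.discard(in_response_to)
    # One-time use of the assertion ID, remembered for the whole NotOnOrAfter window.
    replay_cache.consume(assertion.get("ID"), not_on_or_after + CLOCK_SKEW, now)
    name_id = assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    attributes = {}
    for attr in assertion.iter(f"{{{SAML}}}Attribute"):
        values = [v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        attributes[ATTRIBUTE_MAP.get(attr.get("Name"), attr.get("Name"))] = values
    return {"name_id": name_id, "attributes": attributes}


def make_sample_response(signed=True, audience=SP_ENTITY_ID, in_response_to="_req-1"):
    """Constructed SAMLResponse for the demo; the ds:Signature content is a placeholder."""
    sig = f'<ds:Signature xmlns:ds="{DS}"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>' if signed else ""
    xml = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp-1" InResponseTo="{in_response_to}">
  <saml:Assertion ID="_assert-1" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>{sig}
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:58:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def demo():
    """Happy path: one outstanding request, a fresh replay cache, and a signature check that accepts."""
    return process_response(make_sample_response(), {"_req-1"}, ReplayCache(), lambda a: True, DEMO_NOW)
```

The ordering matters: nothing in the response is trusted until the assertion's own signature has been verified, and only then are the validity window, audience, InResponseTo and assertion ID checked. Presenting the same response twice against one ReplayCache fails on the second attempt, an unsigned assertion is rejected even when the caller's verifier would accept it, and an assertion addressed to another entity ID is refused.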
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp