SAML IdP Extra Validation Checks

This document describes various ways to expand the validation checks made on incoming SAML AuthnRequests. Full support requires PAS 4.7 or higher.

StrictValidation

The "strictValidation" authenticator configuration parameter, present in most SAML authenticators, adds several extra validation steps for the incoming AuthnRequest, including:

  • IssueInstant time check (old requests are rejected, clock skew window can be adjusted via SAML IDP config parameter "clock_skew_minutes")
  • Request compliance with IdP metadata (AuthnRequest destination attribute should equal IdP SSO Location)
  • Request compliance with SP metadata (AssertionConsumerServices should match, bindings should match)
  • Signature compliance (if SP says in its metadata that requests will be signed, they must be signed, same with if IdP requires signed requests)
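The four checks in the list above, written out as an added example that is not PhenixID's code: a constructed AuthnRequest is validated against constructed IdP and SP metadata facts. Every URL, entityID, timestamp and the helper name `validate_authn_request` are assumptions; note that, as in the list, the last check only verifies that a signature is required and present, and does not perform the cryptographic verification itself.

```python
# Added example (not PhenixID's code): the four strictValidation checks applied to a
# constructed AuthnRequest and constructed metadata facts. All URLs, entityIDs and
# timestamps are assumptions for illustration.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# What the IdP knows from its own and the SP's metadata (constructed values).
IDP_SSO_LOCATION = "https://idp.example.test/saml/authenticate/redirect"
IDP_REQUIRES_SIGNED_REQUESTS = False   # stands in for an IdP-side "requests must be signed" policy
SP_METADATA = {
    "entityID": "https://sp.example.test/metadata",
    "acs": {("https://sp.example.test/acs", HTTP_POST)},   # (Location, Binding) pairs
    "AuthnRequestsSigned": True,
}

# Constructed AuthnRequest that satisfies the metadata above.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2023-06-19T12:49:04.563Z"
    Destination="https://idp.example.test/saml/authenticate/redirect"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://sp.example.test/acs">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
</samlp:AuthnRequest>"""

NOW = datetime(2023, 6, 19, 12, 50, tzinfo=timezone.utc)    # about one minute after IssueInstant
LATE = datetime(2023, 6, 19, 13, 30, tzinfo=timezone.utc)   # 41 minutes after IssueInstant


def validate_authn_request(xml_text, now, clock_skew_minutes=5, transport_signed=False):
    """Return the list of failed strictValidation checks; an empty list means accept.

    transport_signed: True when an HTTP-Redirect request carried SigAlg/Signature
    query parameters (a POST-bound request carries ds:Signature inside the XML).
    """
    req = ET.fromstring(xml_text)
    failures = []

    # 1. IssueInstant: reject old (or future) requests outside the skew window.
    issued = datetime.fromisoformat(req.get("IssueInstant").replace("Z", "+00:00"))
    if abs(now - issued) > timedelta(minutes=clock_skew_minutes):
        failures.append("IssueInstant outside clock skew window")

    # 2. IdP metadata compliance: Destination must equal the IdP SSO Location.
    if req.get("Destination") != IDP_SSO_LOCATION:
        failures.append("Destination does not match IdP SSO Location")

    # 3. SP metadata compliance: issuer, ACS URL and binding must be registered.
    issuer = (req.findtext("saml:Issuer", namespaces=NS) or "").strip()
    acs_pair = (req.get("AssertionConsumerServiceURL"), req.get("ProtocolBinding"))
    if issuer != SP_METADATA["entityID"] or acs_pair not in SP_METADATA["acs"]:
        failures.append("AssertionConsumerService or binding not in SP metadata")

    # 4. Signature compliance: a signature is mandatory if SP metadata or IdP policy says so.
    signed = transport_signed or req.find("ds:Signature", NS) is not None
    if (SP_METADATA["AuthnRequestsSigned"] or IDP_REQUIRES_SIGNED_REQUESTS) and not signed:
        failures.append("AuthnRequest must be signed")
    return failures
```

Returning a list of failures rather than raising on the first one makes the rejection reason loggable, which is what an operator debugging an SP integration needs; the skew parameter plays the role of the IdP's "clock_skew_minutes" setting.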

PrincipalSelection

PAS 4.7 and higher supports validation of PrincipalSelection in SAML. If an AuthnRequest contains a PrincipalSelection element, and the "resolveSAMLRequestProperties" parameter is set to "true" at some point in the authenticator flow, the PrincipalSelection can be validated against the authenticated principal in the AssertionProvider valve. This check is activated via the "comparePrincipal" configuration parameter of the AssertionProvider:

  {
    "id" : "268953c5-bae2-41fc-bbfe-2db2fb58eaed",
    "name" : "AssertionProvider",
    "enabled" : "true",
    "config" : {
      "targetEntityID" : "myentityid",
      "nameIDAttribute" : "uid",
      "additionalAttributes" : "urn:oid:1.2.752.29.4.13",
      "comparePrincipal" : "true"
    },
    "created" : "2023-06-19T12:49:04.563Z"
  }

With this setting, if a PrincipalSelection is present in the AuthnRequest, its MatchValues are compared to the attributes named in additionalAttributes (or the nameIDAttribute), and at least one of them must match. For example, if a PrincipalSelection with the value

  <psc:PrincipalSelection xmlns:psc="http://id.swedenconnect.se/authn/1.0/principal-selection/ns">
    <psc:MatchValue Name="urn:oid:1.2.752.29.4.13">197309069289</psc:MatchValue>
  </psc:PrincipalSelection>

is present in the AuthnRequest, the AssertionProvider will throw an error unless the attribute "urn:oid:1.2.752.29.4.13" is present in additionalAttributes (or the nameIDAttribute) and has the value 197309069289. A PrincipalSelection can carry several MatchValues, and only one of them needs to match the authenticated principal.
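The comparison described above, as an added example that is not PhenixID's code: the PrincipalSelection from the page is embedded in a constructed AuthnRequest and checked against the authenticated principal's attributes. The attribute names and the personal identity number value are the page's; the principal dictionary, the `uid` value and the helper names (`principal_matches`, `assert_principal_selection`) are assumptions, and additionalAttributes is taken as a list of attribute names rather than the configuration string.

```python
# Added example (not PhenixID's code): what comparePrincipal="true" checks, run over a
# constructed AuthnRequest carrying the PrincipalSelection from the page. The principal
# dictionary and helper names are assumptions.
import xml.etree.ElementTree as ET

NS = {"psc": "http://id.swedenconnect.se/authn/1.0/principal-selection/ns"}
PNR_ATTR = "urn:oid:1.2.752.29.4.13"

# Constructed AuthnRequest; PrincipalSelection travels in samlp:Extensions.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed2" Version="2.0" IssueInstant="2023-06-19T12:49:04Z">
  <samlp:Extensions>
    <psc:PrincipalSelection xmlns:psc="http://id.swedenconnect.se/authn/1.0/principal-selection/ns">
      <psc:MatchValue Name="urn:oid:1.2.752.29.4.13">197309069289</psc:MatchValue>
    </psc:PrincipalSelection>
  </samlp:Extensions>
</samlp:AuthnRequest>"""

# Constructed request with no PrincipalSelection at all.
PLAIN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed3" Version="2.0" IssueInstant="2023-06-19T12:49:04Z"/>"""

# Attributes of the authenticated principal as the session would hold them
# (constructed): attribute name -> list of values.
PRINCIPAL = {"uid": ["anna"], PNR_ATTR: ["197309069289"]}


def principal_selection(authn_request_xml):
    """Return the (Name, value) pairs of every MatchValue, or [] when none is present."""
    root = ET.fromstring(authn_request_xml)
    return [(mv.get("Name"), (mv.text or "").strip())
            for mv in root.iterfind(".//psc:MatchValue", NS)]


def principal_matches(authn_request_xml, principal, name_id_attribute, additional_attributes):
    """True when no PrincipalSelection is present, or when at least one MatchValue names an
    attribute listed in nameIDAttribute/additionalAttributes and the authenticated
    principal holds exactly that value. A MatchValue naming an attribute that is not
    configured for comparison can never match."""
    match_values = principal_selection(authn_request_xml)
    if not match_values:
        return True
    comparable = {name_id_attribute, *additional_attributes}
    return any(name in comparable and value in principal.get(name, [])
               for name, value in match_values)


def assert_principal_selection(authn_request_xml, principal, name_id_attribute, additional_attributes):
    """AssertionProvider behaviour: refuse to issue an assertion instead of returning False."""
    if not principal_matches(authn_request_xml, principal, name_id_attribute, additional_attributes):
        raise PermissionError("PrincipalSelection does not match the authenticated principal")
```

The check is deliberately an exact-value comparison: the SP asked for a specific person, and issuing an assertion for anyone else, even a closely related identity, is the failure the valve exists to prevent.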

Other validation checks

Since PAS 4.7, an AssertionProvider configured for LoA4, i.e. with the AuthnContextClassRef value http://id.elegnamnden.se/loa/1.0/loa4 in its authMethod parameter, also validates that the requesting SP can handle the SAML holder-of-key profile (urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser).
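The metadata side of that check, as an added example that is not PhenixID's code. Per the OASIS SAML holder-of-key web browser SSO profile, an SP advertises holder-of-key support in its metadata with an AssertionConsumerService whose Binding is the profile URI and whose hoksso:ProtocolBinding attribute names the underlying transport binding; the two SP metadata documents below are constructed on that pattern, and the entityIDs, locations and helper names are assumptions. The two URIs are the ones given above.

```python
# Added example (not PhenixID's code): the LoA4 / holder-of-key metadata check over
# constructed SP metadata. Only the two URIs come from the page; entityIDs, locations
# and helper names are assumptions.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
LOA4 = "http://id.elegnamnden.se/loa/1.0/loa4"
HOK_PROFILE = "urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"

# Constructed SP metadata with a holder-of-key endpoint: Binding is the HoK profile URI,
# hoksso:ProtocolBinding carries the underlying HTTP binding.
SP_WITH_HOK = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
    entityID="https://sp.example.test/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
        hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/hok-acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata that only offers a plain HTTP-POST endpoint.
SP_WITHOUT_HOK = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp-plain.example.test/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp-plain.example.test/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_supports_holder_of_key(sp_metadata_xml):
    """True if any AssertionConsumerService in the SP metadata uses the HoK profile binding."""
    root = ET.fromstring(sp_metadata_xml)
    return any(acs.get("Binding") == HOK_PROFILE
               for acs in root.iterfind(".//md:AssertionConsumerService", NS))


def loa4_check(auth_method, sp_metadata_xml):
    """The PAS 4.7 rule: an AssertionProvider whose authMethod is LoA4 only serves SPs whose
    metadata shows they can receive holder-of-key assertions. Returns True to proceed."""
    if auth_method != LOA4:
        return True   # not LoA4, so no holder-of-key requirement applies
    return sp_supports_holder_of_key(sp_metadata_xml)
```

Rejecting at this point, before any assertion is built, is the right place for the check: an LoA4 assertion bound to a client certificate is useless to an SP that has no endpoint prepared to validate the holder-of-key confirmation, and issuing it anyway would silently downgrade the assurance the SP believes it is getting.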