SAML SP Tester — Mock Service Provider

1

IDP Metadata

Paste IDP Metadata XML (or upload below)

2

SP Configuration

SP Entity ID *

ACS URL * (auto-populated)

NameID Format

AuthnRequests Signed ?

When checked, this SP will cryptographically sign outgoing AuthnRequests using the key pair configured below. The IDP verifies the signature using the SP certificate published in the SP metadata.

Some IDPs require signed requests — this will be flagged automatically when you parse an IDP metadata that has WantAuthnRequestsSigned="true".

Want Assertions Signed ?

Adds WantAssertionsSigned="true" to the SP metadata. This signals to the IDP that the SP prefers signed assertions, but it is advisory — the IDP decides whether to honour it.

Enabling this does not cause the SP to reject unsigned assertions unless you implement that check separately.

?

Creates a temporary server-side session (30-min TTL) that holds the IDP metadata and SP settings. This session ID is used in Steps 3–5 to generate consistent metadata, requests, and to look up the IDP certificate when the ACS endpoint receives a response.

3

SP Metadata

Register this SP metadata with your IDP. The ACS URL in the metadata must be reachable from the IDP server.

4

Generate AuthnRequest

ForceAuthn ?

Sets ForceAuthn="true" in the AuthnRequest. Instructs the IDP to force the user to re-authenticate, even if an active SSO session already exists.

Useful for testing fresh authentication flows or step-up scenarios.

IsPassive ?

Sets IsPassive="true" in the AuthnRequest. Tells the IDP it must not show any UI (login screens, prompts). If the user is not already authenticated, the IDP returns an error response instead.

Useful for silent authentication checks / single sign-out detection.

AuthnRequest XML — edit freely for negative tests (e.g. remove or tamper with the signature)

5

Send Request to IDP

Binding

RelayState (optional)

Test SAML (Mock SP)