Skip to end of metadata
Go to start of metadata

This guide will show you how to verify a SAML response using the client kit for Java. The example code in this section demonstrates verification of a SAML response in a Spark web application, and the Java client kit contains similar code using regular JSP.

You may download the code in this guide from


Include the Java client kit in your project

The first step is to download the client kit for Java. The lib folder will contain the .jar-files you need, so include them into your project. The client kit also contains more example code.

Create the method which will receive the SAML response

The Verify method

Code walkthrough

  1. String assertion = request.queryParams("SAMLResponse");

    Fetch the base 64 encoded SAML response from the HttpServletRequest.

  2. configuration.setProperty("", "...");

    Set the subject distinguished name of the expected certificate used to sign the SAML response (i.e. the certificate used by Signicat to sign SAML responses). This value will differ between test and production, so make it configurable.

  3. String recipientUrl = request.url();

    A SAML response contains information about the intended recipient of it, i.e. the URL of the method which should receive it. This is a safety mechanism to make sure that you're not verifying SAML responses that were intended for another recipient/application. If this application was running on http://localhost:4567 then the request URL would be http://localhost:4567/verify. (In production you are required to use https.)

  4. SamlResponseData samlResponseData = samlFacade.readSamlResponse(assertion, new URL(recipientUrl));

    The readSamlResponse method expects the base 64 encoded SAML response and the previously constructed recipient URL. If successful, the SamlResponseData will contain a set of all the attributes in the SAML response. If unsuccessful, it will throw an exception and the exception message will tell you why.

  5. for(SamlResponseData.Attribute attribute : samlResponseData.getAttributes())

    You may iterate over the attributes in the response, or you may use SamlResponseData.getSubjectName() to retrieve information about the subject. The code you write here will depend on what id method is in use and which information you are interested in. See example SAML responses for different id providers here.

  6. response.cookie("nationalid", nationalId, 3600, true);

    Demo code. Most likely you want to map a national identity number of a person to some kind of user id in your application. You are not required nor encouraged to use the national identity number in your cookies.

  7. response.redirect("/granted");

    Authentication is complete and you may redirect the user to wherever you'd like.


Error situations

The following exceptions are not uncommonly produced when verifying the SAML response:

  1. ScResponseException – A type of exception which occurs when the SAML response indicates an invalid authentication, for example if the authentication process was cancelled or the user´s certificate expired.
  2. ScSecurityException – A type of exception related to security, i.e. expired SAML responses, incorrect recipient, problems verifying the certificate information etc.

Full example code