The Security
Assertion Markup Language (SAML) specification defines formats and protocols that enable
applications to exchange XML-formatted information for authentication and authorization.
Apigee API Services enables you to authenticate and authorize apps that are capable of
presenting SAML tokens. A SAML token is a digitally signed fragment of XML that presents a set of
"assertions". These assertions can be used to enforce authentication and authorization.
To use SAML terminology, API Services can function as a service provider (SP) or an Identity
Provider (IDP). When API Services validates SAML tokens on inbound requests from apps, it acts in
the role of SP. (API Services can also act in the IDP role, when generating SAML tokens to be used
when communicating with backend services. See
Last-mile security).
The SAML policy type enables API proxies to validate SAML assertions that are attached to
inbound SOAP requests. The SAML policy validates incoming messages that contain a
digitally-signed SAML assertion, rejects them if they are invalid, and sets variables that allow
additional policies, or the backend services itself, to further validate the information in the
assertion.
To validate SAML tokens, you need to make digital certificates available to the SAML policy by
creating at least one TrustStore. TrustStores are scoped to environments in your organizations.
Thus, you can configure different trust chains in test and prod, ensuring that test SAML tokens
cannot be used in prod, and vice-versa.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eApigee API Services supports the authentication and authorization of apps using SAML tokens, which are digitally signed XML fragments containing assertions.\u003c/p\u003e\n"],["\u003cp\u003eApigee can function as either a service provider (SP) to validate SAML tokens from apps or as an Identity Provider (IDP) to generate SAML tokens for backend services.\u003c/p\u003e\n"],["\u003cp\u003eThe SAML policy in Apigee allows API proxies to validate SAML assertions within inbound SOAP requests, rejecting invalid ones and enabling further validation.\u003c/p\u003e\n"],["\u003cp\u003eValidating SAML tokens in Apigee requires the use of TrustStores, which are environment-specific collections of digital certificates for managing trust chains.\u003c/p\u003e\n"]]],[],null,["# Using SAML policies in an API proxy\n\n*This page\napplies to **Apigee** and **Apigee hybrid**.*\n\n\n*View [Apigee Edge](https://docs.apigee.com/api-platform/get-started/what-apigee-edge) documentation.*\n\nSecurity Assertion Markup Language (SAML)\n-----------------------------------------\n\nThe [Security\nAssertion Markup Language (SAML)](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) specification defines formats and protocols that enable\napplications to exchange XML-formatted information for authentication and authorization.\n\nApigee API Services enables you to authenticate and authorize apps that are capable of\npresenting SAML tokens. A SAML token is a digitally signed fragment of XML that presents a set of\n\"assertions\". These assertions can be used to enforce authentication and authorization.\n\nTo use SAML terminology, API Services can function as a service provider (SP) or an Identity\nProvider (IDP). When API Services validates SAML tokens on inbound requests from apps, it acts in\nthe role of SP. (API Services can also act in the IDP role, when generating SAML tokens to be used\nwhen communicating with backend services. See\n[Last-mile security](/apigee/docs/api-platform/security/last-mile-security)).\n\nThe SAML policy type enables API proxies to validate SAML assertions that are attached to\ninbound SOAP requests. The SAML policy validates incoming messages that contain a\ndigitally-signed SAML assertion, rejects them if they are invalid, and sets variables that allow\nadditional policies, or the backend services itself, to further validate the information in the\nassertion.\n\nTo validate SAML tokens, you need to make digital certificates available to the SAML policy by\ncreating at least one TrustStore. TrustStores are scoped to environments in your organizations.\nThus, you can configure different trust chains in test and prod, ensuring that test SAML tokens\ncannot be used in prod, and vice-versa.\n\nFor details on SAML validation, see\n[SAML Assertion\npolicies](/apigee/docs/api-platform/reference/policies/saml-assertion-policy)."]]
