Security Assertion Markup Language (SAML) is an open standard for securely exchanging information about identities.

Your service must use a system to send SAML messages to the Verify Hub and receive SAML responses in return. This system is known as a Service Provider.

You can either:

  • use a Service Provider built by Verify, known as the Verify Service Provider (recommended)
  • configure an off-the-shelf product to use as a Service Provider
  • build your own Service Provider

Whatever option you choose, you must run SAML compliance tests to check you can send and receive SAML messages successfully.

Verify Service Provider

Refer to the documentation on GitHub to find out how to download, configure and use the Verify Service Provider.

You can use the Verify Service Provider to:

  • generate a SAML (AuthnRequest) request to send to the Verify Hub
  • translate the SAML response from the Verify Hub into JSON

You must host the Verify Service Provider on your own infrastructure. You can connect multiple services to one instance.

To use the Verify Service Provider, you need to have:

Use or build a different Service Provider

If you choose to configure an off-the-shelf product or build your own Service Provider, you should contact Verify before starting any development work.

You must:

This means you must:

  • consume Verify Hub signing certificates directly from the Verify Hub metadata
  • consume MSA signing certificates metadata from your Matching Service Adapter (MSA) metadata, or support multiple MSA signing certificates directly in your service
  • support multiple encryption keys for your service

You must also follow:

The SAML profile used by GOV.UK Verify builds on the OASIS documentation for the SAML 2.0 standard.