
SAML Reference

Endpoints

Live realm (clickid)

Endpoint             URL
IdP metadata         https://auth.clickid.eu/realms/clickid/protocol/saml/descriptor
SSO (HTTP-Redirect)  https://auth.clickid.eu/realms/clickid/protocol/saml
SSO (HTTP-POST)      https://auth.clickid.eu/realms/clickid/protocol/saml
SLO (HTTP-Redirect)  https://auth.clickid.eu/realms/clickid/protocol/saml

Sandbox realm (clickid-sandbox)

Endpoint             URL
IdP metadata         https://auth.clickid.eu/realms/clickid-sandbox/protocol/saml/descriptor
SSO (HTTP-Redirect)  https://auth.clickid.eu/realms/clickid-sandbox/protocol/saml
SSO (HTTP-POST)      https://auth.clickid.eu/realms/clickid-sandbox/protocol/saml
SLO (HTTP-Redirect)  https://auth.clickid.eu/realms/clickid-sandbox/protocol/saml

Always fetch metadata

Do not hardcode endpoint URLs. Fetch the IdP metadata XML and let your SAML library parse it. This ensures you pick up any future endpoint or key changes automatically.


NameID

Property       Value
Format         urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
Length         24 characters
Character set  URL-safe base64 (A–Z, a–z, 0–9, -, _)
Stability      Identical across sessions for the same (user, SP) pair
Scope          Per-SP — different SPs receive different values for the same user

Example NameID value:

aB3kXmQ9nL7rPwT2vYcZ0s4u

The NameID is the only user identifier you will receive. ClickID does not issue BSN values. Store it in your application as the primary user key.


Response signing

Property              Value
What is signed        The <samlp:Response> element (response-level signing)
Algorithm             http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
Digest algorithm      http://www.w3.org/2001/04/xmlenc#sha256
Key size              RSA 2048-bit
Certificate           Embedded in IdP metadata <KeyDescriptor use="signing">
Assertion signing     Not separately signed (response-level signing covers the assertion)
Assertion encryption  Not encrypted (use TLS for transport security)

Validate the signature

Always validate the SAML Response signature in your SP implementation. Never process an unsigned or invalid-signature response.

Your SAML library will do this automatically if you provide it with the IdP signing certificate from the IdP metadata. Fetch the metadata and keep it up to date.


AuthnRequest requirements

ClickID accepts both signed and unsigned AuthnRequest messages.

Property                Requirement
Signing (AuthnRequest)  Optional; recommended for production
Binding                 HTTP-Redirect only
ForceAuthn              Honoured — forces re-authentication even with an active session
IsPassive               Honoured — returns an error if there is no active session
RequestedAuthnContext   Ignored — ClickID always applies the substantial assurance policy
NameIDPolicy Format     Must be urn:oasis:names:tc:SAML:2.0:nameid-format:persistent or omitted

Attributes in the assertion

The SAML assertion contains the following attribute statements in addition to the NameID:

Attribute name         Format                                           Value
urn:clickid:assurance  urn:oasis:names:tc:SAML:2.0:attrname-format:uri  substantial

The assurance level substantial indicates the user authenticated with a second factor (TOTP or passkey), equivalent to eIDAS Level of Assurance Substantial.

In the sandbox realm (where TOTP is not required), the value is low for password-only authentication.


Sample SAML AuthnRequest

This is a minimal unsigned AuthnRequest using HTTP-Redirect binding. In practice, your SAML library generates this automatically.

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123def456"
    Version="2.0"
    IssueInstant="2025-06-01T10:00:00Z"
    Destination="https://auth.clickid.eu/realms/clickid/protocol/saml"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://yourapp.example.com/saml/acs">

  <saml:Issuer>https://yourapp.example.com/saml/metadata</saml:Issuer>

  <samlp:NameIDPolicy
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      AllowCreate="true"/>

</samlp:AuthnRequest>

For HTTP-Redirect binding, the AuthnRequest XML is deflated (RFC 1951), base64-encoded, and URL-encoded as the SAMLRequest query parameter.
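The encoding just described, applied to the page's sample AuthnRequest, as an added example (not ClickID's code or any SAML library's). The RelayState value is a constructed placeholder; a signed redirect would additionally carry SigAlg and Signature query parameters, which are not shown.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

SSO_REDIRECT = "https://auth.clickid.eu/realms/clickid/protocol/saml"

# The page's minimal unsigned AuthnRequest (the optional XML declaration is dropped).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123def456" Version="2.0" IssueInstant="2025-06-01T10:00:00Z"
    Destination="https://auth.clickid.eu/realms/clickid/protocol/saml"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://yourapp.example.com/saml/acs">
  <saml:Issuer>https://yourapp.example.com/saml/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true"/>
</samlp:AuthnRequest>"""


def deflate_b64(xml_text: str) -> str:
    """Raw DEFLATE (RFC 1951) followed by base64, as the HTTP-Redirect binding requires."""
    # wbits=-15 yields a raw DEFLATE stream; plain zlib.compress() would prepend the
    # RFC 1950 zlib header and append an Adler-32 checksum, which IdPs reject.
    comp = zlib.compressobj(level=9, wbits=-15)
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")


def inflate_b64(value: str) -> str:
    """Inverse of deflate_b64, useful when inspecting what a redirect URL carries."""
    return zlib.decompress(base64.b64decode(value), wbits=-15).decode("utf-8")


def build_redirect_url(sso_url: str, xml_text: str, relay_state: str = "") -> str:
    """Build the redirect URL; urlencode() percent-encodes the '+', '/' and '=' of base64."""
    params = {"SAMLRequest": deflate_b64(xml_text)}
    if relay_state:
        params["RelayState"] = relay_state  # opaque state token; keep it short and non-sensitive
    return f"{sso_url}?{urlencode(params)}"


def decode_redirect_url(url: str) -> str:
    """Recover the AuthnRequest XML from a redirect URL (e.g. while debugging an SP)."""
    return inflate_b64(parse_qs(urlsplit(url).query)["SAMLRequest"][0])
```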


Sample SAML Response (abridged)

This is an abridged example of the Response that ClickID returns via HTTP-POST to your ACS URL.

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_response123"
    Version="2.0"
    IssueInstant="2025-06-01T10:00:05Z"
    Destination="https://yourapp.example.com/saml/acs"
    InResponseTo="_abc123def456">

  <saml:Issuer>https://auth.clickid.eu/realms/clickid</saml:Issuer>

  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <!-- RSA-SHA256 signature over the Response element -->
    <!-- ... signature XML omitted for brevity ... -->
  </ds:Signature>

  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>

  <saml:Assertion
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_assertion456"
      Version="2.0"
      IssueInstant="2025-06-01T10:00:05Z">

    <saml:Issuer>https://auth.clickid.eu/realms/clickid</saml:Issuer>

    <saml:Subject>
      <saml:NameID
          Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          SPNameQualifier="https://yourapp.example.com/saml/metadata">
        aB3kXmQ9nL7rPwT2vYcZ0s4u
      </saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            NotOnOrAfter="2025-06-01T10:05:05Z"
            Recipient="https://yourapp.example.com/saml/acs"
            InResponseTo="_abc123def456"/>
      </saml:SubjectConfirmation>
    </saml:Subject>

    <saml:Conditions
        NotBefore="2025-06-01T09:59:35Z"
        NotOnOrAfter="2025-06-01T10:05:05Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://yourapp.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>

    <saml:AuthnStatement AuthnInstant="2025-06-01T10:00:05Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>
          urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
        </saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>

    <saml:AttributeStatement>
      <saml:Attribute
          Name="urn:clickid:assurance"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>substantial</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>

  </saml:Assertion>
</samlp:Response>

Assertion validity window

Assertions are valid for 5 minutes (NotOnOrAfter minus IssueInstant). Your SP must validate the NotOnOrAfter condition and reject expired assertions. Most SAML libraries do this automatically.
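The checks an SP has to make on the Response above once the signature has been verified (validity window, audience, InResponseTo, Destination/Recipient, issuer, status and NameID format), as an added example that is not ClickID's code or any library's. It assumes the XML signature was already verified by a SAML/xmlsec library against the metadata signing certificate; the embedded Response is a condensed copy of the page's abridged sample with the ds:Signature element omitted, and the 30-second clock-skew allowance is an assumed value.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Condensed copy of the page's abridged Response; ds:Signature omitted (verified earlier by the SAML library).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_response123" Version="2.0" IssueInstant="2025-06-01T10:00:05Z" Destination="https://yourapp.example.com/saml/acs" InResponseTo="_abc123def456">
 <saml:Issuer>https://auth.clickid.eu/realms/clickid</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_assertion456" Version="2.0" IssueInstant="2025-06-01T10:00:05Z"><saml:Issuer>https://auth.clickid.eu/realms/clickid</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">aB3kXmQ9nL7rPwT2vYcZ0s4u</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2025-06-01T10:05:05Z"
    Recipient="https://yourapp.example.com/saml/acs" InResponseTo="_abc123def456"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2025-06-01T09:59:35Z" NotOnOrAfter="2025-06-01T10:05:05Z"><saml:AudienceRestriction>
   <saml:Audience>https://yourapp.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="urn:clickid:assurance" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
   <saml:AttributeValue>substantial</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def saml_time(value: str) -> datetime:
    # SAML timestamps are UTC with a trailing "Z"; fromisoformat accepts "Z" only from Python 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text, acs_url, sp_entity_id, idp_entity_id, request_id, now, skew=timedelta(seconds=30)):
    # Returns (name_id, assurance) or raises ValueError; call only after the signature was verified.
    r = ET.fromstring(xml_text)
    a = r.find("saml:Assertion", NS)
    if a is None or len(r.findall("saml:Assertion", NS)) != 1:
        raise ValueError("expected exactly one Assertion")
    status, cond = r.find("samlp:Status/samlp:StatusCode", NS), a.find("saml:Conditions", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if status is None or cond is None or scd is None or name_id is None:
        raise ValueError("missing StatusCode, Conditions, SubjectConfirmationData or NameID")
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    checks = [
        (r.get("Destination") == acs_url == scd.get("Recipient"), "Destination/Recipient is not our ACS URL"),
        (r.get("InResponseTo") == request_id == scd.get("InResponseTo"), "InResponseTo mismatch (unsolicited or replayed)"),
        (status.get("Value") == SUCCESS, "status is not Success"),
        (r.findtext("saml:Issuer", namespaces=NS) == idp_entity_id == a.findtext("saml:Issuer", namespaces=NS), "unexpected issuer"),
        (saml_time(cond.get("NotBefore")) - skew <= now < saml_time(cond.get("NotOnOrAfter")) + skew, "outside validity window"),
        (now < saml_time(scd.get("NotOnOrAfter")) + skew, "bearer confirmation expired"),
        (sp_entity_id in audiences, "audience mismatch"),
        (name_id.get("Format") == PERSISTENT, "NameID format must be persistent"),
    ]
    for ok, msg in checks:
        if not ok:
            raise ValueError(msg)
    return name_id.text.strip(), a.findtext("saml:AttributeStatement/saml:Attribute[@Name='urn:clickid:assurance']/saml:AttributeValue", namespaces=NS)
```

Track consumed assertion IDs for at least the validity window so a captured Response cannot be replayed within the five minutes it remains valid.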