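---
# Naftiko capability spec: SAML 2.0 Single Sign-On.
#
# Layout:
#   binds                -> pulls SAML_IDP_BASE_URL from the environment
#   capability.consumes  -> the upstream SAML HTTP-binding endpoints, resolved
#                           relative to that base URL
#   capability.exposes   -> a REST facade (port 8080) and an MCP server (port
#                           9080) that forward to the consumed operations
#
# Every exposed operation forwards the SAML message it receives and returns the
# upstream body verbatim (outputRawFormat: xml, mapping: $.). No assertion
# validation (XML signature, Audience, InResponseTo, NotBefore/NotOnOrAfter,
# replay) is expressed in this file; whatever enforces it must sit in the
# upstream the base URL points at or in the caller.
naftiko: 1.0.0-alpha2

info:
  label: SAML 2.0 Single Sign-On
  description: >-
    SAML 2.0 Single Sign-On workflow capability implementing the complete SSO
    lifecycle: SP-initiated SSO via HTTP Redirect Binding and HTTP POST Binding,
    Assertion Consumer Service (ACS) processing, Single Logout (SLO), and
    metadata exchange. Designed for identity and access management engineers
    integrating SAML-based federation between Identity Providers and Service
    Providers.
  tags:
    - Authentication
    - Federation
    - Identity Management
    - OASIS
    - SAML
    - Security
    - Single Sign-On
    - SSO
  # Dates are quoted so YAML 1.1 loaders keep them as strings, not timestamps.
  created: '2026-05-02'
  modified: '2026-05-06'

binds:
  # The only external input: the IdP base URL, taken from the process environment.
  - namespace: env
    keys:
      SAML_IDP_BASE_URL: SAML_IDP_BASE_URL

capability:
  consumes:
    - type: http
      namespace: saml-sso
      baseUri: '{{SAML_IDP_BASE_URL}}'
      description: SAML 2.0 Identity Provider HTTP Bindings endpoints
      resources:
        # HTTP Redirect Binding (SAML Bindings 3.4): the request travels in the
        # query string, so the request parameters are declared as query inputs.
        - name: sso-redirect
          path: /saml/sso/redirect
          description: SAML 2.0 SSO HTTP Redirect Binding for AuthnRequest initiation
          operations:
            - name: sso-redirect-binding
              method: GET
              description: SSO HTTP Redirect Binding - Initiate SAML 2.0 SSO via HTTP Redirect
              inputParameters:
                - name: SAMLRequest
                  in: query
                  type: string
                  required: true
                  description: Deflated, base64-encoded, URL-encoded SAML AuthnRequest XML
                - name: RelayState
                  in: query
                  type: string
                  required: false
                  description: Opaque SP state reference (max 80 bytes)
                # SigAlg and Signature are optional here, so this definition also
                # admits unsigned AuthnRequests; whether those are accepted is the
                # upstream IdP's policy, not something this spec enforces.
                - name: SigAlg
                  in: query
                  type: string
                  required: false
                  # Quoted: the value contains a URL with '#', which is safe as a
                  # plain scalar only while no space precedes the '#'.
                  description: 'Algorithm URI for signature (e.g., http://www.w3.org/2001/04/xmldsig-more#rsa-sha256)'
                - name: Signature
                  in: query
                  type: string
                  required: false
                  description: Base64-encoded URL-encoded digital signature over SAMLRequest and RelayState
              outputRawFormat: xml
              outputParameters:
                - name: result
                  type: object
                  value: $.

        # HTTP POST Binding (SAML Bindings 3.5): the message is a form field.
        # NOTE(review): the form templates reference `tools.*`, while the REST
        # exposure below binds `rest.*` via `with:` — confirm with the Naftiko
        # runtime that `with:` values reach these templates regardless of the
        # calling namespace.
        - name: sso-post
          path: /saml/sso/post
          description: SAML 2.0 SSO HTTP POST Binding
          operations:
            - name: sso-post-binding
              method: POST
              description: SSO HTTP POST Binding - Submit SAML AuthnRequest or receive IdP Response
              outputRawFormat: xml
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: form
                data:
                  SAMLRequest: '{{tools.SAMLRequest}}'
                  RelayState: '{{tools.RelayState}}'

        # NOTE(review): in SAML 2.0 the Assertion Consumer Service is a Service
        # Provider endpoint, but here it is resolved relative to
        # SAML_IDP_BASE_URL like the IdP bindings — confirm the upstream really
        # hosts an ACS at this path, or whether it should bind to an SP base URL.
        - name: acs
          path: /saml/acs
          description: Assertion Consumer Service (ACS) endpoint for receiving SAML Responses
          operations:
            - name: assertion-consumer-service
              method: POST
              description: Assertion Consumer Service (ACS) - Receive and process SAML Response
              outputRawFormat: xml
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: form
                data:
                  SAMLResponse: '{{tools.SAMLResponse}}'
                  RelayState: '{{tools.RelayState}}'

        # Single Logout over the Redirect Binding. Both SAMLRequest (LogoutRequest)
        # and SAMLResponse (LogoutResponse) are optional so one operation can
        # either initiate logout or receive the peer's reply.
        - name: slo
          path: /saml/slo
          description: Single Logout (SLO) HTTP Redirect Binding
          operations:
            - name: slo-redirect-binding
              method: GET
              description: SLO HTTP Redirect Binding - Initiate or receive SAML Single Logout
              inputParameters:
                - name: SAMLRequest
                  in: query
                  type: string
                  required: false
                  description: LogoutRequest XML (deflated and base64-encoded)
                - name: SAMLResponse
                  in: query
                  type: string
                  required: false
                  description: LogoutResponse XML (deflated and base64-encoded)
                - name: RelayState
                  in: query
                  type: string
                  required: false
                  description: Opaque SP state reference
              outputRawFormat: xml
              outputParameters:
                - name: result
                  type: object
                  value: $.

        # Metadata exchange: the EntityDescriptor is returned as raw XML.
        - name: metadata
          path: /saml/metadata
          description: SAML 2.0 EntityDescriptor metadata endpoint
          operations:
            - name: get-metadata
              method: GET
              description: SAML 2.0 Metadata Endpoint - Retrieve EntityDescriptor XML
              outputRawFormat: xml
              outputParameters:
                - name: result
                  type: object
                  value: $.

  exposes:
    # REST facade. Each operation maps its own request parameters (rest.*) onto
    # the consumed operation's inputs via `with:` and returns the upstream body.
    # Key order (name, path, description / name, method, description) follows
    # the `consumes` section so the two halves read the same way.
    - type: rest
      port: 8080
      namespace: single-sign-on-api
      description: Unified REST API for SAML 2.0 Single Sign-On workflow implementation.
      resources:
        - name: sso-redirect
          path: /v1/sso/redirect
          description: Initiate SP-to-IdP SSO using HTTP Redirect Binding
          operations:
            - name: initiate-sso-redirect
              method: GET
              description: Initiate SAML SSO via HTTP Redirect Binding
              call: saml-sso.sso-redirect-binding
              with:
                SAMLRequest: rest.SAMLRequest
                RelayState: rest.RelayState
                SigAlg: rest.SigAlg
                Signature: rest.Signature
              outputParameters:
                - type: object
                  mapping: $.

        - name: sso-post
          path: /v1/sso/post
          description: Initiate SP-to-IdP SSO using HTTP POST Binding
          operations:
            - name: initiate-sso-post
              method: POST
              description: Submit SAML AuthnRequest via HTTP POST Binding
              call: saml-sso.sso-post-binding
              with:
                SAMLRequest: rest.SAMLRequest
                RelayState: rest.RelayState
              outputParameters:
                - type: object
                  mapping: $.

        # RelayState is passed through untouched; anything that later redirects
        # on it must treat it as untrusted caller input.
        - name: acs
          path: /v1/acs
          description: Assertion Consumer Service - process incoming SAML Responses from IdP
          operations:
            - name: process-saml-response
              method: POST
              description: Process SAML Response at Assertion Consumer Service
              call: saml-sso.assertion-consumer-service
              with:
                SAMLResponse: rest.SAMLResponse
                RelayState: rest.RelayState
              outputParameters:
                - type: object
                  mapping: $.

        - name: slo
          path: /v1/slo
          description: Single Logout - initiate or receive SAML logout
          operations:
            - name: initiate-slo
              method: GET
              description: Initiate or process SAML Single Logout
              call: saml-sso.slo-redirect-binding
              with:
                SAMLRequest: rest.SAMLRequest
                SAMLResponse: rest.SAMLResponse
                RelayState: rest.RelayState
              outputParameters:
                - type: object
                  mapping: $.

        - name: metadata
          path: /v1/metadata
          description: SAML EntityDescriptor metadata for federation configuration
          operations:
            - name: get-idp-metadata
              method: GET
              description: Retrieve SAML EntityDescriptor metadata from Identity Provider
              call: saml-sso.get-metadata
              outputParameters:
                - type: object
                  mapping: $.

    # MCP server. Tool inputs are bound from tools.* via `with:`; `hints` carry
    # the tool annotations shown to an MCP client.
    - type: mcp
      port: 9080
      namespace: single-sign-on-mcp
      transport: http
      description: MCP server for AI-assisted SAML SSO configuration and troubleshooting.
      tools:
        - name: initiate-sso-redirect
          description: Initiate SAML 2.0 SSO using the HTTP Redirect Binding with a deflated AuthnRequest
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: saml-sso.sso-redirect-binding
          with:
            SAMLRequest: tools.SAMLRequest
            RelayState: tools.RelayState
            SigAlg: tools.SigAlg
            Signature: tools.Signature
          outputParameters:
            - type: object
              mapping: $.

        - name: initiate-sso-post
          description: Initiate SAML 2.0 SSO using the HTTP POST Binding with a base64-encoded AuthnRequest
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: saml-sso.sso-post-binding
          with:
            SAMLRequest: tools.SAMLRequest
            RelayState: tools.RelayState
          outputParameters:
            - type: object
              mapping: $.

        # NOTE(review): an ACS that enforces assertion replay protection rejects
        # a second submission of the same SAMLResponse, so `idempotent: true`
        # may overstate this tool — confirm against the upstream's behaviour and
        # the Naftiko hint semantics.
        - name: process-acs-response
          description: Process an incoming SAML Response at the Assertion Consumer Service endpoint
          hints:
            readOnly: false
            destructive: false
            idempotent: true
          call: saml-sso.assertion-consumer-service
          with:
            SAMLResponse: tools.SAMLResponse
            RelayState: tools.RelayState
          outputParameters:
            - type: object
              mapping: $.

        # Unlike the REST `initiate-slo` operation, this tool binds only
        # SAMLRequest (initiate), not SAMLResponse; presumably intentional given
        # the tool name — verify if MCP clients also need to relay a LogoutResponse.
        - name: initiate-single-logout
          description: Initiate SAML Single Logout via HTTP Redirect Binding
          hints:
            readOnly: false
            destructive: false
            idempotent: true
          call: saml-sso.slo-redirect-binding
          with:
            SAMLRequest: tools.SAMLRequest
            RelayState: tools.RelayState
          outputParameters:
            - type: object
              mapping: $.

        # Read-only: fetches the EntityDescriptor. `openWorld: true` records that
        # the result comes from an external party; the other tools also call the
        # external IdP but leave that hint unset.
        - name: get-idp-metadata
          description: Retrieve SAML 2.0 EntityDescriptor metadata from the Identity Provider for federation setup
          hints:
            readOnly: true
            openWorld: true
          call: saml-sso.get-metadata
          outputParameters:
            - type: object
              mapping: $.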