{
  "description": "Example of SAML 2.0 SP-initiated SSO using HTTP Redirect Binding (Section 3.4 of saml-bindings-2.0-os)",
  "request": {
    "method": "GET",
    "url": "https://idp.example.com/saml/sso/redirect",
    "headers": {
      "Accept": "text/html,application/xhtml+xml"
    },
    "parameters": {
      "SAMLRequest": "fZFBa4NAEIV%2FyzLXXVddo2yFoC1JDi1BSe4ly0SXSdzVnbH02zeBkEJKj8%2FMe8M3...",
      "RelayState": "a1b2c3d4e5",
      "SigAlg": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
      "Signature": "Nk7MGwCMH8LRtCxY3T..."
    },
    "notes": [
      "SAMLRequest is the deflated, base64-encoded, URL-encoded AuthnRequest XML",
      "RelayState is an opaque value maintained by the SP (max 80 bytes)",
      "SigAlg and Signature are required when signing the redirect request",
      "The IdP processes the AuthnRequest and redirects back to the ACS URL with a SAMLResponse"
    ]
  },
  "response": {
    "status": 302,
    "headers": {
      "Location": "https://sp.example.com/saml/acs?SAMLResponse=...&RelayState=a1b2c3d4e5",
      "Content-Type": "text/html"
    },
    "notes": "After authenticating the user, the IdP POSTs a SAMLResponse to the SP's Assertion Consumer Service (ACS) URL"
  },
  "samlRequest": {
    "decoded": {
      "Version": "2.0",
      "ID": "_bec424fa5103428909a30ff1e31168327f79474924",
      "IssueInstant": "2026-05-02T10:00:00Z",
      "Destination": "https://idp.example.com/saml/sso/redirect",
      "AssertionConsumerServiceURL": "https://sp.example.com/saml/acs",
      "Issuer": "https://sp.example.com/metadata",
      "NameIDPolicy": {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "AllowCreate": true
      }
    }
  }
}