HAProxy Enterprise Documentation 2.2r1

SAML Component Overview

This section provides an overview of HAProxy Enterprise SAML module.

About SAML 2.0

The XML-based Security Assertion Markup Language (SAML) 2.0 open-standard transfers identity data (assertions) between an Identity Provider (IdP) and a Service Provider (SP).

Identity Provider

Performs authentication on the Service Provider's behalf.

Service Provider

Authorizes users to access the requested resource once they are authenticated by a trusted Identity Provider.

About HAProxy Enterprise SAML module

HAProxy Enterprise SAML module acts as a SAML Service Provider. It provides SP-initiated cross-domain web single-sign-on (SSO) to any web application located behind an HAProxy Enterprise server. You thus don't have to implement SAML directly in your application.

In an SP-initiated SSO flow, the Service Provider creates an Authentication Request (AuthnRequest) and redirects the user to the Identity Provider.

HAProxy Enterprise SAML module checks user credentials against an Identity Provider such as Azure Active Directory, either on-premises or in the cloud.


HAProxy Enterprise SAML module then grants or denies access to web applications based on SAML assertions sent by the Identity Provider.


  • Implement SSO seamlessly, even for legacy web applications

  • Configure logging and grant access using HAProxy Enterprise ACL capabilities

  • Check SAML assertions or attributes with XPath (via the saml.ini file)

  • Retrieve SAML assertions and use them as HAProxy Enterprise variables. For example, you can then:

    • Enhance logs

    • Pass user information to the application via HTTP headers


HAProxy Enterprise SAML module uses the Stream Processing Offload Engine to expand the functionalities of HAProxy Enterprise. It communicates with HAProxy Enterprise using the Stream Processing Offload Protocol.


  1. A user visits a web application that has HAProxy Enterprise in front of it.

  2. HAProxy Enterprise redirects the user's browser to the SAML Identity Provider via HAProxy Enterprise SAML module.

  3. The user signs on, and the Identity Provider validates credentials. Then the IdP redirects the user back to HAProxy Enterprise SAML module.

  4. HAProxy Enterprise SAML module relays the user's browser to the web application. An HTTP cookie ensures that the user will not need to log in again during their session.

Next up

Debugging SAML