The security binding subtype for specifying the use of a SAML assertion as a message security token. The SAML token is expected to be presented to a service in a WS-Security header according to the bindingUsage specified. This security binding may be included in a security description only on the server side.

Only one instance of this binding may be present in a security description. This security binding is not supported with the WS_NAMEDPIPE_CHANNEL_BINDING.

For a federated security scenario that involves getting a security token from an issuer and then presenting it to a service, one may use WsRequestSecurityToken together with the WS_XML_TOKEN_MESSAGE_SECURITY_BINDING on the client side, and this binding on the server side.

The extent of validation performed on the received SAML depends on the authenticator specified. If additional validation is required, the application may get the received SAML assertion using WsGetMessageProperty with the key WS_MESSAGE_PROPERTY_SAML_ASSERTION and do further processing.

With this security binding, no security binding properties may be specified:


  WS_SECURITY_BINDING       binding;
  WS_SAML_AUTHENTICATOR*    authenticator;



The base type from which this security binding subtype and all other security binding subtypes derive.


How the security token corresponding to this security binding should be bound to a message.

Only WS_SUPPORTING_MESSAGE_SECURITY_USAGE is supported. With this usage, this security binding provides client authentication, but not message protection (such as signing, encryption, replay detection). Thus, this binding must be used together with another security binding such as the WS_SSL_TRANSPORT_SECURITY_BINDING that provides a protected channel.

To use this binding on HTTP without SSL, the security description property WS_SECURITY_PROPERTY_TRANSPORT_PROTECTION_LEVEL must be explicitly set to WS_PROTECTION_LEVEL_NONE. This is not supported on the client or on TCP.


The authenticator for validating incoming SAML tokens. This field is required.


Minimum supported client

Windows 7 [desktop apps only]

Minimum supported server

Windows Server 2008 R2 [desktop apps only]