We strongly recommend choosing OpenID Connect (OIDC) over SAML due to its modern, API-centric design and support for native mobile applications.

Getting started

SAML is an established standard, but can be a bit complex. We recommend looking for and using a SAML library for your language before developing your own.

Configuration

Here are values needed to configure your service provider (SP) to work with Login.gov:

NameID Format

The NameID is the unique identifier used to identify a user across multiple sessions. The format is the standard v4 random UUID (Universally Unique Identifier) in compliance with RFC 4122.

For example:
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>

Login service URL and Binding

This is the endpoint where authentication requests are sent to Login.gov (aka Single Sign-on Service).

For example:
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.int.identitysandbox.gov/api/saml/auth2026"/>

Logout service URL and Binding

The single logout service URL is used to contact the Single logout profile (aka Single Logout Service).

For example:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.int.identitysandbox.gov/api/saml/logout2026" />

x509 Public Certificate

The public certificate, a minimum of 2048 bits, is used to validate the authenticity of SAML requests received from Login.gov. We publish this public certificate from our metadata endpoint and below for verification.

Metadata

Consistent with the SAML metadata specification, Login.gov’s metadata for our sandbox environment is available at https://idp.int.identitysandbox.gov/api/saml/metadata2026.

Signing Certificates

Below you can find the X509 certificates used by the Login.gov IdP to sign SAML requests. Do not enter these certificates in the portal when configuring an application for testing; instead, follow the instructions in our testing article to generate a client certificate.

Annual Certificate Rotation

The Login.gov SAML certificate is valid for just over one year. Every spring, Login.gov adds new SAML endpoints with the current year that use a new signing certificate.

  • /api/saml/auth2025 becomes /api/saml/auth2026
  • /api/saml/logout2025 becomes /api/saml/logout2026

The certificates are issued to create an overlap period of about a month, during which all partners using SAML should migrate at their convenience to the new endpoint URLs for the current year.

The 2025 certificates for idp.int.identitysandbox.gov and secure.login.gov each expire on April 1, 2026, so the transition from 2025 to 2026 endpoints should take place in February or March 2026.
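
A drift check for the rotation described above, as an added example (not Login.gov's code): it compares an SP's configured endpoints and NameID format against IdP metadata and reports endpoints still on the previous year's suffix, with the days left before the old certificate expires. The metadata document is a constructed sample built from the sandbox values on this page; the function names, the sp dictionary keys and the entityID placeholder are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import date

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed metadata reduced to the elements shown on this page; entityID is a placeholder.
SAMPLE_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:example:placeholder">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.int.identitysandbox.gov/api/saml/logout2026"/>
  <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.int.identitysandbox.gov/api/saml/auth2026"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""


def idp_values(metadata_xml):
    """Return the SSO URL, SLO URL and NameID format published in IdP metadata."""
    idp = ET.fromstring(metadata_xml).find(MD + "IDPSSODescriptor")
    return {
        "sso_url": idp.find(MD + "SingleSignOnService").get("Location"),
        "slo_url": idp.find(MD + "SingleLogoutService").get("Location"),
        "nameid_format": idp.find(MD + "NameIDFormat").text.strip(),
    }


def endpoint_year(url):
    """Return the year suffix of a rotated endpoint (auth2026 -> 2026), else None."""
    match = re.search(r"/(?:auth|logout)(\d{4})$", url)
    return int(match.group(1)) if match else None


def audit_sp(sp, metadata_xml, today, old_cert_expiry):
    """Compare SP settings with the metadata; return findings (empty list = in sync)."""
    idp, findings = idp_values(metadata_xml), []
    for key in ("sso_url", "slo_url"):
        sp_year, idp_year = endpoint_year(sp[key]), endpoint_year(idp[key])
        if sp_year and idp_year and sp_year < idp_year:
            left = (old_cert_expiry - today).days
            state = "EXPIRED" if left <= 0 else f"{left} days left"
            findings.append(f"{key}: on {sp_year}, metadata has {idp_year} ({state})")
        elif sp[key] != idp[key]:
            findings.append(f"{key}: differs from metadata")
    if sp["nameid_format"] != idp["nameid_format"]:
        findings.append("nameid_format: differs from metadata")
    return findings
```

Run on a schedule with the current date and the expiry date of the certificate the SP still trusts, the check surfaces a missed migration during the overlap period rather than at the first failed login.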

Example application

The Login.gov team has created an example client to speed up your development, all open source in the public domain: identity-saml-sinatra.

Next step: Authentication
