We strongly recommend choosing OpenID Connect (OIDC) over SAML due to its modern, API-centric design and support for native mobile applications.
Getting started
SAML is an established standard, but can be a bit complex. We recommend looking for and using a SAML library for your language before developing your own.
Configuration
Here are values needed to configure your service provider (SP) to work with Login.gov:
NameID Format
The NameID is the unique identifier used to identify a user across multiple sessions. Login.gov uses the persistent NameID format, and the value is a standard version 4 random UUID (Universally Unique Identifier) in compliance with RFC 4122.
For example:
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
Login service URL and Binding
This is the endpoint where authentication requests are sent to Login.gov (aka Single Sign-on Service).
For example:
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.int.identitysandbox.gov/api/saml/auth2025"/>
Logout service URL and Binding
The single logout service URL is the endpoint where logout requests are sent to Login.gov under the Single Logout profile (aka Single Logout Service).
For example:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.int.identitysandbox.gov/api/saml/logout2025" />
x509 Public Certificate
The public certificate (RSA, minimum 2048 bits) is used to validate the signature, and therefore the authenticity, of SAML messages received from Login.gov. We publish this public certificate from our metadata endpoint and below for verification.
Metadata
Consistent with the SAML metadata specification, Login.gov’s metadata for our sandbox environment is available at https://idp.int.identitysandbox.gov/api/saml/metadata2025.
Signing Certificates
Below you can find the X509 certificates used by the Login.gov IdP to sign SAML requests. Do not enter these certificates in the Portal when configuring an application for testing; instead, follow the instructions in our testing article to generate a client certificate.
-----BEGIN CERTIFICATE-----
[certificate body not reproduced on this page; retrieve it from the metadata endpoint above]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[certificate body not reproduced on this page; retrieve it from the metadata endpoint above]
-----END CERTIFICATE-----
Annual Certificate Rotation
The Login.gov SAML certificate is valid for just over one year. Every spring, Login.gov adds new SAML endpoints with the current year that use a new signing certificate.
/api/saml/auth2024 becomes /api/saml/auth2025
/api/saml/logout2024 becomes /api/saml/logout2025
The certificates are issued to create an overlap period of about a month, during which all partners using SAML should migrate at their convenience to the new endpoint URLs for the current year.
The 2024 certificates for idp.int.identitysandbox.gov and secure.login.gov each expire on April 1, 2025. So the transition from 2024 to 2025 endpoints should take place in February or March 2025.
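The following is an added example, not code from Login.gov or the identity-saml-sinatra project. It ties together the Configuration, Metadata and Annual Certificate Rotation sections above: it parses an IdP metadata document of the kind served at the metadata endpoint, pulls out the NameID format, the SSO and SLO endpoints with their bindings, and the signing certificates, and then checks those values against what this page says an SP should expect, including whether a yearly endpoint is still current, due for migration, or past its certificate expiry. The metadata XML, the idp.example.test host and the certificate body are constructed placeholders; the rotation rule (year-Y certificate expires April 1 of Y+1, migrate in February or March of Y+1) is taken from the text and encoded as an assumption.

```python
"""Parse SAML IdP metadata (Login.gov style) and check an SP's expectations.

Standard library only. SAMPLE_METADATA is constructed for this example and is
not Login.gov's metadata; the certificate body is a placeholder string.
"""
import re
import xml.etree.ElementTree as ET
from datetime import date

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like an IdP EntityDescriptor (not real Login.gov data).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/api/saml/metadata2025">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-CERT-BODY-CONSTRUCTED</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/api/saml/logout2025"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/api/saml/auth2025"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

_YEAR_RE = re.compile(r"/api/saml/(?:auth|logout)(\d{4})$")


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the SP-relevant values from an IdP EntityDescriptor."""
    # Metadata fetched over the network is untrusted input: use defusedxml there.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    def services(tag: str) -> list:
        return [(e.get("Binding"), e.get("Location")) for e in idp.findall(f"md:{tag}", NS)]

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # absent 'use' means signing and encryption
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            if c.text:
                certs.append("".join(c.text.split()))  # strip PEM line breaks
    return {
        "entity_id": root.get("entityID"),
        "name_id_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS) if e.text],
        "sso": services("SingleSignOnService"),
        "slo": services("SingleLogoutService"),
        "signing_certs": certs,
    }


def endpoint_year(location: str):
    """Return the year embedded in a yearly auth/logout endpoint, or None."""
    m = _YEAR_RE.search(location)
    return int(m.group(1)) if m else None


def rotation_status(location: str, today: date) -> str:
    """Assumption from the page: the year-Y certificate expires April 1 of Y+1
    and partners should migrate during February or March of Y+1."""
    year = endpoint_year(location)
    if year is None:
        return "unknown"
    if today >= date(year + 1, 4, 1):
        return "expired"
    if today >= date(year + 1, 2, 1):
        return "migrate"
    return "current"


def check_idp_config(meta: dict, today: date) -> list:
    """Return findings where the metadata does not match what an SP expects."""
    findings = []
    if PERSISTENT not in meta["name_id_formats"]:
        findings.append("persistent NameID format not offered")
    if not any(b == REDIRECT for b, _ in meta["sso"]):
        findings.append("no HTTP-Redirect SingleSignOnService")
    if not any(b == POST for b, _ in meta["slo"]):
        findings.append("no HTTP-POST SingleLogoutService")
    if not meta["signing_certs"]:
        findings.append("no signing certificate published")
    for _, loc in meta["sso"] + meta["slo"]:
        status = rotation_status(loc, today)
        if status != "current":
            findings.append(f"{loc}: {status}")
    return findings


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print(meta)
    print(check_idp_config(meta, date.today()) or "no findings")
```

Run the check from a scheduled job against the metadata endpoint and alert on any "migrate" or "expired" finding; that turns the annual rotation from a calendar reminder into a monitored condition, and the binding and NameID checks catch a mis-pasted configuration before it reaches production.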
Example application
The Login.gov team has created an example client to speed up your development, all open source in the public domain: identity-saml-sinatra.