
Table of contents
A SAML proxy is a component that handles SAML on behalf of something else. The important question is what that something else is. There are two different patterns, and they solve different problems.
The two SAML proxy patterns
Pattern 1: application-side SAML proxy
A reverse proxy sits in front of one or more applications and acts as the SAML service provider. Microsoft Entra ID, Okta, Ping, ADFS, Shibboleth, or another identity provider sends the SAML assertion to the proxy. The proxy validates the assertion, establishes a session, and forwards authenticated identity to the application through trusted headers.
This is the pattern teams use when the application cannot handle SAML itself. The application may be legacy, homegrown, vendor-managed, or header-based. It does not need to parse XML, rotate certificates, or implement SAML login flows.
Pattern 2: identity-side SAML proxy or broker
An identity-side proxy sits between identity systems. It may present a SAML IdP interface to applications while authenticating users through OIDC behind the scenes, or it may broker federation between institutions. Keycloak identity brokering and SATOSA-style federation are examples of this category.
Use this second pattern when your mismatch is between identity systems. Use the first pattern when the application is the thing that cannot speak SAML.
How an application-side SAML proxy works
- A user opens the protected application URL.
- The proxy intercepts the request before the application sees it.
- The proxy redirects the user to the identity provider with a SAML authentication request.
- The identity provider authenticates the user, applies MFA or conditional access policy, and posts a signed SAML assertion back to the proxy.
- The proxy validates the assertion signature, audience, recipient, timestamps, and other SAML conditions.
- The proxy creates an application session and forwards approved traffic with trusted identity headers.
The trust boundary matters. The application should only be reachable through the proxy, so users cannot bypass the proxy and spoof identity headers directly.
When a SAML proxy is the right tool
- Legacy and homegrown applications that have their own login pages but no native SAML support.
- Header-based applications moving away from older web access management products such as SiteMinder or Oracle Access Manager.
- Vendor applications that cannot be modified, but still need enterprise SSO and MFA.
- Many applications that would otherwise require separate SAML implementation, certificate rotation, and metadata handling.
- Mixed environments where some identity connections are SAML and others are OIDC.
When it is not the right tool
If you are building a new application on a modern framework, implementing OIDC directly in the app may be cleaner. A proxy is most valuable when you need central enforcement across apps that cannot be changed quickly.
If your problem is IdP-to-IdP federation rather than app-to-IdP integration, choose identity-broker tooling instead of an application-side proxy.
Datawiza Access Proxy as a SAML proxy and OIDC proxy
Datawiza Access Proxy is an application-side access proxy. It can act as a SAML proxy or an OIDC proxy for applications that need modern identity without a code rewrite. Datawiza validates SAML assertions or OIDC tokens from the identity provider, applies policy, maps identity attributes to the headers each application expects, and forwards only approved traffic.
This is especially useful for header-based authentication, legacy web access management replacement, and applications that need SSO and MFA without modifying source code. Datawiza can also support Kerberos/IWA upstreams through Kerberos Constrained Delegation when that is the application integration model.
Deploying on an nginx estate? Start with every real option for nginx OIDC and SAML.
FAQ
What is a SAML proxy?
A SAML proxy is a component that handles SAML for another system. In an application-side pattern, it acts as the SAML service provider for apps that cannot implement SAML themselves.
Is a SAML proxy the same as a reverse proxy?
An application-side SAML proxy is a reverse proxy with SAML service-provider behavior. It does not just route traffic; it validates identity and establishes an application session.
Can one proxy handle both SAML and OIDC?
Yes. Datawiza Access Proxy can integrate with SAML and OIDC identity providers from the same access-proxy layer, which helps mixed estates avoid separate protocol-specific stacks.
Can a SAML proxy add MFA?
Yes. In most deployments, the identity provider enforces MFA during the SAML login. Datawiza can also enforce built-in MFA at the access layer when the application is not ready to rely on an external IdP.
Does nginx support SAML?
Open-source nginx does not include a generic SAML service-provider feature. NGINX Plus has a SAML reference implementation, or you can place a SAML-capable proxy in front. See nginx OIDC and SAML authentication options.
See the SAML Proxy Pattern in Action
Need SAML SSO for apps that were never built for SAML? Datawiza Access Proxy can sit in front of legacy and header-based apps without rewriting them. Book a demo.


