SAML2.0 in a Nutshell

SAML

SAML is an XML-based framework for marshaling security and identity information and exchanging it across domain boundaries.

SAML’s core : assertions about subjects

Assertions contain statements : authentication, attribute, entitlement, or roll-your-own

SAML Use Cases

  1. SSO
  2. Identity Federation
  3. Attribute Services
  4. Single logout
  5. Securing Web Services messages

Terms and concepts :

  • Entity : An active element of a computer/network system
  • Principal : An entity whose identity can be authenticated
  • Subject : A principal in the context of a security domain
  • Identity : One’s characteristics, traits and preferences
  • Identifier : A data object that uniquely refers to a particular entity
  • Federated Identity : Existence of an agreement between providers on a set of identifiers to use to refer to a principal
  • Asserting Party (SAML Authority) : An entity that produces SAML assertions
  • Identity Provider: An entity that creates, maintains, and manages identity info for principals and provides principal authentication to other service providers.
  • Relying Party : An entity that decides to take an action based on information from another system entity.
  • Service Provider : An entity that provides services to principals or other entities.

SAML Assertions :

An assertion is a declaration of fact, according to someone. SAML assertions contain one or more statements about a subject :

  • Authentication statement : “Joe authenticated with a password at 9.00 am”
  • Attribute statement : “Joe is manager with a $500 spending limit”

<Assertion>
  <Issuer/>
  <Signature/>
  <Subject/>
  <Conditions/>
  <AttributeStatement/>
  <AuthnStatement/>
</Assertion>

SAML Protocols :

  1. Assertion request
  2. Authentication request
  3. Artifact resolution
  4. Name identifier management
  5. Name identifier mapping
  6. Single logout

Artifacts :

  • A small, fixed-size, structured data object pointing to a typically larger, variable-size SAML protocol message.
  • Designed to be embedded in URLs and conveyed in HTTP messages
  • Allows for “pulling” SAML messages rather than having to push them
  • SAML defines one artifact format but you can roll your own

Bindings

  1. SOAP : Basic way for IdPs and SPs to send SAML protocol messages
  2. Reverse SOAP
  3. HTTP redirect : Method to send a SAML message by means of an HTTP 302 redirect
  4. HTTP POST : Method to send a SAML message as a base64-encoded HTML form control
  5. HTTP Artifact : Way to transport an artifact over HTTP in two ways : URL query string and HTML form control
  6. URI : How to retrieve a SAML message by resolving a URI

Profiles

  1. Web Browser SSO
  2. Enhanced client and proxy
  3. IdP discovery
  4. Single Logout
  5. Name identifier management
  6. Artifact resolution
  7. Assertion request