Monday, June 27, 2011

Security Assertion Markup Language (SAML)


Single sign-on is a method of access control that enables a user to access multiple independent software systems with common user base. SSO provides a single action of user authorization and authentication to access systems without the need to enter login information several times.

Security Assertion Markup Language (SAML) is a product of the OASIS Security Services Technical Committee and an XML-based open standard that provides one of the solutions to implement SSO functionality. The authentication and authorization data between security domains is exchanged between an identity provider and a service provider. The SAML standard defines set of rules and syntax for the data exchange, and the flexibility for custom data to be transmitted to the external service provider.

 

SAML Structure

A SAML transaction involves three roles:

  • Asserting Party: or the identity provider is the system that provides the user information.
  • Relying Party: or the service provider is the system that trusts the asserting party and uses the provided user data to application accessibility to the end user.
  • Subject: the user information that is involved in the transaction.
The transaction between the identity provider and the service provide is called a SAML assertion. The structure of SAML assertion is in the form of XML document and contains the statements regarding subject in the form of attributes and conditions. The assertion can also contain the authorization related information that will define the application functionalities that a user can access.

 

SAML protocols

The SAML standard defines set of request and response protocols in order to communication the assertions between the service provider and the identity provider. Some of such protocols are:

• Authentication Request Protocol – defines the request assertion by the service provider related to authentication statements.

• Single Logout Protocol – defines the logout process out of all service providers using the single logout.

• Artifact Resolution Protocol – defines how the initial artifact value and then the request/response values are passed between the identity provider and the service provider.

• Name Identifier Management Protocol – defines how to add, change or delete the value of the name identifier for the service provider.

 

SAML Bindings

SAML bindings define the mapping between the SAML protocols and the network protocols that are used for communication of SAML assertions between the identity provider and service provider.

Some example bindings used are:

• HTTP Redirect Binding – uses HTTP redirect messages.
• HTTP POST Binding – defines how assertions communication using base64-encoding.
• HTTP Artifact Binding – defines how an artifact is transported using HTTP.
• SOAP HTTP Binding – uses SOAP 1.1 messaging over HTTP.

 

SAML Profiles

SAML profiles are the business use cases that defines dictate how the assertion, protocol and bindings will work together to provide SSO. Some example profiles are:

·        Web Browser SSO Profile – uses the Authentication Request Protocol, and any of the following bindings: HTTP Redirect, HTTP POST and HTTP Artifact.
·        Single Logout Profile – uses the Single Logout Protocol to logout the user from all services.
·        Artifact Resolution Profile – uses the Artifact Resolution Protocol over a SOAP HTTP binding.
·        Name Identifier Management Profile – uses the name Identifier management Protocol and can be used with HTTP Redirect, HTTP POST, HTTP Artifact or SOAP.

 

SSO using SAML

The most popular business use case for SAML federation is the web browser SSO profile, used in conjunction with the HTTP POST binding and authentication request protocol. A user requests via a user agent (generally a web browser) a web resource protected by a SAML service provider. The service provider issues an authentication request to a SAML identity provider through the user agent in order to know the identity of the requesting user.

Single Log out using SAML

 

No comments: