This article is an attempt to provide that road map, so others can understand and appreciate SAML.
Note: This article pertains to SAML 2.0 and not SAML 1.x.
From the OASIS SAML Technical Overview Document:
“The OASIS Security Assertion Markup Language (SAML) standard defines an XML-based framework for describing and exchanging security information between on-line business partners.”
While this description makes sense to those already familiar with SAML, it may be incomprehensible to everyone else. To help everyone else, I’m going to provide a simplified, high-level overview. Then, once some of the basics have been established, I will provide a resource from the OASIS site that describes the technical details of the SAML standard.
The SAML standard can be broken down into several components, some of which are listed below.
- SAML Assertions
- SAML Protocols
- SAML Bindings
- SAML Profiles
SAML Profiles are a collection of SAML components organized into use cases suited to solve a business problem or need. Examples of major profiles or use cases defined within the SAML Standard are listed below.
- Web Browser Single Sign-On Profile (Web Browser SSO)
- Single Logout Profile
- Web Services Security (WS-Security) and SAML
The Single Logout Profile provides a mechanism to simultaneously log a user out of all sites participating in a particular single sign-on experience.
The combination of WS-Security and SAML is actually an extension of SAML and not directly defined as a profile. However, this use case is a valuable way to use a SAML assertion as a security token for the authentication and authorization of a principal interacting with a system through SOAP web services.
SAML Assertions consist of XML data that contains authentication, authorization, or additional attributes about a principal (a user, application, or other subject wishing to access a resource). SAML assertions are often provided by an identity provider or authentication service to a service provider. The service provider can interpret the assertions and trusts the identity provider because of agreements made between the organizations that own or operate the services.
An example assertion is shown below. Discussion of the structure of a SAML Assertion will be addressed by a resource provided later in this article.
SAML Protocols define mechanisms for communicating SAML Assertions between identity providers, principals, and service providers. The standard provides a detailed set of request and response strategies to suit a variety of business and technical requirements.
SAML 2.0 includes the following protocols:
- Assertion Query and Request Protocol
- Authentication Request Protocol
- Artifact Resolution Protocol
- Name Identifier Management Protocol
- Single Logout Protocol
- Name Identifier Mapping Protocol
SAML Protocol Authentication Request:
SAML Protocol Authentication Response:
SAML Bindings determine how SAML messages are encapsulated within other protocols such as HTTP or SOAP. SAML 2.0 describes the following bindings:
- SAML SOAP Binding
- Reverse SOAP (PAOS) Binding
- HTTP Redirect (GET) Binding
- HTTP POST Binding
- HTTP Artifact Binding
- SAML URI Binding
Now that a basic understanding of SAML has been established, I suggest reading the Security Assertion Markup Language (SAML) V2.0 Technical Overview. This document is written by OASIS and summarizes the SAML standard in a way that is easy to understand.
What About Security?
There are many security considerations that must be analyzed before the implementation of a product leveraging SAML takes place. Often authentication or authorization information is allowed to pass through untrusted users or may be intercepted by attackers. The Security and Privacy Considerations for the OASIS
If I were asked to summarize the mitigation strategies described in this document, I would provide the following recommendations:
- Use TLS/SSL 3.0 with strong ciphers and verifiable certificates (usually for just the server, but sometimes needed for the client as well).
- If the application must ensure data integrity remains intact, use XML Signature to ensure it is not manipulated while in transit.
- If confidential, sensitive, or private data passes through the client, use XML Encryption to ensure it is not disclosed to unauthorized parties.