SAML

Components

XML-based standard for exchanging authentication and authorization data between application domains by means of assertions

Authentication Assertion

Responds to credential requests

Asserts the authentication status, the means used and the time it occurred

Attribute Assertion

Responds to Attribute association request

Asserts a name/value-pair attribute and its association with an entity

Authorization Assertion

Responds to a permissions request

Asserts whether an entity has or has not been granted permission to a given resource

Context

Definition

SAML (Security Assertion Markup Language) is an OASIS standard developed to provide an XML-based method for communicating authentication and authorization data between domains, whether inside an organization or between organizations. A SAML assertion or artifact is issued by an identity provider to a principal (most often an end user). That assertion is subsequently presented to a service provider as proof of authentication and/or authorization, so the user gains the benefit of single sign-on.

XACML (Extensible Access Control Markup Language) is an OASIS standard developed to provide an XML-based access policy language and a model for interpreting the policies. Policies expressed in XACML can be used across policy enforcement points that support this standard.

SPML (Service Provisioning Markup Language) is an OASIS standard developed to provide an XML-based language for provisioning and managing the life cycle of users, system access entitlements or privileges.

Process flow

User agent requests target resource

Service Provider responds with XHTML form

User agent requests the SSO service from the identity provider

Identity provider identifies the user

Identity provider sends the user agent the XHTML form

User agent requests the assertion consumer service at the service provider

Service provider redirects to target resource