Security Assertion Markup Language: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 07:27, 7 February 2023 edit PritongKandule (talk \| contribs) Extended confirmed users, Pending changes reviewers, Rollbackers 7,059 edits rm random text Tags: Manual revert Visual edit ← Previous edit		Latest revision as of 18:06, 19 April 2025 edit undo LeftyJohnson (talk \| contribs) 6 edits m correct citation
(31 intermediate revisions by 23 users not shown)
Line 6: * A set of profiles (utilizing all of the above) An important use case that SAML addresses is [[web browser\|web-browser]] [[single sign-on]] (SSO). Single sign-on is relatively easy to accomplish within a [[~~Security ___domain\|~~security ___domain]] (using [[HTTP cookie\|cookies]], for example) but extending SSO across security domains is more difficult and resulted in the proliferation of non-interoperable proprietary technologies. The SAML Web Browser SSO profile was specified and standardized to promote interoperability.<ref name="SAMLProf20">J. Hughes et al. ''Profiles for the OASIS Security Assertion Markup Language (SAML) 2.0.'' OASIS Standard, March 2005. Document identifier: saml-profiles-2.0-os http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf (for the latest working draft of this specification with errata, see: https://www.oasis-open.org/committees/download.php/56782/sstc-saml-profiles-errata-2.0-wd-07.pdf)</ref> In practice, SAML SSO is most commonly used for authentication into cloud-based business software.<ref>{{Cite web \|title=SAML: A technical primer \|url=https://ssoready.com/docs/saml/saml-technical-primer \|access-date=2024-12-14 \|website=SSOReady Docs \|language=en}}</ref> == Overview == Line 14: At the heart of the SAML assertion is a subject (a principal within the context of a particular security ___domain) about which something is being asserted. The subject is usually (but not necessarily) a human. As in the SAML 2.0 Technical Overview,<ref name="SAMLTechOverview20">N. Ragouzis et al. ''Security Assertion Markup Language (SAML) 2.0 Technical Overview.'' OASIS Committee Draft 02, March 2008. Document identifier: sstc-saml-tech-overview-2.0-cd-02 https://wiki.oasis-open.org/security/Saml2TechOverview</ref> the terms subject and principal are used interchangeably in this document. Before delivering the subject-based assertion from ~~IdP~~Identity Provider to the SPService Provider, the ~~IdP~~Identity Provider may request some information from the ~~principal—such~~principal (such as a user name and ~~password—in~~password) in order to authenticate the principal. SAML specifies the content of the assertion that is passed from the ~~IdP~~Identity Provider to the SPService Provider. In SAML, one ~~identity~~Identity ~~provider~~Provider may provide SAML assertions to many ~~service~~Service ~~providers~~Providers. Similarly, one Service Provider (SP) may rely on and trust assertions from many independent ~~IdPs~~Identity Providers (IdP).<ref>{{cite web \|last1=Guevara \|first1=Holly \|title=How SAML Authentication Works \|url=https://auth0.com/blog/how-saml-authentication-works/ \|website=auth0.com \|publisher=auth0 \|access-date=19 April 2025}}</ref> SAML does not specify the method of authentication at the identity provider. The IdP may use a username and password, or some other form of authentication, including [[multi-factor authentication]]. A directory service such as [[RADIUS]], [[Lightweight Directory Access Protocol\|LDAP]], or [[Active Directory]] that allows users to log in with a user name and password is a typical source of authentication tokens at an identity provider.<ref name="92xv0">{{cite web\|url=http://www.informationweek.com/software/information-management/saml-the-secret-to-centralized-identity-management/d/d-id/1028656? \| title=SAML: The Secret to Centralized Identity Management \|publisher=InformationWeek.com \|date=2004-11-23 \|access-date=2014-05-23}}</ref> The popular Internet social networking services also provide identity services that in theory could be used to support SAML exchanges. == History == Line 104: # Authorization decision query The result of an attribute query is a SAML response containing an assertion, which itself contains an attribute statement. See the SAML 2.0 topic for [[SAML 2.0#SAML ~~Attribute~~attribute ~~Query~~query\|an example of attribute query/response]]. Beyond queries, SAML 1.1 specifies no other protocols. Line 125: SAML 1.1 specifies just one binding, the SAML SOAP Binding. In addition to SOAP, implicit in SAML 1.1 Web Browser SSO are the precursors of the HTTP POST Binding, the HTTP Redirect Binding, and the HTTP Artifact Binding. These are not defined explicitly, however, and are only used in conjunction with SAML 1.1 Web Browser SSO. The notion of binding is not fully developed until SAML 2.0. SAML 2.0 completely separates the binding concept from the underlying profile. In fact, there is a brand [[SAML 2.0#SAML 2.0 ~~Bindings~~bindings\|new binding specification in SAML 2.0]] that defines the following standalone bindings: * SAML SOAP Binding (based on SOAP 1.1) * Reverse SOAP (PAOS) Binding Line 172: {{clear}} ; 1. Request the target resource at the SP (SAML 2.0 only): The principal (via an ~~HTTP~~HTTPs user agent) requests a target resource at the service provider: <pre><nowiki>https://sp.example.com/myresource</nowiki></pre> The service provider performs a security check on behalf of the target resource. If a valid security context at the service provider already exists, skip steps 2–7. ; 2. Redirect to the SSO Service at the IdP (SAML 2.0 only):The service provider determines the user's preferred identity provider (by unspecified means) and redirects the user agent to the SSO Service at the identity provider: <pre><nowiki>https://idp.example.org/SAML2/SSO/Redirect?SAMLRequest=request</nowiki></pre> The value of the <code>SAMLRequest</code> parameter (denoted by the placeholder <code>request</code> above) is the [[Base64]] encoding of a [[DEFLATE\|deflated]] <code><samlp:AuthnRequest></code> element. ; 3. Request the SSO Service at the IdP (SAML 2.0 only): The user agent issues a GET request to the SSO service at the URL from step 2. The SSO service processes the <code>AuthnRequest</code> (sent via the <code>SAMLRequest</code> URL query parameter) and performs a security check. If the user does not have a valid security context, the identity provider identifies the user (details omitted). ; 4. Respond with an XHTML form: The SSO service validates the request and responds with a document containing an XHTML form: <syntaxhighlight lang="~~html4strict~~html"> <form method="post" action="https://sp.example.com/SAML2/SSO/POST" ...> <input type="hidden" name="SAMLResponse" value="response" /> Line 196: == See also == * [[SAML 2.0]] * [[SAML metadata]] * [[SAML-based products and services]]