Security Assertion Markup Language: Difference between revisions

'''<span lang="TH" dir="ltr">Security</span> Assertion Markup Language''' ('''SAML''', pronounced ''SAM-el'', {{IPAc-en|ˈ|s|æ|m|əl}})<ref name="ISnTY">{{cite web|url=http://www.webopedia.com/TERM/S/SAML.html |title=What is SAML? - A Word Definition From the Webopedia Computer Dictionary |date=25 June 2002 |publisher=Webopedia.com |access-date=2013-09-21}}</ref> is an [[open standard]] for exchanging [[authentication]] and [[authorization]] data between parties, in particular, between an [[identity provider (SAML)|identity provider]] and a [[service provider (SAML)|service provider]]. SAML is an [[XML]]-based [[markup language]] for security assertions (statements that service providers use to make access-control decisions). SAML is also:

An important use case that SAML addresses is [[web browser|web-browser]] [[single sign-on]] (SSO). Single sign-on is relatively easy to accomplish within a [[security ___domain]] (using [[HTTP cookie|cookies]], for example) but extending SSO across security domains is more difficult and resulted in the proliferation of non-interoperable proprietary technologies. The SAML Web Browser SSO profile was specified and standardized to promote interoperability.<ref name="SAMLProf20">J.&nbsp;Hughes et al. ''Profiles for the OASIS Security Assertion Markup Language (SAML)&nbsp;2.0.'' OASIS Standard, March 2005. Document identifier: saml-profiles-2.0-os http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf (for the latest working draft of this specification with errata, see: https://www.oasis-open.org/committees/download.php/56782/sstc-saml-profiles-errata-2.0-wd-07.pdf)</ref> In practice, SAML SSO is most commonly used for authentication into cloud-based business software.<ref>{{Cite web |title=SAML: A technical primer |url=https://ssoready.com/docs/saml/saml-technical-primer |access-date=2024-12-14 |website=SSOReady Docs |language=en}}</ref>

Before delivering the subject-based assertion from IdPIdentity Provider to the SPService Provider, the IdPIdentity Provider may request some information from the principal—suchprincipal (such as a user name and password—inpassword) in order to authenticate the principal. SAML specifies the content of the assertion that is passed from the IdPIdentity Provider to the SPService Provider. In SAML, one identityIdentity providerProvider may provide SAML assertions to many serviceService providersProviders. Similarly, one Service Provider (SP) may rely on and trust assertions from many independent IdPsIdentity Providers (IdP).<ref>{{Citationcite web needed|last1=Guevara |first1=Holly |title=How SAML Authentication Works |url=https://auth0.com/blog/how-saml-authentication-works/ |website=auth0.com |publisher=auth0 |access-date=September19 April 20232025}}</ref>

SAML does not specify the method of authentication at the identity provider. The IdP may use a username and password, or some other form of authentication, including [[multi-factor authentication]]. A directory service such as [[RADIUS]], [[Lightweight Directory Access Protocol|LDAP]], or [[Active Directory]] that allows users to log in with a user name and password is a typical source of authentication tokens at an identity provider.<ref name="92xv0">{{cite web|url=http://www.informationweek.com/software/information-management/saml-the-secret-to-centralized-identity-management/d/d-id/1028656? | title=SAML: The Secret to Centralized Identity Management |publisher=InformationWeek.com |date=2004-11-23 |access-date=2014-05-23}}</ref> The popular Internet social networking services also provide identity services that in theory could be used to support SAML exchanges.