Security Assertion Markup Language: Difference between revisions

* A set of profiles (utilizing all of the above)
 
An important use case that SAML addresses is [[web browser|web-browser]] [[single sign-on]] (SSO). Single sign-on is relatively easy to accomplish within a [[security ___domain]] (using [[HTTP cookie|cookies]], for example) but extending SSO across security domains is more difficult and resulted in the proliferation of non-interoperable proprietary technologies. The SAML Web Browser SSO profile was specified and standardized to promote interoperability.<ref name="SAMLProf20">J.&nbsp;Hughes et al. ''Profiles for the OASIS Security Assertion Markup Language (SAML)&nbsp;2.0.'' OASIS Standard, March 2005. Document identifier: saml-profiles-2.0-os http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf (for the latest working draft of this specification with errata, see: https://www.oasis-open.org/committees/download.php/56782/sstc-saml-profiles-errata-2.0-wd-07.pdf)</ref> In practice, SAML SSO is most commonly used for authentication into cloud-based business software.<ref>{{Cite web |title=SAML: A technical primer |url=https://ssoready.com/docs/saml/saml-technical-primer |access-date=2024-12-14 |website=SSOReady Docs |language=en}}</ref>
 
== Overview ==
At the heart of the SAML assertion is a subject (a principal within the context of a particular security ___domain) about which something is being asserted. The subject is usually (but not necessarily) a human. As in the SAML&nbsp;2.0 Technical Overview,<ref name="SAMLTechOverview20">N.&nbsp;Ragouzis et al. ''Security Assertion Markup Language (SAML)&nbsp;2.0 Technical Overview.'' OASIS Committee Draft&nbsp;02, March 2008. Document identifier: sstc-saml-tech-overview-2.0-cd-02 https://wiki.oasis-open.org/security/Saml2TechOverview</ref> the terms subject and principal are used interchangeably in this document.
 
Before delivering the subject-based assertion from the Identity Provider to the Service Provider, the Identity Provider may request some information from the principal (such as a user name and password) in order to authenticate the principal. SAML specifies the content of the assertion that is passed from the Identity Provider to the Service Provider. In SAML, one Identity Provider may provide SAML assertions to many Service Providers. Similarly, one Service Provider (SP) may rely on and trust assertions from many independent Identity Providers (IdP).<ref>{{cite web |last1=Guevara |first1=Holly |title=How SAML Authentication Works |url=https://auth0.com/blog/how-saml-authentication-works/ |website=auth0.com |publisher=auth0 |access-date=19 April 2025}}</ref>
 
SAML does not specify the method of authentication at the identity provider. The IdP may use a username and password, or some other form of authentication, including [[multi-factor authentication]]. A SAML 2.0 authentication statement records when the authentication took place and which authentication context class was used, so the SP learns how the principal was authenticated without taking part in it. An authentication backend such as [[RADIUS]], or a directory service such as [[Lightweight Directory Access Protocol|LDAP]] or [[Active Directory]], that allows users to log in with a user name and password is a typical credential source at an identity provider.<ref name="92xv0">{{cite web|url=http://www.informationweek.com/software/information-management/saml-the-secret-to-centralized-identity-management/d/d-id/1028656? | title=SAML: The Secret to Centralized Identity Management |publisher=InformationWeek.com |date=2004-11-23 |access-date=2014-05-23}}</ref> The popular Internet social networking services also provide identity services that in theory could be used to support SAML exchanges.
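The two preceding paragraphs describe what an IdP puts into an assertion and what an SP that trusts several IdPs must check before accepting one. The following is an added example, not code from the article or from any SAML implementation: it builds a minimal SAML 2.0 <code>&lt;Assertion&gt;</code> on the IdP side and applies the SP-side checks (trusted issuer, validity window, audience, one-time ID, authentication context) using only the Python standard library. The entity IDs, the subject, the trust list and the five-minute lifetime are assumptions. XML Signature verification is deliberately left out; a real SP must verify the XML-DSig against the IdP's registered certificate before any field below is trusted.

```python
"""Minimal SAML 2.0 assertion: IdP-side construction, SP-side checks.

Constructed example for illustration; not code from any SAML library.
Entity IDs, subject and trust list are assumptions. XML-DSig verification
is NOT implemented: in a real SP it must succeed before any check here runs.
"""
import uuid
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
TS = "%Y-%m-%dT%H:%M:%SZ"  # xsd:dateTime in UTC, as SAML requires


def _q(name):
    return f"{{{SAML_NS}}}{name}"


def build_assertion(issuer, subject, audience, authn_class, now,
                    lifetime=timedelta(minutes=5)):
    """IdP side: emit an <Assertion> about `subject`, addressed to `audience`."""
    ET.register_namespace("saml", SAML_NS)
    a = ET.Element(_q("Assertion"), {"Version": "2.0",
                                      "ID": "_" + uuid.uuid4().hex,  # xsd:ID must not start with a digit
                                      "IssueInstant": now.strftime(TS)})
    ET.SubElement(a, _q("Issuer")).text = issuer
    subj = ET.SubElement(a, _q("Subject"))
    ET.SubElement(subj, _q("NameID"), {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}).text = subject
    cond = ET.SubElement(a, _q("Conditions"), {"NotBefore": now.strftime(TS),
                                               "NotOnOrAfter": (now + lifetime).strftime(TS)})
    aud = ET.SubElement(cond, _q("AudienceRestriction"))
    ET.SubElement(aud, _q("Audience")).text = audience
    stmt = ET.SubElement(a, _q("AuthnStatement"), {"AuthnInstant": now.strftime(TS)})
    ctx = ET.SubElement(stmt, _q("AuthnContext"))
    ET.SubElement(ctx, _q("AuthnContextClassRef")).text = authn_class  # how the IdP authenticated
    return ET.tostring(a, encoding="unicode")


def validate_assertion(xml_text, trusted_issuers, my_entity_id, now, seen_ids):
    """SP side (after signature verification): return (subject, authn_class) or raise."""
    root = ET.fromstring(xml_text)
    if root.tag != _q("Assertion") or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 Assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:            # one SP, many independent IdPs
        raise ValueError(f"untrusted issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    nb = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
    na = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    if not (nb <= now < na):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:            # assertion meant for a different SP
        raise ValueError("assertion not addressed to this SP")
    if root.get("ID") in seen_ids:               # replay of an already-consumed assertion
        raise ValueError("replayed assertion")
    seen_ids.add(root.get("ID"))
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    authn = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                          namespaces=NS)
    if not subject or not authn:
        raise ValueError("missing Subject or AuthnContext")
    return subject, authn


def demo():
    """Happy path plus the rejections an SP must make; returns a dict of outcomes."""
    now = datetime(2025, 4, 19, 12, 0, 0, tzinfo=timezone.utc)
    idp, sp = "https://idp.example.org/saml", "https://sp.example.com/saml"  # assumed IDs
    pwd = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    trusted = {idp, "https://idp2.example.net/saml"}
    xml = build_assertion(idp, "alice@example.org", sp, pwd, now)
    seen, later = set(), now + timedelta(seconds=30)
    out = {"ok": validate_assertion(xml, trusted, sp, later, seen)}

    def rejected(**kw):
        args = dict(xml_text=xml, trusted_issuers=trusted, my_entity_id=sp,
                    now=later, seen_ids=set())
        args.update(kw)
        try:
            validate_assertion(**args)
            return None
        except ValueError as e:
            return str(e)

    out["replay"] = rejected(seen_ids=seen)                      # same ID presented twice
    out["expired"] = rejected(now=now + timedelta(minutes=10))
    out["wrong_audience"] = rejected(my_entity_id="https://other.example.com/saml")
    out["untrusted_idp"] = rejected(trusted_issuers={"https://idp2.example.net/saml"})
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The order of the checks matters less than the fact that all of them run over the same parsed element whose signature was verified; known attacks against SAML consumers exploit a mismatch between the element that was signed and the element whose fields are read, so a production SP should read Issuer, Conditions and Subject only from the signed subtree. The `seen_ids` set stands in for a replay cache that must persist for at least the assertion lifetime.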
 
== History ==
[[File:History of SAML.svg|thumb|right |History of SAML (2002–2005)]]
 
The [[OASIS (organization)|Organization for the Advancement of Structured Information Standards (OASIS)]] Security Services Technical Committee (SSTC),<ref>{{Cite web |title=SAML Explained Guide |url=https://www.onelogin.com/learn/saml |access-date=2023-08-22 |website=www.onelogin.com |language=en}}</ref> which met for the first time in January 2001, was chartered "to define an XML framework for exchanging authentication and authorization information."<ref name="QmSYw">{{Cite mailing list | last = Maler | first = Eve | mailing-list = security-services at oasis-open | title = Minutes of 9 January 2001 Security Services TC telecon | date= 9 Jan 2001 | url = http://lists.oasis-open.org/archives/security-services/200101/msg00014.html | access-date = 7 April 2011}}</ref> To this end, the following intellectual property was contributed to the SSTC during the first two months of that year:
* ''Security Services Markup Language'' (S2ML) from Netegrity
* ''AuthXML'' from Securant
 
== See also ==
* [[SAML 2.0]]
* [[SAML metadata]]
* [[SAML-based products and services]]