SAML: Introduction

Before reading this post, refer to the Cross-Domain SSO (Federation) post to get a feel for federation, which is essential to understanding SAML in general.

  • Security Assertion Markup Language (SAML) is an XML-based framework and an OASIS standard for exchanging authentication and authorization data between security domains; its main use is single sign-on (SSO).
  • It is sometimes also called SAML-P (“P” stands for Protocol).
  • Authentication and authorization information is exchanged as digitally signed (and optionally encrypted) XML documents between two entities:
    • Identity Provider (IdP) – authenticates the user and vouches for that identity
    • Service Provider (SP) – relies on the IdP to decide whether the user gets access to a service
  • The SP agrees to trust the IdP (the two form a Circle of Trust) to authenticate users.
  • In return, the IdP generates an authentication assertion (a token) about a user/subject, stating that the user has been authenticated, when and by what means.
  • It should be noted that SAML assertions are not always security tokens.
    • What turns a SAML assertion into a token is the SubjectConfirmation construct inside it (bearer, holder-of-key or sender-vouches), and that construct is open to any token type, proof mechanism or trust model.
  • SAML is used far more heavily in enterprise applications (such as B2B and workforce SSO) than in consumer internet services.
  • Earlier versions are SAML V1.0 and V1.1; the current version, SAML V2.0 (2005), is a complete federated identity standard and is what the rest of this post describes.

Benefits

  1. Standardization: SAML is an open standard, so systems interoperate without depending on any proprietary implementation.
  2. Increased Security: SAML uses XML Signature and XML Encryption to sign and encrypt the assertion, so an assertion sent by the IdP to the SP carries integrity and, when encrypted, confidentiality. This only holds if the SP actually validates the signature against the IdP certificate it holds in metadata; an unchecked signature gives no integrity at all.
  3. Improved User Experience: Since the SP depends on the IdP, the end-user only needs to log in once at the IdP and then gets seamless access to multiple SPs without logging in again.
  4. Risk Transference: The IdP takes on the responsibility of managing identities and issuing assertions in response to the SP's authentication requests, so the SP never stores or verifies user credentials itself.

Models

There are 3 major models for using SAML as a protocol to communicate security and identity information between parties.

  1. Web-SSO
    • In web single sign-on (using a browser), a user authenticates to one web site (the IdP) and then, without additional authentication, is able to access resources at another site (the SP). This model is widely used in enterprises.
  2. Attribute-Based Authorization
    • One web site (the IdP) communicates identity information about a subject (such as roles or group memberships) to another web site (the SP), which uses it to authorize some transaction.
  3. Securing Web Services
    • SAML assertions can be carried inside SOAP messages (via WS-Security) to convey security and identity information between web services. Nowadays this usage has largely been taken over by OAuth 2.0 bearer tokens.

Building Blocks

SAML consists of a number of building-block components which, put together, support various use cases. They are:

  1. Assertions
  2. Protocols
  3. Bindings
  4. Profiles
  5. Metadata

1. Assertions

An assertion is a package of identity and security information sent by the IdP to the SP; each part has a defined XML schema. An assertion carries one or more of 3 kinds of statements.

  • Authentication
    • The specified subject was authenticated by a particular means at a particular time. (Eg: user alice was authenticated at 10:00 with a password over TLS, expressed as the AuthnContext class PasswordProtectedTransport.)
  • Attribute
    • The specified subject is associated with the supplied attributes. (Eg: the roles or group memberships of a subject; an attribute may be multi-valued.)
  • Authorization Decision
    • The specified subject is permitted or denied access to a specified resource for a given action. (Eg: user has READ access to a resource.) This statement type is frozen in SAML 2.0; new deployments are expected to use XACML for authorization decisions.
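As an added example (not code from the original post), the following Python uses only the standard library to parse a constructed SAML 2.0 assertion containing all three statement kinds, and then applies the Conditions checks an SP has to make on top of signature validation: validity window, audience and subject confirmation method. The assertion, entity IDs and timestamps are constructed for this example; signature verification is out of scope here and must be done first, on the raw XML, with the IdP certificate from metadata.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion for this example (not from a real IdP). It is unsigned,
# so a real SP would already have rejected it before any of the checks below.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.com/acs" InResponseTo="_req42"
          NotOnOrAfter="2024-01-01T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T09:59:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T10:00:00Z" SessionIndex="_s1">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>admin</saml:AttributeValue>
      <saml:AttributeValue>auditor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://sp.example.com/reports" Decision="Permit">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""


def parse_ts(value):
    # SAML timestamps are UTC xsd:dateTime; this accepts the common plain 'Z' form
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def parse_assertion(xml_text):
    """Extract subject, conditions and the three statement kinds from one assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 Assertion")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    confirmation = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    cond = root.find("saml:Conditions", NS)
    nb = cond.get("NotBefore") if cond is not None else None
    noa = cond.get("NotOnOrAfter") if cond is not None else None
    return {
        "id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": name_id.text if name_id is not None else None,
        "confirmation_method": confirmation.get("Method") if confirmation is not None else None,
        "not_before": parse_ts(nb) if nb else None,
        "not_on_or_after": parse_ts(noa) if noa else None,
        "audiences": [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        # Authentication statements: when and by what means the subject was authenticated
        "authn": [
            {"instant": parse_ts(s.get("AuthnInstant")), "session_index": s.get("SessionIndex"),
             "context": s.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)}
            for s in root.findall("saml:AuthnStatement", NS)
        ],
        # Attribute statements: name -> list of values (attributes may be multi-valued)
        "attributes": {
            a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
        },
        # Authorization decision statements (frozen in SAML 2.0, rarely seen in practice)
        "authz_decisions": [
            {"resource": d.get("Resource"), "decision": d.get("Decision"),
             "actions": [act.text for act in d.findall("saml:Action", NS)]}
            for d in root.findall("saml:AuthzDecisionStatement", NS)
        ],
    }


def check_conditions(assertion, our_entity_id, now=None, skew_seconds=60):
    """Reasons an SP must reject a (signature-verified) assertion; empty list = acceptable."""
    now = now or dt.datetime.now(dt.timezone.utc)
    skew = dt.timedelta(seconds=skew_seconds)  # tolerate small IdP/SP clock drift
    problems = []
    if assertion["not_before"] is not None and now < assertion["not_before"] - skew:
        problems.append("not yet valid")
    # NotOnOrAfter is exclusive: the assertion is already invalid at exactly that instant
    if assertion["not_on_or_after"] is not None and now >= assertion["not_on_or_after"] + skew:
        problems.append("expired")
    # AudienceRestriction binds the assertion to one SP; another SP must not accept it
    if assertion["audiences"] and our_entity_id not in assertion["audiences"]:
        problems.append("audience mismatch")
    # Web Browser SSO only accepts bearer confirmation; other methods need extra proof
    if assertion["confirmation_method"] != BEARER:
        problems.append("unsupported subject confirmation method")
    return problems
```

check_conditions returns the list of rejection reasons rather than a boolean so that a failed login can be logged with its cause; note the exclusive NotOnOrAfter boundary and the clock-skew allowance, both common sources of interoperability bugs.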

2. Protocols

SAML defines a number of request/response protocols for communication between IdP and SP, each with a defined XML schema. There are 6 protocols.

  • Assertion Query and Request Protocol
    • Querying for assertions that meet particular criteria (by authentication, attribute or authorization decision).
    • A direct request for a known assertion by its ID.
  • Authentication Request Protocol
    • The SP requests that the subject be authenticated (AuthnRequest); the IdP answers with a Response carrying the corresponding assertion, whose InResponseTo must match the request ID.
  • Artifact Resolution Protocol
    • Retrieve a message (request, response or assertion) that was passed by reference, i.e. as an artifact: a small, fixed-size, Base64-encoded value that the receiver resolves over a back channel to the sender.
  • Name Identifier Management Protocol
    • Request that the value or format of a name identifier be changed.
    • Request that the use of an identifier be terminated.
  • Single Logout Protocol
    • Request a near-simultaneous logout of a collection of related user sessions (“single logout”).
  • Name Identifier Mapping Protocol
    • Request that a name identifier be mapped to the one used by another SP (account linking).

3. Bindings

Defines the transport mechanisms for SAML request-response messages. SAML 2.0 defines 6 bindings (the sixth, the SAML URI binding, is rarely used in practice).

  • SOAP Binding
    • How SAML messages are carried inside SOAP messages (a synchronous back channel, used for artifact resolution and queries).
  • Reverse SOAP (PAOS) Binding
    • A multi-stage SOAP/HTTP message exchange that permits an HTTP client to be a SOAP responder.
  • HTTP Redirect
    • How SAML messages are passed in the query string of an HTTP redirect (302): the message is DEFLATE-compressed, Base64-encoded and URL-encoded, and any signature travels in separate SigAlg and Signature query parameters. Because of URL length limits it is normally used only for short messages such as AuthnRequest and LogoutRequest.
  • HTTP POST
    • How Base64-encoded SAML messages are passed in a hidden form field (SAMLRequest or SAMLResponse) that the browser submits by HTTP POST; used for large messages such as the Response, with the XML Signature embedded in the message.
  • HTTP Artifact Binding
    • How a SAML request or response is passed by reference (an artifact) through the browser, with the receiver resolving the artifact over a direct back channel to the sender.
  • SAML URI Binding
    • How an existing assertion is retrieved by resolving a URI that identifies it.
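The Authentication Request Protocol and the two browser bindings above, as an added example that is not part of the original post: standard-library Python that builds an AuthnRequest, encodes it for the HTTP-Redirect binding (DEFLATE, Base64, URL-encode) and for the HTTP-POST binding (Base64 only), decodes both again on the IdP side and extracts the fields the IdP has to check. The entity IDs and URLs are assumed values; the query-string signature (SigAlg/Signature) is left out because it needs a private key.

```python
import base64
import urllib.parse
import uuid
import zlib
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
MAX_INFLATED = 1_000_000  # cap on the inflated message size (decompression-bomb guard)


def build_authn_request(issuer, destination, acs_url, request_id=None, issue_instant=None):
    """AuthnRequest as an SP sends it (Authentication Request Protocol).

    The SP must remember the random ID so the Response's InResponseTo can be
    matched against it; an unmatched response should not create a session.
    """
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,  # the IdP SSO endpoint taken from its metadata
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


# HTTP-Redirect binding: DEFLATE -> Base64 -> URL-encode, carried in the query string
def encode_redirect(message_xml, relay_state=None, param="SAMLRequest"):
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw DEFLATE, no zlib header
    deflated = compressor.compress(message_xml.encode("utf-8")) + compressor.flush()
    params = {param: base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    # A signed redirect also appends SigAlg and a Signature computed over this
    # encoded query string; that needs the SP's private key, so it is omitted here.
    return urllib.parse.urlencode(params)


def decode_redirect(query_string, param="SAMLRequest"):
    params = urllib.parse.parse_qs(query_string, strict_parsing=True)
    deflated = base64.b64decode(params[param][0], validate=True)
    inflater = zlib.decompressobj(-15)
    message_xml = inflater.decompress(deflated, MAX_INFLATED)
    if inflater.unconsumed_tail:
        raise ValueError("inflated SAML message exceeds size limit")
    return message_xml.decode("utf-8"), params.get("RelayState", [None])[0]


# HTTP-POST binding: Base64 only, carried in a hidden form field submitted by the browser
def encode_post(message_xml):
    return base64.b64encode(message_xml.encode("utf-8")).decode("ascii")


def decode_post(form_value):
    return base64.b64decode(form_value, validate=True).decode("utf-8")


def parse_authn_request(message_xml):
    """IdP-side view of the request: the fields it has to check before answering."""
    root = ET.fromstring(message_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "acs": root.get("AssertionConsumerServiceURL"),
    }


def acs_is_registered(request_info, registered_acs_urls):
    """The IdP must only deliver the Response to an ACS URL it knows from the SP's
    metadata; honouring an arbitrary URL from the request would hand the assertion
    to whoever crafted the request."""
    return request_info["acs"] in registered_acs_urls
```

decode_redirect caps the inflated size because a few hundred bytes of query string can inflate to megabytes of XML; acs_is_registered shows why the IdP compares AssertionConsumerServiceURL against the SP's metadata instead of trusting the value in the request.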

4. Profiles

Describes in detail how SAML assertions, protocols and bindings combine to support a defined use case. The following 9 profiles (use cases) are defined.

  • Web Browser SSO Profile
    • How to enable single sign-on for a user in a web browser.
    • Uses: Authentication Request Protocol with the HTTP POST, HTTP Redirect and HTTP Artifact bindings.
  • Enhanced Client and Proxy (ECP) Profile
    • How protocol messages are used when combined with the Reverse-SOAP (PAOS) binding, for clients that are not ordinary browsers.
    • Designed to support, for example, mobile devices front-ended by a WAP gateway.
  • Identity Provider Discovery Profile
    • How an SP can discover which IdP(s) a principal uses for authentication (via a cookie in a common domain shared by the IdPs).
  • Single Logout Profile
    • How the SOAP, HTTP Redirect, HTTP POST and HTTP Artifact bindings may be used for logout.
  • Name Identifier Management Profile
    • How the Name Identifier Management protocol may be used with the SOAP, HTTP Redirect, HTTP POST and HTTP Artifact bindings.
  • Artifact Resolution Profile
    • How the Artifact Resolution protocol uses a synchronous binding, for example the SOAP binding.
  • Assertion Query/Request Profile
    • How the SAML query protocols (used for obtaining SAML assertions) use a synchronous binding such as the SOAP binding.
  • Name Identifier Mapping Profile
    • How the Name Identifier Mapping protocol uses a synchronous binding such as the SOAP binding.
  • Attribute Profile
    • How attributes from an existing naming scheme are named and represented as SAML attributes (Eg: X.500/LDAP attributes in SAML attribute statements).

5. Metadata

  • Metadata is the concrete implementation of the Circle of Trust concept.
  • Defines how to express the configuration and trust-related data exchanged between IdP and SP.
  • Carries the data that must be agreed on between IdP and SP: the roles each entity supports, entity identifiers (entityID), supported profiles, bindings and NameID formats, endpoint URLs, and the certificates/keys used for signing and encryption. Each side validates the other's messages only against what its own copy of the metadata says.
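As an added example (not from the original post), here is a standard-library Python parser for IdP metadata that pulls out exactly the trust data listed above: entityID, signing certificate(s), supported NameID formats and the SSO/SLO endpoints per binding. The metadata document, entity ID, URLs and the certificate value (a dummy placeholder string, not a real X.509 certificate) are constructed for this example.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata for this example; the certificate value is a dummy
# placeholder, not a real X.509 certificate.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          PLACEHOLDERCERTBASE64
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/sso/post"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Pull out what an SP needs in order to configure trust in this IdP."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("entity has no IDPSSODescriptor role")
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # No 'use' attribute means the key is valid for both signing and encryption
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                signing_certs.append("".join(cert.text.split()))  # strip PEM line wrapping
    return {
        "entity_id": root.get("entityID"),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned") == "true",
        "signing_certs": signing_certs,
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
        "sso": {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)},
        "slo": {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)},
    }


def sso_endpoint(idp, binding):
    """Where an AuthnRequest goes for the given binding; this becomes the request's
    Destination and is the only URL the SP should redirect the user to."""
    try:
        return idp["sso"][binding]
    except KeyError:
        raise ValueError(f"IdP does not offer SingleSignOnService over {binding}") from None


def issuer_is_trusted(idp, issuer):
    """Circle-of-Trust check: an assertion's <Issuer> must exactly match the entityID
    of an IdP whose metadata the SP holds, before its signature is even looked up."""
    return issuer == idp["entity_id"]
```

The signing certificate list is what an SP's signature validator is seeded with; keys without a use attribute count for both signing and encryption, and comparing an assertion's Issuer to entityID is an exact string match, so a trailing slash or a different scheme is a different entity.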

Basic Flow

Refer to the Cross-Domain SSO (Federation) post for the basic flow of the SAML 2.0 Web Browser SSO protocol.

Component Relationship

saml-comp.png
SAML Component Relationship
