Defining SAML

SAML is an XML language intended to facilitate the exchange of authentication, attribute, and authorization information. Why invent a new language to do this? First, authentication and permissions information is shared in mostly proprietary ways. This means that in most cases, for two different systems to communicate security information, custom code must be developed. Second, Web-based applications need to be able to authenticate across domains more easily. Simply passing usernames and passwords is not sufficient for enterprise applications.

Common Web Application Scenarios

There are numerous ways SAML-based technology can add functionality to identity-based applications. A few examples are:

SAML Use Cases

SAML was developed to handle three general types of use cases:

Single Sign-On

This is the most intuitive SAML use case. A user logs in to a source site. The user selects a link at the source site, directing him or her to a secure resource on a destination site. The destination site is able to authenticate the user and provide the user with the secure resource.

Authorization Services

A user has authenticated to a site and/or application. The user requests access to a resource controlled by a Policy Enforcement Point (PEP). The PEP checks whether the user may access the desired resource, and the user is either granted or denied access. SAML is used as the communication mechanism between the PEP and a Policy Decision Point (PDP). In Novell product terminology, a PEP could be thought of as iChain®, and the PDP as Novell® eDirectory™ or another service.

Back-Office Transactions

A corporate user has logged into his or her company portal and wants to order office supplies. The office supply company can authenticate the user and determine if the user has rights to order the supplies, as well as what the user's spending limit is.

SAML Requirements

SAML provides the following key features that make the above-mentioned use cases possible:

SAML 1.0 Features

SAML is, in essence, an XML schema and encoding for expressing security information. SAML-encoded security information is referred to as an assertion. A SAML assertion can contain a number of different SAML statements containing information about authentication, attributes, and authorization.

SAML also includes an XML schema and encoding system for making SAML requests and responses. A system receiving a user with SAML information needs to request an assertion from the user's source site. A Policy Enforcement Point (PEP) that needs authorization information can make that request to a Policy Decision Point (PDP) using SAML.
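The following is an added example, not code from the original Novell article, showing the PEP/PDP exchange described above as concrete SAML 1.0 XML: the PEP builds a samlp:Request carrying an AuthorizationDecisionQuery, the PDP answers with a samlp:Response that wraps a saml:Assertion holding an AuthorizationDecisionStatement and a Conditions validity window, and the PEP checks the response before enforcing it. Only the Python standard library is used; the issuer name, resource URL, subjects and policy table are constructed sample values.

```python
# Added example (not from the original article): a SAML 1.0
# AuthorizationDecisionQuery / Response round trip between a PEP and a PDP.
# Hostnames, subjects and the policy table are constructed sample values.
import uuid
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"   # assertion schema namespace
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"   # request/response namespace
ACTION_NS = "urn:oasis:names:tc:SAML:1.0:action:rwedc"
TS = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)


def _ts(dt):
    return dt.strftime(TS)


def _parse_ts(s):
    return datetime.strptime(s, TS).replace(tzinfo=timezone.utc)


def build_authz_query(subject, resource, action, now):
    """PEP side: a samlp:Request asking the PDP whether subject may perform action on resource."""
    req = ET.Element(f"{{{SAMLP}}}Request", {
        "MajorVersion": "1", "MinorVersion": "0",
        "RequestID": "_" + uuid.uuid4().hex, "IssueInstant": _ts(now)})
    q = ET.SubElement(req, f"{{{SAMLP}}}AuthorizationDecisionQuery", {"Resource": resource})
    subj = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = subject
    ET.SubElement(q, f"{{{SAML}}}Action", {"Namespace": ACTION_NS}).text = action
    return ET.tostring(req, encoding="unicode")


def pdp_respond(request_xml, policy, now, issuer="pdp.example.com"):
    """PDP side: evaluate the query against `policy` ({(subject, resource): set of actions})
    and return a samlp:Response wrapping one assertion with an AuthorizationDecisionStatement.
    The assertion is valid for five minutes via saml:Conditions."""
    req = ET.fromstring(request_xml)
    q = req.find(f"{{{SAMLP}}}AuthorizationDecisionQuery")
    subject = q.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    resource = q.get("Resource")
    action = q.findtext(f"{{{SAML}}}Action")
    decision = "Permit" if action in policy.get((subject, resource), set()) else "Deny"

    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "MajorVersion": "1", "MinorVersion": "0", "ResponseID": "_" + uuid.uuid4().hex,
        "InResponseTo": req.get("RequestID"), "IssueInstant": _ts(now)})
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": "samlp:Success"})
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "MajorVersion": "1", "MinorVersion": "0", "AssertionID": "_" + uuid.uuid4().hex,
        "Issuer": issuer, "IssueInstant": _ts(now)})
    ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": _ts(now), "NotOnOrAfter": _ts(now + timedelta(minutes=5))})
    st = ET.SubElement(a, f"{{{SAML}}}AuthorizationDecisionStatement",
                       {"Resource": resource, "Decision": decision})
    subj = ET.SubElement(st, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = subject
    ET.SubElement(st, f"{{{SAML}}}Action", {"Namespace": ACTION_NS}).text = action
    return ET.tostring(resp, encoding="unicode")


def pep_enforce(response_xml, expected_request_id, trusted_issuer, resource, now):
    """PEP side: grant only if the response answers our request, reports Success, comes
    from the trusted issuer, is inside its validity window, and says Permit for the
    resource we asked about. Every other case is treated as Deny (fail closed)."""
    resp = ET.fromstring(response_xml)
    if resp.get("InResponseTo") != expected_request_id:
        return False
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != "samlp:Success":
        return False
    a = resp.find(f"{{{SAML}}}Assertion")
    if a is None or a.get("Issuer") != trusted_issuer:
        return False
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is not None and not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
        return False
    st = a.find(f"{{{SAML}}}AuthorizationDecisionStatement")
    return st is not None and st.get("Resource") == resource and st.get("Decision") == "Permit"


def run_demo():
    """Drive one Permit, one Deny, and one expired-assertion case; returns the PEP's decisions."""
    now = datetime(2003, 6, 1, 12, 0, 0, tzinfo=timezone.utc)   # fixed clock for reproducibility
    res = "https://portal.example.com/orders"
    policy = {("alice@example.com", res): {"Read", "Write"}}   # constructed policy table
    out = {}
    for subject, action, check_at in [("alice@example.com", "Write", now),
                                      ("bob@example.com", "Write", now),
                                      ("alice@example.com", "Read", now + timedelta(minutes=10))]:
        req = build_authz_query(subject, res, action, now)
        req_id = ET.fromstring(req).get("RequestID")
        out[(subject, action)] = pep_enforce(pdp_respond(req, policy, now), req_id,
                                             "pdp.example.com", res, check_at)
    return out


if __name__ == "__main__":
    print(run_demo())
```

The checks in pep_enforce are the minimum a PEP should apply to any PDP answer: correlate on InResponseTo so a response cannot be replayed against a different query, honour the Conditions window, and fail closed on anything unexpected. A production PEP would additionally verify the XML Signature on the assertion (the SAML 1.0 schema allows a ds:Signature child) rather than trusting the Issuer attribute on its own, and would obtain the response over a protected binding such as SOAP over HTTPS as described in the next paragraph.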

Finally, SAML includes a set of bindings that define how SAML messages, requests and responses are transported over different messaging protocols.

SAML 1.0 was recently submitted to and ratified by the OASIS organization. This specification contains SAML bindings to SOAP over HTTP and HTTPS, as well as Web SSO profiles.

At the time this document was produced, SAML 1.1 was still in development. One of the major additions to SAML 1.1 will be the inclusion of a SAML binding to WS-Security.