Novell Documentation: SAML Extension for Novell iChain

Defining SAML

SAML is an XML language intended to facilitate the exchange of authentication, attribute, and authorization information. Why invent a new language to do this? First, authentication and permissions information is shared in mostly proprietary ways. This means that in most cases, for two different systems to communicate security information, custom code must be developed. Second, Web-based applications need to be able to authenticate across domains more easily. Simply passing usernames and passwords is not sufficient for enterprise applications.

Common Web Application Scenarios

There are numerous ways SAML-based technology can add functionality to identity-based applications. A few examples are:

A user is a member of a pharmaceutical research organization and is logged in to his or her research portal. The user should have access to a sister organization's application to obtain clinical trial data. The user should be able to access trial data for the only the drugs his or her organization is working with.
A corporate admin user can access a supplier's Web site to order office supplies. The user is granted access to supplies for which he or she has been cleared to purchase and can only purchase a certain quantity of goods.
A corporate portal user wants to enroll in the company's benefits program. The user selects a link to the benefits provider who can present the employee with the appropriate benefits options, and can automatically enroll the user into the desired programs.

SAML Use Cases

SAML was developed to handle three generate types of use cases:

Single sign-on
Authorization services
Back-office transactions

Single Sign-On

This is the most intuitive SAML use case. A user logs in to a source site. The user selects a link at the source site, directing him or her to a secure resource on a destination site. The destination site is able to authenticate the user and provide the user with the secure resource.

Authorization Services

A user has authenticated to a site and/or application. The user access to a resource controlled by a Policy Enforcement Point (PEP). The PEP checks for user access to the desired resource. The user is either granted or denied access to the resource. SAML is used as the communication mechanism between the PEP and a Policy Decision Point (PDP). In Novell product terminology, a PEP could be thought of as iChain^®, and the PDP as Novell^® eDirectory^TM or another service.

Back-Office Transactions

A corporate user has logged into his or her company portal and wants to order office supplies. The office supply company can authenticate the user and determine if the user has rights to order the supplies, as well as what the user's spending limit is.

SAML Requirements

SAML provides the following key features that make the above-mentioned use cases possible:

A standard XML format
An XML schema defining SAML assertions
A standard message exchange protocol
An XML schema defining SAML messages
Bindings to transport protocols
Rules describing how messages are transmitted over different communications protocols (HTTP, HTTPS)

SAML 1.0 Features

SAML is, in essence, an XML schema and encoding for expressing security information. SAML-encoded security information is referred to as an assertion. A SAML assertion can contain a number of different SAML statements containing information about authentication, attributes, and authorization.

SAML also includes an XML schema and encoding system for making SAML requests and responses. A system receiving a user with SAML information needs to request an assertion from the user's source site. A Policy Enforcement Point (PEP) that needs authorization information can make that request to a Policy Decision Point (PDP) using SAML.

Finally, SAML includes a set of bindings that define how SAML messages, requests and responses are transported over different messaging protocols.

SAML 1.0 was recently submitted and ratified by the OASIS organization. This specification contains SAML bindings to SOAP over HTTP and HTTPS, as well as Web SSO profiles.

As of when this document was produced, SAML 1.1 is still in development. One of the major additions to SAML 1.1 will be the inclusion of a SAML binding to WS-Security.