What is SAML?
SAML stands for the Security Assertion Markup Language.
SAML has been developed by the Security Services Technical Committee of the OASIS standards organization. It provides a standard for exchanging security information about users over the Internet.
SAML is based on XML messages called assertions. An assertion contains information that determines whether a user can be authenticated or authorized to use resources. SAML enables single sign-on across trusted domains, such as Web sites or Web Services.
How does SAML exchange security information?
SAML is often illustrated through scenarios in which SAML is used to share authentication and authorization information between parties. The following procedure describes one of these scenarios:
1. User contacts a SAML Authority to obtain a SAML assertion.
2. SAML Authority authenticates the user and issues a signed assertion that specifies which resources (Web sites or Web Services) the user can access.
3. User issues a request containing this assertion to one of the specified Web Services.
4. The receiving Web service uses the assertion to allow the user access without authenticating the user again.
Rather than authenticating the user itself, the Web service examines the SAML Authority's signature on the assertion to ensure that the assertion is valid and has been issued by a trusted SAML Authority.
Types of SAML Assertion
In addition to providing authentication information about a user, assertions can provide authorization information. The following describes the different types of SAML assertion:
• Authentication assertion
Contains authentication decisions made about the user. Web sites or Web Services can use this type of assertion as a basis for authenticating a user. An example of how this type of assertion can be used is given in the scenario described above.
• Authorization assertion
Contains authorization decisions made about the user. Web Services use this type of assertion as a basis for granting users authorization. For example, the assertion may state that the user has read access to whitepapers. For this type of assertion to be meaningful, the same types of permission and types of resource must be used by the Web service that created the assertion and the service that uses the assertion to authorize users.
• Attribute assertion
Contains attributes of a user that can be used to determine authorization. Examples of attributes include the identity of a user and the type of access that the user has been allowed. Web Services use this type of assertion to decide whether a user should be authenticated and the level of authorization they should be granted. Unlike the other two types of assertion, this type does not contain decisions that have already been made about the user.
Courtesy: http://www.vordel.com/knowledgebase/tutorial_xml_security/XMLS22.html