Archive for June, 2007

What is SAML

June 19, 2007

What is SAML?

SAML stands for Security Assertion Markup Language. It was developed by the Security Services Technical Committee of the OASIS standards organization and provides a standard for exchanging security information about users over the Internet.

SAML is based on XML messages called assertions. Assertions carry the information a receiving party uses to decide whether a user is authenticated or authorized to use a resource. SAML enables single sign-on across trusted domains, such as Web sites or Web Services.

How does SAML exchange security information?
SAML is often illustrated through scenarios in which it is used to share authentication and authorization information between parties. The following procedure describes one of these scenarios:
1. The user contacts a SAML Authority to obtain a SAML assertion.
2. The SAML Authority authenticates the user and issues a signed assertion that specifies which resources (Web sites or Web Services) the user can access.
3. The user sends a request containing this assertion to one of the specified Web Services.
4. The receiving Web Service uses the assertion to grant the user access without authenticating them again.
Rather than authenticating the user itself, the Web Service examines the SAML Authority's signature to ensure that the assertion is valid and was issued by a trusted SAML Authority.

Types of SAML Assertion
In addition to providing authentication information about a user, assertions can provide authorization information. The following describes the different types of SAML assertion:

• Authentication assertion
Contains authentication decisions made about the user. Web sites or Web Services can use this type of assertion as a basis for authenticating a user. An example of how this type of assertion can be used is shown in the procedure above.

• Authorization assertion
Contains authorization decisions made about the user. Web Services use this type of assertion as a basis for granting users authorization. For example, the assertion may state that the user has read access to whitepapers. For this type of assertion to be meaningful, the party that created the assertion and the Web Service that uses it to authorize users must share the same vocabulary of permission types and resource types.

• Attribute assertion
Contains attributes of a user that can be used to determine authorization. Examples of attributes include the identity of the user and the type of access the user has been allowed. Web Services use this type of assertion to decide whether a user should be authenticated and what level of authorization they should be granted. Unlike the other two types of assertion, an attribute assertion does not contain decisions that have already been made about the user.
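The scenario above (the SAML Authority issues a signed assertion; the Web Service checks the issuer and the signature instead of re-authenticating the user), together with the authentication and attribute statements just described, as an added example that is not part of the original post. It uses only Python's standard library. Real SAML carries an XML Signature verified with the authority's public key; because that needs an XML-DSig library, the signature is replaced here by an HMAC-SHA256 over the canonicalized Assertion under a key shared between the authority and the Web Service, a deliberate simplification that keeps the enveloped-signature shape. The issuer and service names, the user, the role attribute and the key are constructed sample values.

```python
"""SAML 2.0 assertion issuance and relying-party validation, simplified (see lead-in)."""
import copy
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from collections import namedtuple
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("saml", SAML)
ET.register_namespace("ds", DS)
AUTHN_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
TS = "%Y-%m-%dT%H:%M:%SZ"
# accepted=True -> detail is the subject NameID; accepted=False -> detail is the reason.
Verdict = namedtuple("Verdict", "accepted detail attributes")

def _q(ns, local):
    return f"{{{ns}}}{local}"

def _child(parent, local, text=None, **attrs):
    el = ET.SubElement(parent, _q(SAML, local), attrs)
    el.text = text
    return el

def _signed_bytes(assertion):
    # C14N of the Assertion minus its Signature child: the bytes the MAC covers
    # (the enveloped-signature idea from XML Signature, with HMAC standing in).
    tree = copy.deepcopy(assertion)
    for sig in tree.findall(_q(DS, "Signature")):
        tree.remove(sig)
    return ET.canonicalize(ET.tostring(tree, encoding="unicode")).encode()

def issue_assertion(issuer, key, subject, audience, attributes, now, lifetime=timedelta(minutes=5)):
    """Step 2: the SAML Authority, having authenticated the user, issues a signed
    Assertion carrying an authentication statement and an attribute statement."""
    a = ET.Element(_q(SAML, "Assertion"), {"Version": "2.0", "ID": "_" + secrets.token_hex(16),
                                            "IssueInstant": now.strftime(TS)})
    _child(a, "Issuer", issuer)
    _child(_child(a, "Subject"), "NameID", subject)
    cond = _child(a, "Conditions", NotBefore=now.strftime(TS), NotOnOrAfter=(now + lifetime).strftime(TS))
    _child(_child(cond, "AudienceRestriction"), "Audience", audience)
    authn = _child(a, "AuthnStatement", AuthnInstant=now.strftime(TS))
    _child(_child(authn, "AuthnContext"), "AuthnContextClassRef", AUTHN_CTX)
    stmt = _child(a, "AttributeStatement")
    for name, value in attributes.items():
        _child(_child(stmt, "Attribute", Name=name), "AttributeValue", value)
    mac = hmac.new(key, _signed_bytes(a), hashlib.sha256).hexdigest()
    ET.SubElement(ET.SubElement(a, _q(DS, "Signature")), _q(DS, "SignatureValue")).text = mac
    return ET.tostring(a)

def validate_assertion(xml_bytes, trusted_issuers, expected_audience, now):
    """Step 4: the Web Service does not re-authenticate the user; it checks the issuer is
    trusted, the signature verifies under that issuer's key and the Conditions hold."""
    reject = lambda reason: Verdict(False, reason, {})
    try:
        a = ET.fromstring(xml_bytes)   # untrusted input: prefer defusedxml in production
    except ET.ParseError as exc:
        return reject(f"malformed XML: {exc}")
    key = trusted_issuers.get(a.findtext(_q(SAML, "Issuer")))   # resolve key by issuer first
    if key is None:
        return reject("untrusted issuer")
    sigs = a.findall(_q(DS, "Signature"))
    if len(sigs) != 1:
        return reject("expected exactly one Signature")
    presented = (sigs[0].findtext(_q(DS, "SignatureValue")) or "").encode()
    expected = hmac.new(key, _signed_bytes(a), hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(presented, expected):
        return reject("signature does not verify")
    cond = a.find(_q(SAML, "Conditions"))
    try:
        not_before = datetime.strptime(cond.get("NotBefore", ""), TS).replace(tzinfo=timezone.utc)
        not_after = datetime.strptime(cond.get("NotOnOrAfter", ""), TS).replace(tzinfo=timezone.utc)
    except (AttributeError, ValueError):
        return reject("missing or malformed Conditions")
    if not not_before <= now < not_after:
        return reject("outside validity window")
    if expected_audience not in [e.text for e in cond.iter(_q(SAML, "Audience"))]:
        return reject("audience restriction not satisfied")
    subject = a.findtext(_q(SAML, "Subject") + "/" + _q(SAML, "NameID")) or ""
    attrs = {e.get("Name"): e.findtext(_q(SAML, "AttributeValue")) for e in a.iter(_q(SAML, "Attribute"))}
    return Verdict(True, subject, attrs) if subject else reject("missing Subject/NameID")

KEY = secrets.token_bytes(32)   # constructed: stands in for the authority's signing key
IDP, SP = "https://idp.example.com", "https://sp.example.com"   # constructed names
NOW = datetime(2007, 6, 19, 10, 0, tzinfo=timezone.utc)

def run_scenarios():
    """One genuine assertion evaluated under several relying-party conditions."""
    trusted = {IDP: KEY}
    xml = issue_assertion(IDP, KEY, "alice", SP, {"role": "whitepaper-reader"}, NOW)
    rogue = issue_assertion("https://rogue.example.com", secrets.token_bytes(32), "alice", SP, {"role": "admin"}, NOW)
    return {
        "valid": validate_assertion(xml, trusted, SP, NOW),
        "tampered": validate_assertion(xml.replace(b">alice<", b">mallory<"), trusted, SP, NOW),
        "expired": validate_assertion(xml, trusted, SP, NOW + timedelta(minutes=10)),
        "wrong_audience": validate_assertion(xml, trusted, "https://other.example.com", NOW),
        "untrusted_issuer": validate_assertion(rogue, trusted, SP, NOW),
    }
```

Calling run_scenarios() shows the order of the checks that matters for a relying party: the issuer is resolved to a trusted key before the signature is checked, and the signature is checked before any of the assertion's contents are believed, so a tampered NameID or an assertion from an unknown authority is rejected before the validity window, audience and attributes are even read.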


Authentication Steps in Oracle Access Manager 10.1.4

June 14, 2007

Authentication Steps in Oracle Access Manager 10.1.4

1. The user sends an HTTP request for a resource.
2. AccessGate: is the resource protected?
3. Access Server checks the directory server for the policy.
4. Directory Server responds to the Access Server.
5. Access Server responds to the WebGate with the policy information.
6. WebGate presents the challenge.
7. The user submits credentials to the AccessGate.
8. AccessGate passes the credentials to the Access Server.
9. Access Server calls one or more authentication plug-ins.
10. Access Server checks the directory server for the user's DN.
11. Directory Server responds with zero or one DN.
12. Access Server responds to the AccessGate.
13. Authentication succeeds.
14. An encrypted cookie is set for the browser.
15. Is the user authorized? What are the associated actions?
16. Access Server checks the directory server for the policy.
17. Directory Server responds to the Access Server.
18. Access Server responds to the WebGate with the policy information.
19. The requested resource is returned.

Active Directory Application Mode (ADAM)

June 14, 2007

Active Directory Application Mode (ADAM) is a new mode of Active Directory designed specifically for directory-enabled applications. ADAM is a Lightweight Directory Access Protocol (LDAP) directory service that runs as a user service rather than as a system service. You can run ADAM on servers and domain controllers running operating systems in the Windows Server 2003 family (except Windows Server 2003, Web Edition), and also on client computers running Windows XP Professional.

ADAM does not require the deployment of domains or domain controllers. You can run multiple instances of ADAM concurrently on a single computer, with an independently managed schema and independently managed data for each ADAM instance.

The ideal environment for ADAM includes the following:
• A computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; or Windows XP Professional, with hardware that meets the minimum hardware requirements of the respective operating system
• For environments consisting of multiple, replicating ADAM instances, a fully functioning replication topology
• A regular backup schedule


Oracle Access Manager FAQ

June 13, 2007

FAQs on OAM 10g3

Introductory tutorial of identity management

June 13, 2007

Introductory tutorial of identity management