Versions Compared

Old Version 1

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

SAML stands for Security Assertion Markup Language, which is a an XML based data format for exchanging authentication and authorization data between an identity provider and a service provider. The single most important requirement that SAML addresses is web browser single sign-on (SSO). Three main roles are defined in SAML Specification.

  1. The Principal: This is typically the user who requires a service from tries to access a protected resource or service of a service provider entity.
  2. The Identity Provider: The SAML authority which provides the identity assertion to authenticate a principal An Identity Provider (IdP) is responsible for authenticating users and issuing assertions which include authentication/authorization decisions and user attributes.
  3. The Service Provider: The SAML consumer which provides service for principalsA Service Provider(SP) consumes the assertions issued by Identity Provider and provides services to the principals.

The main use case scenario covered by SAML is the Principal (the user) requesting access to resource or service from the Service Provider. Then the Service Provider, using SAML, communicates with the Identity Provider to obtain identity assertion. The Service Provider makes the access control decision, depending on this assertion.

...

SAML 2.0 provides five main specifications:

This article provides more information about above specifications.

SAML 2.0 web browser-based SSO profile

...

  1. The service provider determines which identity provider to use (this is the case when there are multiple identity providers. SAML identity provider discovery profile may be used).
  2. The service provider generates a SAML message and then redirects the web browser to the identity provider along with the message.
  3. Identity provider authenticates the user.
  4. The identity provider generates a SAML message and then redirects the web browser back to the service provider.
  5. The service provider processes the SAML message and decides to grant or deny access to the user.

...

Info

Identity-agent-sso is an implementation of all the details discussed above, which can be used to implement SSO enabled web applications. Travelocity is a sample SSO enabled web-app, which is implemented based on Identity-agent-sso.

Relay state

The RelayState parameter is used so that the service provider can pass some value to the identity provider with the AuthnRequest and get the same value back with the Response. This value can be any string and can be useful for service provider application logic (when there is a failure, redirecting to the URL that comes as the RelayState parameter is one way that this can be used).

  • For a inbound request to the Identity Server, if the RelayState parameter is present, the Identity Server sends back the same value in the response.
  • For federation using SAML2, the Identity Server uses the RelayState parameter to pass the session index, which is required to continue the authentication flow after receiving authentication response.

Identity provider initiated SSO

...