Access and Identity Management - Eduserv AIM

What is SAML?

Summary

The SAML (Security Assertion Markup Language) framework is a standard ratified by OASIS that facilitates the exchange of authentication and authorisation information across disparate systems. This means service providers (the owners of web-based resources) can query identity providers (the owners of data about users) for information about their users and grant access based on that information. The framework consists of an XML language that defines the structure of messages that are exchanged by systems to share user data. The framework also defines rules about the content of these messages and how they should be exchanged.


SAML has rapidly become a standard means of exchanging security information. Many commercial and non-commercial products now incorporate SAML functionality. The main advantage of using SAML is that the exchange is application neutral. That is, different applications using different architectures can be made to interoperate in a predictable and secure manner.


The types of messages defined within the SAML framework are either assertions or requests for assertions. Requests for assertions are made by service providers and contain information about the service provider. Assertions are made by identity providers, contain information about a user, and can be authentication assertions or attribute assertions. Authentication assertions contain information such as 'this person has logged into University X using a username and password'. Attribute assertions contain information, such as 'this person is called John Smith and is a member of department X', that can be used by service providers as the basis for finer-grained authorisation decisions.


SAML allows extensions to the basic protocol, referred to as SAML 'profiles'. Shibboleth is one such profile. Extensions specific to Shibboleth include the concept of anonymity, federations, and a common set of attributes as defined by the eduPerson attribute schema.

External links