
SAML Executive Overview

Introduction

The credo "Think globally, act locally" has traditionally been associated with the environmental movement – providing a helpful principle for guiding effective advocacy efforts and making personal lifestyle choices. The flip-side to this well-known phrase, namely 'Think locally, act globally', nicely describes the federated model of identity management, as exemplified by Web single sign-on. In order to access protected resources at a service provider, users authenticate to their identity provider (they are 'thinking locally' because they do not need to authenticate to a remote service provider; rather, they do so to an identity provider with which they have a closer trust relationship). Based on this authentication, they are then able to access resources at one or many service providers ('acting globally').

Federation is the dominant movement in identity management today. Federation refers to the establishment of some or all of business agreements, cryptographic trust, and user identifiers or attributes across security and policy domains to enable more seamless cross-domain business interactions. As web services promise to enable integration between business partners through loose coupling at the application and messaging layer, federation does so at the identity management layer - insulating each domain from the details of the others' authentication and authorization infrastructure.

Key to this loose coupling at the identity management layer are standardized mechanisms and formats for the communication of identity information between the domains – the standard provides the insulating buffer. The Security Assertion Markup Language (SAML) defines just such a standard.

What Is SAML?

SAML, developed by the Security Services Technical Committee of the Organization for the Advancement of Structured Information Standards (OASIS), is an XML-based framework for communicating user authentication, entitlement, and attribute information. As its name suggests, SAML allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject (an entity that is often a human user) to other entities, such as a partner company or another enterprise application.

SAML is a flexible and extensible protocol designed to be used – and customized if necessary – by other standards. The Liberty Alliance, the Internet2 Shibboleth project, and the OASIS Web Services Security (WS-Security) committee have all adopted SAML as a technological underpinning for various purposes.

SAML History

SAML V1.0 became an OASIS standard in November 2002. SAML V1.1 followed in September 2003 and has seen significant success, gaining momentum in financial services, higher education, government, and other industry segments. SAML has been broadly implemented by all major Web access management vendors. SAML is also supported in major application server products, and SAML support is also common among Web services management and security vendors. SAML V2.0 builds on that success.

Many of these implementations have demonstrated successful interoperability at a series of events – the latest of which was held at the 2005 RSA Conference. The OASIS SAML Interoperability Lab, sponsored by the US Government's GSA, used three separate scenarios to demonstrate SAML-based interaction between a government or enterprise portal and sites from typical content or service providers.

SAML V2.0 unifies the building blocks of federated identity in SAML V1.1 with input from both higher education's Shibboleth initiative and the Liberty Alliance's Identity Federation Framework. As such, SAML V2.0 is a critical step towards full convergence for federated identity standards.

What Are the Advantages of SAML?

The benefits of SAML include:

• Platform neutrality – SAML abstracts the security framework away from platform architectures and particular vendor implementations. Making security more independent of application logic is an important tenet of Service-Oriented Architecture.

• Loose coupling of directories – SAML does not require user information to be maintained and synchronized between directories.

• Improved online experience for end users – SAML enables single sign-on by allowing users to authenticate at an identity provider and then access service providers without additional authentication. In addition, identity federation (linking of multiple identities) with SAML allows for a better-customized user experience at each service while promoting privacy.

sstc-saml-exec-overview-2.0-draft-06 10 March 2005 Copyright © OASIS Open 2005. All Rights Reserved.

• Reduced administrative costs for service providers - Using SAML to 'reuse' a single act of authentication (such as logging in with a username and password) multiple times across multiple services can reduce the cost of maintaining account information. This burden is transferred to the identity provider.

• Risk transference – SAML can act to push responsibility for proper management of identities to the identity provider, which is more often compatible with its business model than that of a service provider.

How Is SAML Being Used?

As befits a general framework for communicating security and identity information, SAML is being applied in a number of different ways, the major ones of which are presented here.

Web SSO

In web single sign-on, a user authenticates to one web site and then, without additional authentication, is able to access some personalized or customized resources at another site. SAML enables web SSO through the communication of an authentication assertion from the first site to the second which, if confident of the origin of the assertion, can choose to log in the user as if they had authenticated directly. The basic SSO model is shown in the diagram below. A principal authenticates at the identity provider and is subsequently appropriately recognized as (and given corresponding access/service) at the service provider.

Attribute-Based Authorization

Similar to the Web SSO scenario, the attribute-based authorization model has one web site communicating identity information about a subject to another web site in support of some transaction. However, the identity information may be some characteristic of the subject (such as a person's role in a B2B scenario) rather than, or in addition to, information about when and how the person was authenticated. The attribute-based authorization model is important when the individual's particular identity is either not important, should not be shared (for privacy reasons), or is insufficient on its own.

Securing Web Services

SAML assertions can be used within SOAP messages in order to carry security and identity information between actors in web service transactions. The SAML Token Profile of the OASIS WS-Security TC specifies how SAML assertions should be used for this purpose. The Liberty Alliance's Identity Web Service Framework (ID-WSF) also uses SAML assertions as the base security token for enabling secure and privacy-respecting access to web services.

What Are the Components of SAML?

SAML is defined in terms of assertions, protocols, bindings, and profiles.


Assertions

An assertion is a package of information that supplies one or more statements made by a SAML authority. SAML defines three different kinds of assertion statement that can be created by a SAML authority.

• Authentication: The specified subject was authenticated by a particular means at a particular time. This kind of statement is typically generated by a SAML authority called an identity provider, which is in charge of authenticating users and keeping track of other information about them.

• Attribute: The specified subject is associated with the supplied attributes.

• Authorization Decision: A request to allow the specified subject to access the specified resource has been granted or denied.

The outer structure of an assertion is generic, providing information that is common to all of the statements within it. Within an assertion, a series of inner elements describe the authentication, attribute, authorization decision, or user-defined statements containing the specifics. The diagram below illustrates the high-level structure of a typical SAML authentication assertion.
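The Web SSO scenario described earlier and the assertion structure just described, as an added example that is not part of the OASIS overview: the identity provider side builds an assertion with the generic outer elements (Issuer, Subject, Conditions) and two inner statements (an authentication statement and an attribute statement), and the service provider side applies the checks a relying party makes before acting on it. Only Python's standard library is used; signature verification is left out because it needs an XML-DSig library, and every entity ID, subject name, attribute and timestamp is a constructed sample value.

```python
"""Build a minimal SAML 2.0 assertion and validate it at a relying party.

Added example (not from the OASIS overview). Entity IDs, subject names,
attribute names and timestamps are constructed sample values.
"""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _q(tag):
    return f"{{{SAML_NS}}}{tag}"


def build_assertion(issuer, subject, audience, attributes, issued_at, lifetime_s=300):
    """Identity provider side. Outer structure: Issuer, Subject, Conditions;
    inner statements: an AuthnStatement and an AttributeStatement whose
    attributes use plain string names and string values."""
    a = ET.Element(_q("Assertion"), {
        "Version": "2.0",
        "ID": "_" + uuid.uuid4().hex,       # unique per assertion, used for replay detection
        "IssueInstant": issued_at.strftime(TIME_FMT),
    })
    ET.SubElement(a, _q("Issuer")).text = issuer
    subj = ET.SubElement(a, _q("Subject"))
    ET.SubElement(subj, _q("NameID"), {
        "Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"}).text = subject
    cond = ET.SubElement(a, _q("Conditions"), {
        "NotBefore": issued_at.strftime(TIME_FMT),
        "NotOnOrAfter": (issued_at + dt.timedelta(seconds=lifetime_s)).strftime(TIME_FMT),
    })
    ET.SubElement(ET.SubElement(cond, _q("AudienceRestriction")), _q("Audience")).text = audience
    authn = ET.SubElement(a, _q("AuthnStatement"), {"AuthnInstant": issued_at.strftime(TIME_FMT)})
    ET.SubElement(ET.SubElement(authn, _q("AuthnContext")), _q("AuthnContextClassRef")).text = \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    attr_st = ET.SubElement(a, _q("AttributeStatement"))
    for name, value in attributes.items():
        attr = ET.SubElement(attr_st, _q("Attribute"), {"Name": name})
        ET.SubElement(attr, _q("AttributeValue")).text = value
    return ET.tostring(a, encoding="unicode")


def validate_assertion(xml_text, trusted_issuers, my_entity_id, now, seen_ids):
    """Service provider side. Signature verification is assumed to have
    happened already; these are the content checks that still apply.
    Returns (ok, reason)."""
    a = ET.fromstring(xml_text)
    if a.tag != _q("Assertion") or a.get("Version") != "2.0":
        return False, "not a SAML 2.0 assertion"
    issuer = a.findtext(_q("Issuer"))
    if issuer not in trusted_issuers:
        return False, f"untrusted issuer {issuer!r}"
    cond = a.find(_q("Conditions"))
    if cond is None:
        return False, "no Conditions"
    not_before = dt.datetime.strptime(cond.get("NotBefore"), TIME_FMT)
    not_on_or_after = dt.datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT)
    if not (not_before <= now < not_on_or_after):
        return False, "assertion outside its validity window"
    if my_entity_id not in [e.text for e in cond.iter(_q("Audience"))]:
        return False, "assertion not addressed to this service provider"
    if a.get("ID") in seen_ids:
        return False, "replayed assertion ID"
    seen_ids.add(a.get("ID"))
    return True, "ok"


def demo():
    """Runs the exchange on constructed sample values; returns each outcome."""
    t0 = dt.datetime(2005, 3, 10, 12, 0, 0)
    trusted = {"https://idp.example.org"}
    xml_text = build_assertion("https://idp.example.org", "user-7f3a",
                               "https://sp.example.com", {"role": "buyer"}, t0)
    seen = set()
    return {
        "fresh": validate_assertion(xml_text, trusted, "https://sp.example.com", t0 + dt.timedelta(seconds=10), seen),
        "replay": validate_assertion(xml_text, trusted, "https://sp.example.com", t0 + dt.timedelta(seconds=10), seen),
        "wrong_audience": validate_assertion(xml_text, trusted, "https://other.example.net", t0, set()),
        "expired": validate_assertion(xml_text, trusted, "https://sp.example.com", t0 + dt.timedelta(seconds=300), set()),
        "untrusted": validate_assertion(xml_text, set(), "https://sp.example.com", t0, set()),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} {outcome}")
```

The Conditions checks matter as much as the signature: an assertion that is correctly signed but addressed to a different audience, outside its NotBefore/NotOnOrAfter window, or presented a second time is still one the service provider should reject, which is what the `demo()` outcomes show.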

Protocols

SAML defines a number of request/response protocols that allow service providers to:

• Request from a SAML authority one or more assertions (includes a direct request of the desired assertions, as well as querying for assertions that meet particular criteria)

• Request that an identity provider authenticate a principal and return the corresponding assertion

• Request that a name identifier be registered

• Request that the use of an identifier be terminated

• Retrieve a protocol message that has been requested by means of an artifact

• Request a near-simultaneous logout of a collection of related sessions ("single logout")

• Request a name identifier mapping

Bindings

Mappings from SAML request-response message exchanges into standard messaging or communication protocols are called SAML protocol bindings. For instance, the SAML SOAP Binding defines how SAML protocol messages can be communicated within SOAP messages, whilst the HTTP Redirect binding defines how to pass protocol messages through HTTP redirection.
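How the HTTP Redirect binding carries a protocol message, as an added example that is not from the OASIS overview: the sender DEFLATE-compresses the XML, base64-encodes it and URL-encodes it into the SAMLRequest query parameter of a redirect URL, and the receiver reverses those steps. The AuthnRequest, entity IDs and URLs are constructed samples, and the SigAlg/Signature parameters that a signed redirect also carries are not shown.

```python
"""HTTP Redirect binding: a SAML protocol message travelling in a URL query string.

Added example (not from the OASIS overview). The AuthnRequest, entity IDs
and URLs below are constructed sample values.
"""
import base64
import urllib.parse
import zlib

SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req-1" Version="2.0" '
    'IssueInstant="2005-03-10T12:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs">'
    '<saml:Issuer>https://sp.example.com</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

MAX_DECODED_BYTES = 64 * 1024  # cap on inflated size; compressed input is untrusted


def redirect_encode(message_xml, relay_state=None):
    """Raw DEFLATE (no zlib header), then base64, then URL-encoding: the order
    the binding specifies for the SAMLRequest parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15 selects raw DEFLATE
    deflated = comp.compress(message_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def redirect_decode(query_string):
    """Reverse of redirect_encode; refuses a message that inflates past the cap.
    Returns (message_xml, relay_state)."""
    params = urllib.parse.parse_qs(query_string, strict_parsing=True)
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(raw, MAX_DECODED_BYTES)
    if inflater.unconsumed_tail:
        raise ValueError("decoded message exceeds size limit")
    return xml_bytes.decode("utf-8"), params.get("RelayState", [None])[0]


def build_redirect_url(idp_sso_url, message_xml, relay_state=None):
    """The URL the service provider redirects the browser to."""
    return idp_sso_url + "?" + redirect_encode(message_xml, relay_state)


if __name__ == "__main__":
    url = build_redirect_url("https://idp.example.org/sso", SAMPLE_AUTHN_REQUEST, "state-42")
    print(url)
    print(redirect_decode(url.split("?", 1)[1]))
```

The receiving side caps the inflated size on purpose: the compressed parameter comes from the browser, so unbounded decompression is the failure mode to design out when implementing this binding.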

Profiles

Generally, a profile of SAML defines constraints and/or extensions in support of the usage of SAML for a particular application – the goal being to enhance interoperability by removing some of the flexibility inevitable in a general-use standard. For instance, the Web Browser SSO Profile specifies how SAML authentication assertions are communicated between an identity provider and service provider to enable single sign-on for a browser user.

The Web SSO Profile details how to use the SAML Authentication Request/Response protocol in conjunction with different combinations of the HTTP Redirect, HTTP POST, HTTP Artifact, and SOAP bindings.

Another type of SAML profile is an attribute profile. SAML defines a series of attribute profiles to provide specific rules for interpretation of attributes in SAML attribute assertions. An example is the X.500/LDAP profile, describing how to carry X.500/LDAP attributes within SAML attribute assertions.

What's New in SAML V2.0?

SAML V2.0 introduces a number of new features, including:

• Pseudonyms – SAML V2.0 defines how an opaque pseudo-random identifier with no discernible correspondence with meaningful identifiers (for example, emails or account names) can be used between providers to represent principals. Pseudonyms are a key privacy-enabling technology because they inhibit collusion between multiple providers (as would be possible with a global identifier such as an email address).

• Identifier management – SAML V2.0 defines how two providers can establish and subsequently manage the pseudonym(s) for the principals for whom they are operating.

• Metadata – The metadata specification defines how to express configuration and trust-related data to make deployment of SAML systems easier. In doing this, it identifies the actors involved in the various profiles, such as SSO Identity Provider and Service Provider, and Attribute Authority and Requester.

The data that must be agreed on between system entities includes supported roles, identifiers, supported profiles, URLs, certificates and keys.

• Encryption – SAML V2.0 permits attribute statements, name identifiers, or entire assertions to be encrypted. This feature ensures that end-to-end confidentiality of these elements may be supported as needed.

• Attribute Profiles – Attribute profiles simplify the configuration and deployment of systems that exchange attribute data. The attribute profiles include:

Basic attribute profile: supports string attribute names and attribute values drawn from XML schema primitive type definitions.

X.500/LDAP attribute profile: supports canonical X.500/LDAP attribute names and values.

UUID attribute profile: use of UUIDs as attribute names.

XACML attribute profile: formats suitable for processing by XACML.

• Session management – The single logout protocol in SAML V2.0 provides a protocol by which all sessions provided by a particular session authority can be near-simultaneously terminated. As an example, if a principal, after authenticating at an identity provider, achieved single sign-on to multiple service providers, they could be automatically logged out of all of those service providers at the request of the identity provider.

• Devices – SAML V2.0 introduces new support for the mobile world – addressing both the challenges introduced by device and bandwidth constraints and the opportunities made possible by emerging smart or active devices.

• Privacy Mechanisms – SAML V2.0 includes mechanisms that allow providers to communicate privacy policy and settings. For instance, SAML makes it possible to obtain and express a principal's consent to some operation being performed.

• Identity provider discovery – In deployments having more than one identity provider, service providers need a means to discover which identity provider(s) a principal uses. The identity provider discovery profile relies on a cookie written in a common domain between identity and service providers.
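The Pseudonyms and Identifier management items above, as an added example that is not from the OASIS overview: an identity provider hands each service provider a different opaque, random identifier for the same principal, so two providers comparing their identifiers cannot tell they refer to the same person, and it can later terminate an identifier when asked. SAML V2.0 specifies the persistent and transient NameID formats and the management protocol, not how the opaque value is produced; generating it at random and keeping the mapping in an IdP-side table is this example's choice, and the entity IDs and account name are constructed samples.

```python
"""Per-service-provider pseudonyms at an identity provider.

Added example (not from the OASIS overview). How the opaque value is made is
this example's choice (random token plus an IdP-side lookup table); entity
IDs and the account name are constructed sample values.
"""
import secrets

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


class PseudonymService:
    """Identity provider side of pseudonym establishment and management."""

    def __init__(self, idp_entity_id):
        self.idp_entity_id = idp_entity_id
        self._by_pair = {}       # (local_user_id, sp_entity_id) -> pseudonym value
        self._by_pseudonym = {}  # (sp_entity_id, pseudonym value) -> local_user_id

    def persistent_name_id(self, local_user_id, sp_entity_id):
        """Establish (once) and return the persistent pseudonym used with one SP.
        The value is random, so it carries nothing derivable from the account."""
        key = (local_user_id, sp_entity_id)
        if key not in self._by_pair:
            value = secrets.token_urlsafe(24)
            self._by_pair[key] = value
            self._by_pseudonym[(sp_entity_id, value)] = local_user_id
        return {"Format": PERSISTENT, "NameQualifier": self.idp_entity_id,
                "SPNameQualifier": sp_entity_id, "value": self._by_pair[key]}

    def transient_name_id(self, sp_entity_id):
        """A single-use identifier for cases where the SP needs no stable handle."""
        return {"Format": TRANSIENT, "NameQualifier": self.idp_entity_id,
                "SPNameQualifier": sp_entity_id, "value": secrets.token_urlsafe(24)}

    def resolve(self, sp_entity_id, value):
        """Map a pseudonym presented by an SP back to the local account, or None."""
        return self._by_pseudonym.get((sp_entity_id, value))

    def terminate(self, sp_entity_id, value):
        """Honour a request that use of this identifier be terminated."""
        local_user_id = self._by_pseudonym.pop((sp_entity_id, value), None)
        if local_user_id is None:
            return False
        del self._by_pair[(local_user_id, sp_entity_id)]
        return True


def providers_can_correlate(name_id_a, name_id_b):
    """What two colluding SPs can learn by comparing the identifiers they hold."""
    return name_id_a["value"] == name_id_b["value"]


def demo():
    """Runs the lifecycle on constructed sample values; returns named checks."""
    idp = PseudonymService("https://idp.example.org")
    alice = "alice@example.org"          # local account name; never sent to an SP
    store, bank = "https://store.example.com", "https://bank.example.net"
    at_store = idp.persistent_name_id(alice, store)
    at_bank = idp.persistent_name_id(alice, bank)
    again = idp.persistent_name_id(alice, store)
    resolved = idp.resolve(store, at_store["value"])
    terminated = idp.terminate(store, at_store["value"])
    after = idp.resolve(store, at_store["value"])
    fresh = idp.persistent_name_id(alice, store)
    return {
        "stable": again["value"] == at_store["value"],
        "unlinkable": not providers_can_correlate(at_store, at_bank),
        "opaque": "alice" not in at_store["value"] and "alice" not in at_bank["value"],
        "resolved": resolved == alice,
        "terminated": terminated and after is None,
        "renewed": fresh["value"] != at_store["value"],
        "transient_differs": idp.transient_name_id(store)["value"] != idp.transient_name_id(store)["value"],
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:18s} {ok}")
```

Compare this with handing every service provider the same email address: the `unlinkable` check fails immediately for a global identifier, which is the collusion risk the Pseudonyms item describes.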

How Does SAML Relate to Other Standards and Initiatives?

SAML is used by several other standards groups to provide a security and identity underpinning for their work.

Liberty Alliance

The Liberty Alliance is an industry consortium defining standards for federated identity – including enabling simplified sign-on through federated network identification using current and emerging network access devices, as well as supporting and promoting permission-based attribute sharing to enable a user's choice and control over the use and disclosure of his/her personal identification.

Liberty had defined its Identity Federation Framework (ID-FF) on the base provided by SAML V1.x, layering additional functionality on top. Recognizing the value of a single standard for federated SSO, the Alliance submitted ID-FF V1.2 back into the OASIS Security Services Technical Committee as input for SAML V2.0.

Liberty's Identity Web Services Framework (ID-WSF), a platform for securing identity-based web services, continues to evolve within the Liberty Alliance. Liberty ID-WSF uses SAML assertions as the security token format by which the authentication and authorization information associated with the various web service actors are communicated amongst them.


Shibboleth

Shibboleth is a project within the Internet2 higher-education consortium to develop technical and policy frameworks and an open software system for the sharing of online resources among researchers, professors, and students. Like Liberty, Shibboleth profiled SAML for its particular requirements and, also like Liberty, built privacy management into its architecture. Shibboleth's input has been fed back into SAML V2.0.

XACML

XACML (eXtensible Access Control Markup Language) is an XML-based language for access control that has been standardized in OASIS. XACML describes both an access control policy language and a request/response language. The policy language is used to express access control policies ('who can do what when'). The request/response language expresses queries about whether a particular access should be allowed (requests) and describes answers to those queries (responses). The newest versions of XACML and SAML have been designed to complement each other; for example, an XACML policy can specify what a provider should do when it receives a SAML assertion, and XACML-based attributes can be expressed in SAML.

WS-Security

WS-Security is an OASIS standard that specifies how SOAP messages can have their integrity and confidentiality ensured. WS-Security defines a framework for securing SOAP messages, with the specifics being defined in profiles determined by the nature of the security token used to carry identity information. So, for instance, there are different profiles of WS-Security for various different security token formats such as X.509 certificates and Kerberos tickets. As already noted in the Securing Web Services section above, there is also a SAML token profile of WS-Security that specifies how SAML assertions can be used to provide message security.

Additionally, SAML itself points to WS-Security as an approved mechanism for securing SOAP messages carrying SAML protocol messages and assertions.

Summary

A federated identity is one that is both portable and potable, that is, it can be transported and consumed across autonomous domains or business boundaries. Effective identity federation benefits both users and enterprises - providing principals with a smooth, cross-domain browsing experience through SSO and allowing enterprises to make their resources available to a class of users without the associated administrative costs.

SAML has emerged as the gold standard for federated identity. By defining standardized mechanisms for the communication of security and identity information between business partners, SAML makes federated identity, and the cross-domain transactions that it enables, a reality. Importantly, with SAML V2.0, the industry has taken a key step towards convergence in the federated identity management standards space.

Revision History

#   Date         By Whom      What
00  18 Jun 2004  Paul Madsen  Initial draft.
01  30 Jun 2004  Paul Madsen  Expanded on What is SAML section, added Benefits section, new stack diagram, new 'What's new in SAML2' section, removed section on federation models
02  01 Nov 2004  Paul Madsen  Expanded 'Other Standards' section, removed web services stack diagram, filled in 'What's New' section
03  18 Jan 2005  Paul Madsen  Moved into two column format, removed boilerplate etc
04  1 Feb 2005   Paul Madsen  Added text from Prateek and Eve, Tom, and Scott
05  17 Feb 2005  Paul Madsen  'assertions' -> assertion in SAML expansion
06  10 Mar 2005  Eve Maler    Editorial cleanup