Lets take a more detailed look at each of the SAML components. There are 4 major SAML components: assertion, protocol, binding, and profile.

1). Assertions: SAML allows for one party to assert security information in the form of statements about a subject. For instance, a SAML assertion could state that the subject is named "Sandeep Joshi", has an email address of javagenious.com@gmail.com, and is a member of the "Java Lovers" group.
An assertion contains some basic required or optional information that applies to all its statements. SAML defines three kinds of statements that can be carried within an assertion:

Authentication statements: These are created by the party that successfully authenticated a user. At a minimum, they describe the particular means used to authenticate the user and the specific time at which the authentication took place.

Attribute statements: These contain specific identifying attributes about the subject (for example, that user “John Doe” has “Gold” card status).

Authorization decision statements: These define something that the subject is entitled to do (for example, whether “John Doe” is permitted to buy a specified item).

 

2). Protocols: SAML defines a number of generalized request/response protocols:

Authentication Request Protocol: Defines a means by which a principal (or an agent acting on behalf of the principal) can request assertions containing authentication statements and,optionally, attribute statements. The Web Browser SSO Profile uses this protocol when redirecting a user from an SP to an IdP when it needs to obtain an assertion in order to establish a security context for the user at the SP.

Single Logout Protocol: Defines a mechanism to allow near-simultaneous logout of active sessions associated with a principal. The logout can be directly initiated by the user, or initiated by an IdP or SP because of a session timeout, administrator command, etc.

Assertion Query and Request Protocol: Defines a set of queries by which SAML assertions may be obtained. The Request form of this protocol can ask an asserting party for an existing assertion by referring to its assertion ID. The Query form of this protocol defines how a relying party can ask for assertions (new or existing) on the basis of a specific subject and the desired statement type.

Artifact Resolution Protocol: Provides a mechanism by which SAML protocol messages may be passed by reference using a small, fixed-length value called an artifact. The artifact receiver uses the Artifact Resolution Protocol to ask the message creator to dereference the artifact and return the actual protocol message. The artifact is typically passed to a message recipient using one SAML binding (e.g. HTTP Redirect) while the resolution request and response take place
over a synchronous binding, such as SOAP.

Name Identifier Management Protocol: Provides mechanisms to change the value or format of the name identifier used to refer to a principal. The issuer of the request can be either the service provider or the identity provider. The protocol also provides a mechanism to terminate an association of a name identifier between an identity provider and service provider.

Name Identifier Mapping Protocol: Provides a mechanism to programmatically map one SAML name identifier into another, subject to appropriate policy controls. It permits, for example, one SP to request from an IdP an identifier for a user that the SP can use at another SP in an application integration scenario.

3). Bindings: SAML bindings detail exactly how the various SAML protocol messages can be carried over underlying transport protocols.

4). Profiles: SAML profiles define how the SAML assertions, protocols, and bindings are combined and constrained to provide greater interoperability in particular usage scenarios. Some of these profiles are examined in detail later in this document.


Enter your email address:

Delivered by FeedBurner



Sandeep Joshi
Mathematics, Technology and Programming are my passion. I am a part of Java Ecosystem and through this blog, I contribute to it. I am here to blog about my interests, views and experiences.
I am on Google+ and Facebook.
I feel proud to be listed as a "National Memory Record Holder" in the Limca Book of Records, 2009 and have attempted for an International Memory record in the Guiness Book of Records. I can remember the value of PI upto 10,000 digits after the decimal (3.1415.....). You can contact me on javagenious.com(At)gmal.com ; I would like to hear from you :)