What is SAML (Security Assertion Markup Language)?
Security Assertion Markup Language (SAML) is an XML-based framework for exchanging authentication and authorization data between parties, typically between an identity provider (IdP), which authenticates the user, and a service provider (SP), which relies on that authentication to grant access. It is widely used for Single Sign-On (SSO), where a user authenticates once at the IdP and then gains access to many applications and services without re-entering credentials.
History and Evolution
Origins and Early Development
Initial Development: SAML was developed by the OASIS (Organization for the Advancement of Structured Information Standards) Security Services Technical Committee. The goal was to create a standardized method for exchanging authentication and authorization data, which was increasingly needed as web-based applications and services proliferated.
Version 1.0: The first version of SAML, 1.0, was released in November 2002. This version laid the groundwork for XML-based protocols in identity federation, which enabled organizations to delegate authentication and authorization responsibilities securely.
Key Milestones
SAML 1.1: Ratified in September 2003, SAML 1.1 was a minor revision of 1.0 that tightened the Browser/Artifact and Browser/POST profiles and the use of XML Signature, mainly to improve interoperability between implementations.
SAML 2.0: SAML 2.0 was a major overhaul released in March 2005. It converged SAML 1.1 with Liberty Alliance's ID-FF 1.2 and ideas from Shibboleth, and it is not backward compatible with 1.x. SAML 2.0 is the version in use today and includes:
Improved Single Sign-On (SSO) Capabilities: SP-initiated SSO via the new AuthnRequest message (SAML 1.x only supported IdP-initiated flows), plus single logout and name identifier management.
Metadata Exchange: A standard metadata format describing each party's entity ID, endpoints, bindings and signing/encryption certificates, so that trust and endpoint configuration can be exchanged as a file rather than agreed by hand.
Enhanced Security Features: XML Encryption support for encrypted assertions, attributes and name identifiers, and signatures on requests and responses as well as on assertions.
Broader Protocol Support: Additional bindings (HTTP Redirect, HTTP POST, HTTP Artifact, SOAP, PAOS) and profiles (Web Browser SSO, Enhanced Client or Proxy, Single Logout, Artifact Resolution), so SAML can be used beyond the browser-only case.
Core Components
SAML operates using several core components:
Assertions:
Authentication Assertion: Confirms that a user has been authenticated by an identity provider.
Attribute Assertion: Contains attributes about a user, such as email addresses, roles, or group memberships.
Authorization Decision Assertion: Specifies whether a user is allowed to access a resource. This statement type was frozen in SAML 2.0 in favour of XACML, and in practice authorization is usually derived by the service provider from attribute assertions instead.
Protocols:
Authentication Request Protocol: The mechanism by which a service provider requests authentication from an identity provider.
Single Logout Protocol: Handles logout requests to ensure that a user is logged out from all services.
Bindings:
HTTP Redirect Binding: Carries a SAML message in the URL query string of an HTTP redirect (the XML is DEFLATE-compressed and base64-encoded into a SAMLRequest or SAMLResponse parameter). Because of URL length limits it is used for short messages such as an AuthnRequest, and a signature has to travel in separate SigAlg and Signature query parameters.
HTTP POST Binding: Carries a base64-encoded SAML message in a hidden form field that the browser auto-submits. It is the normal way an IdP returns a Response, which is too large and too sensitive for a URL.
SOAP Binding: Allows SAML messages to be transmitted over SOAP (Simple Object Access Protocol) directly between systems, without a browser in the loop.
Profiles:
Web Browser SSO Profile: Provides a standard way for SSO interactions between a web browser and SAML-based services.
Enhanced Client or Proxy (ECP) Profile: Used by clients that are not ordinary web browsers (rich clients, or proxies acting on their behalf) and that can exchange SAML messages with the IdP directly over SOAP rather than by following redirects.
How SAML Works: The SSO Journey
User Requests Access: A user attempts to access a service or application (the service provider) and has no session there.
Redirect to Identity Provider: The service provider builds an AuthnRequest and redirects the user's browser to the identity provider's SSO endpoint, carrying the request in the URL (HTTP Redirect binding) or in an auto-submitted form (HTTP POST binding). This is SP-initiated SSO; in IdP-initiated SSO the user starts at the IdP and this step is skipped.
Authentication by Identity Provider: The user authenticates to the identity provider (password, multi-factor, or an existing IdP session), never presenting credentials to the service provider.
SAML Assertion Issuance: Upon successful authentication, the identity provider issues a signed SAML Response containing an assertion about the user and returns it through the user's browser, normally as a base64-encoded form field posted to the service provider's Assertion Consumer Service (ACS) URL.
Assertion Validation: The service provider's ACS verifies the identity provider's XML signature against the certificate from the IdP's metadata, then checks that the Issuer is the expected IdP, that Destination and Recipient name its own ACS URL, that its entity ID appears in the AudienceRestriction, that the current time falls within NotBefore/NotOnOrAfter, that InResponseTo matches an AuthnRequest it actually sent, and that the assertion ID has not been seen before (replay). Only then does it create a local session for the user named in the Subject and apply the attributes from the assertion.
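The service provider's side of steps 1 and 2 (building the AuthnRequest and carrying it to the IdP over the HTTP Redirect binding described under Bindings), as an added example that is not part of the original page or of any SAML library. The entity IDs and endpoint URLs (SP_ENTITY_ID, ACS_URL, IDP_SSO_URL) are assumed values, and request signing is described in a comment but not implemented:

```python
"""SP side of SSO steps 1-2: build an AuthnRequest and carry it over the HTTP-Redirect binding.

Added example, not from the page or from any SAML library. SP_ENTITY_ID, ACS_URL and
IDP_SSO_URL are assumed values; request signing is described but not implemented.
"""
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import quoteattr

SP_ENTITY_ID = "https://sp.example.com"                       # assumed SP entityID
ACS_URL = "https://sp.example.com/ACS"                        # assumed Assertion Consumer Service
IDP_SSO_URL = "https://idp.example.com/SAML2/SSO/Redirect"    # assumed IdP SSO endpoint
MAX_INFLATED = 1 << 20                                        # cap on inflated request size


def new_request_id():
    """SAML IDs are xs:ID values: unpredictable, and not starting with a digit."""
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id, issue_instant=None):
    """Serialise the AuthnRequest shown on the page. The SP must store request_id
    (keyed to the browser session) so it can check InResponseTo on the Response."""
    if issue_instant is None:
        issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID={quoteattr(request_id)} Version="2.0" IssueInstant={quoteattr(issue_instant)} '
        f"Destination={quoteattr(IDP_SSO_URL)} "
        f"AssertionConsumerServiceURL={quoteattr(ACS_URL)} "
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def redirect_encode(xml):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header, wbits=-15), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")


def redirect_decode(value):
    """Inverse of redirect_encode, as the IdP (or an analyst with a captured URL) does it.
    The inflated size is capped because the value comes from an untrusted party."""
    d = zlib.decompressobj(-15)
    raw = d.decompress(base64.b64decode(value), MAX_INFLATED)
    if d.unconsumed_tail:
        raise ValueError("SAMLRequest exceeds MAX_INFLATED bytes")
    return (raw + d.flush()).decode("utf-8")


def post_encode(xml):
    """HTTP-POST binding: base64 only, no DEFLATE; goes in a hidden form field."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def build_redirect_url(authn_request_xml, relay_state=None):
    """The Location header the SP sends the browser to. With this binding a signature
    cannot live inside the XML; a signed request adds SigAlg and Signature query
    parameters computed over 'SAMLRequest=...&RelayState=...&SigAlg=...' (not done here)."""
    params = {"SAMLRequest": redirect_encode(authn_request_xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state      # opaque SP state, must not carry secrets
    return IDP_SSO_URL + "?" + urlencode(params)


def parse_redirect_url(url):
    """What the IdP's SSO endpoint does first: recover the XML and RelayState."""
    qs = parse_qs(urlsplit(url).query)
    return redirect_decode(qs["SAMLRequest"][0]), qs.get("RelayState", [None])[0]
```

`redirect_decode` is also the quickest way to read a SAMLRequest out of a captured URL during a pentest or an incident review: raw DEFLATE with a negative window size, then UTF-8. The inflation cap matters on the IdP side because the parameter is attacker-controlled and a small base64 string can inflate to a very large document.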
Adoption and Usage
SAML 2.0 is widely adopted in enterprise and business-to-business applications, where the IdP is typically a corporate directory or identity platform and the SPs are internal or SaaS applications (consumer-facing sites more often use OpenID Connect). It is commonly used for:
Single Sign-On (SSO): Allowing users to authenticate once and gain access to multiple services.
Federated Identity Management: Enabling organizations to share authentication data securely across different domains.
Cloud Service Integration: Facilitating SSO and seamless authentication for cloud-based applications and services.
SAML Language Examples:
SAML (Security Assertion Markup Language) is primarily used to exchange authentication and authorization data between parties, typically between an Identity Provider (IdP) and a Service Provider (SP). Below are examples of the key components in SAML: SAML assertions, SAML requests, and SAML responses.
SAML Assertion Example
A SAML Assertion is an XML document that contains statements about a user. Here's a simplified example of an Authentication Assertion, written with the conventional saml: namespace prefix; the identity provider's ds:Signature element, which a real assertion carries, is omitted:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="abc123" IssueInstant="2024-08-22T10:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <!-- ds:Signature over this Assertion omitted for brevity -->
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-08-22T10:05:00Z" Recipient="https://sp.example.com/ACS"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-08-22T09:00:00Z" NotOnOrAfter="2024-08-22T11:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-08-22T10:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
Note the two separate validity windows: Conditions bounds the assertion as a whole, while the bearer SubjectConfirmationData has a much shorter NotOnOrAfter and a Recipient that must equal the SP's Assertion Consumer Service URL, because a bearer assertion is usable by whoever holds it.
SAML Request Example
A SAML Request is an XML message sent by the Service Provider to the Identity Provider, requesting authentication for a user. Here's an example of an AuthnRequest. ID is the value the SP later expects to see echoed in the Response's InResponseTo, and AssertionConsumerServiceURL is where the IdP must deliver the Response; an IdP should only honour that URL if it matches the SP's registered metadata:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="request123" Version="2.0" IssueInstant="2024-08-22T09:00:00Z" Destination="https://idp.example.com/SAML2/SSO/POST" AssertionConsumerServiceURL="https://sp.example.com/ACS" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://sp.example.com</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
SAML Response Example
A SAML Response is an XML message sent by the Identity Provider to the Service Provider in response to an AuthnRequest. It carries a status and, on success, the SAML Assertion. Here's an example of a SAML Response matching the request above (again with the IdP's ds:Signature omitted):
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="response123" Version="2.0" IssueInstant="2024-08-22T10:00:00Z" Destination="https://sp.example.com/ACS" InResponseTo="request123">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="assertion123" IssueInstant="2024-08-22T10:00:00Z" Version="2.0">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <!-- ds:Signature over this Assertion omitted for brevity -->
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-08-22T10:05:00Z" Recipient="https://sp.example.com/ACS" InResponseTo="request123"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-08-22T09:00:00Z" NotOnOrAfter="2024-08-22T11:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-08-22T10:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
Key Points to Note
- Assertion Element: This contains details about the user and their authentication status. It is signed by the Identity Provider with XML Signature (the examples above omit the ds:Signature element for brevity). The Service Provider must verify that signature against the certificate published in the IdP's metadata before trusting anything in the assertion, must check that the signature covers the Assertion (or the enclosing Response) it is actually about to use, and must reject unsigned assertions.
- AuthnRequest Element: This is sent by the Service Provider to request authentication. It specifies the IdP endpoint (Destination), where the Response should be delivered (AssertionConsumerServiceURL and ProtocolBinding), the kind of identifier wanted for the user (NameIDPolicy) and the requested authentication strength (RequestedAuthnContext).
- Response Element: This wraps the SAML Assertion returned for the AuthnRequest. Its Status says whether authentication succeeded, and its InResponseTo ties it to the request's ID so that a Response cannot be injected into a session that never asked for one.
These examples illustrate the core components and interactions within a SAML-based SSO scenario, providing a high-level overview of how SAML is used in practice.
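The Service Provider's acceptance checks for the Response above (the "Assertion Validation" step of the SSO journey and the points listed under Key Points to Note), as an added example that is not part of the original page or of any SAML library. SAMPLE_RESPONSE is the page's Response example embedded inline with Recipient pointed at the ACS URL; SP_ENTITY_ID, ACS_URL, IDP_ENTITY_ID and CLOCK_SKEW are assumed deployment values. The XML Signature itself is not verified here, since that needs an XML-DSig library; the code only checks that one is present, and the comment says what the real verification must do:

```python
"""SP-side checks on a SAML Response (the assertion validation step).

Added example, not from the page or from any SAML library. SAMPLE_RESPONSE is the
page's Response with Recipient set to the ACS URL; the configuration values are assumed.
"""
import re
import xml.etree.ElementTree as ET  # production code: defusedxml.ElementTree, which refuses DTDs/entities
from datetime import datetime, timedelta, timezone

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

SP_ENTITY_ID = "https://sp.example.com"      # assumed SP entityID
ACS_URL = "https://sp.example.com/ACS"       # assumed Assertion Consumer Service URL
IDP_ENTITY_ID = "https://idp.example.com"    # assumed, taken from the IdP's metadata
CLOCK_SKEW = timedelta(minutes=3)            # assumed tolerance for IdP/SP clock drift

SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="response123" Version="2.0" IssueInstant="2024-08-22T10:00:00Z"
    Destination="https://sp.example.com/ACS" InResponseTo="request123">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="assertion123" IssueInstant="2024-08-22T10:00:00Z" Version="2.0">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-08-22T10:05:00Z"
            Recipient="https://sp.example.com/ACS" InResponseTo="request123"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-08-22T09:00:00Z" NotOnOrAfter="2024-08-22T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-08-22T10:00:00Z"><saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
"""

_INSTANT = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z")


def parse_instant(value):
    """SAML dateTime values are UTC with a trailing Z; a fractional second is optional."""
    m = _INSTANT.fullmatch(value.strip())
    if not m:
        raise ValueError(f"bad xs:dateTime: {value!r}")
    dt = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt + timedelta(microseconds=int((m.group(2) or "0")[:6].ljust(6, "0")))


def validate_response(xml, now, pending_request_ids, seen_assertion_ids, require_signature=True):
    """Return a list of failures; empty means accept. On acceptance the request ID is
    consumed and the assertion ID recorded, so a replayed Response fails next time."""
    if isinstance(now, str):
        now = parse_instant(now)
    problems = []
    resp = ET.fromstring(xml)
    if resp.tag != SAMLP + "Response":
        return ["root element is not samlp:Response"]
    if resp.get("Destination") != ACS_URL:
        problems.append("Destination is not our ACS URL")
    code = resp.find(f"{SAMLP}Status/{SAMLP}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    in_resp = resp.get("InResponseTo")
    if in_resp not in pending_request_ids:
        problems.append("InResponseTo does not match an AuthnRequest we sent")
    assertions = resp.findall(SAML + "Assertion")
    if len(assertions) != 1:
        return problems + [f"expected one Assertion, found {len(assertions)}"]
    a = assertions[0]
    # The XML-DSig must be verified by a DSig library against the IdP's metadata
    # certificate, and it must cover this exact Assertion node: a valid signature
    # elsewhere in the document is the classic signature-wrapping trick.
    if require_signature and a.find(DS + "Signature") is None:
        problems.append("Assertion is not signed")
    for el in (resp, a):
        if el.findtext(SAML + "Issuer", default="").strip() != IDP_ENTITY_ID:
            problems.append("Issuer is not the configured IdP")
    cond = a.find(SAML + "Conditions")
    if cond is None:
        problems.append("no Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + CLOCK_SKEW < parse_instant(nb):
            problems.append("assertion not yet valid")
        if na and now - CLOCK_SKEW >= parse_instant(na):
            problems.append("assertion expired")
        if SP_ENTITY_ID not in [(x.text or "").strip() for x in cond.iter(SAML + "Audience")]:
            problems.append("we are not in AudienceRestriction")
    scd = next((sc.find(SAML + "SubjectConfirmationData") for sc in a.iter(SAML + "SubjectConfirmation")
                if sc.get("Method") == BEARER), None)
    if scd is None:
        problems.append("no bearer SubjectConfirmation")
    else:
        if scd.get("Recipient") != ACS_URL:
            problems.append("bearer Recipient is not our ACS URL")
        if scd.get("InResponseTo") != in_resp:
            problems.append("bearer InResponseTo mismatch")
        na = scd.get("NotOnOrAfter")
        if na is None or now - CLOCK_SKEW >= parse_instant(na):
            problems.append("bearer confirmation expired")
    if a.get("ID") in seen_assertion_ids:
        problems.append("assertion ID already seen (replay)")
    if not problems:
        pending_request_ids.discard(in_resp)
        seen_assertion_ids.add(a.get("ID"))
    return problems


def name_id(xml):
    """Subject identifier; only meaningful after validate_response returned no problems."""
    return ET.fromstring(xml).findtext(f"{SAML}Assertion/{SAML}Subject/{SAML}NameID")
```

With the default `require_signature=True` the page's sample is rejected with "Assertion is not signed", which is the correct outcome for an unsigned assertion; passing `require_signature=False` is only for reading examples like this one. The checks are deliberately collected rather than short-circuited so that a log line can show everything that was wrong with a rejected Response, which is what you want when debugging a federation or triaging an attempted forgery. The `pending_request_ids` set stands in for whatever per-session store holds the IDs of AuthnRequests the SP has issued, and `seen_assertion_ids` for a cache that lives at least as long as the longest NotOnOrAfter the SP will accept.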
Conclusion
SAML has become a fundamental technology for secure identity and access management in modern web environments. Its development since 2002 has seen it evolve from a basic standard to a robust, widely adopted framework that supports complex authentication and authorization scenarios across different platforms and services.