Computer Security: SAML
Security Assertion Markup Language
General goal:
Instead of authenticating the user directly, a service only has to validate security information about the user that was issued by a party it trusts
Why?
Allows authentication to move from a single system to a distributed system
Identity Provider (IdP):
Issues an authentication assertion once the user has presented sufficient security credentials
Service Provider (SP):
Any consumer of the security information provided by an IdP
Example Case
A web user authenticates to an airline website, which now has a valid security session running for that user
The rental company trusts this airline
So the rental company creates its own security session for the user based on that fact
Another example: using university credentials to access online databases without having to log in to each individual database website
General working
A SAML request (query) is sent to the trusted authority
The trusted authority returns assertions
The relying party (SP) acts on those assertions to serve the user's request
SAML Architecture
Profile: a SAML-based implementation for a particular use case, such as a web browser client
Binding: how protocol messages are mapped onto an underlying transport or messaging protocol
Protocol: XML-based request/response messages, which can be carried over any binding
Assertion: a package of information that supplies zero or more statements about a subject, made by a SAML authority
Example
SAML Protocols
Serve various purposes
One example is a request to log a user out of all of their simultaneous sessions at once
Useful
For further reading, please see
Note: this is NOT my work!