SAML Web Browser Profile

What is it?

The SAML Web Browser SSO Profile is one of the profiles defined in the SAML specification. As described in my introductory post on SAML, a profile describes how to fulfill a specific use-case using SAML.

In the realm of user authentication using SAML, the Web Browser Profile is very frequently used.

The use-case being described in the Web Browser Profile is how to authenticate a user that is using a web browser.

How does it work?

Below is a description and figure of the flow in the profile. As always when using SAML, things can be done in a number of different ways. In the flow below I describe one common way, using the HTTP-Redirect binding for sending the AuthnRequest and the Artifact binding for sending the SAML Assertion.

Request flow of the SAML web browser profile

The authentication process could be said to involve five steps:

  • User tries to get access - The process begins with an unauthenticated user trying to get access to a protected part of the application (SP). Some form of filter is put in place to catch the user.
  • The user is redirected to the Identity Provider (IdP) - When the filter detects a user who is not authenticated, the user is sent to the IdP using HTTP-Redirect.
  • The user is authenticated - This step does not involve any interaction with the SP. The IdP has full responsibility for authenticating the user in a secure way.
  • Authenticated user is sent back to the SP - When the authentication is successfully completed, the user is sent back to the SP together with a SAML Artifact. The artifact is more or less a pointer to the user information at the IdP. The reason for using this method could be that it is considered too insecure to send the assertion via the browser.
  • Request user information - When the SP receives the artifact, it uses a web service at the IdP to exchange the artifact for a SAML Assertion. This is the actual proof of authentication.

This is how the federation with SAML web profile works on a low level. This can be good to know when working with identity federation and especially when debugging.
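
When debugging the artifact step, it helps to decode the artifact the SP received and confirm it points at the IdP you expect before resolving it. The following is an added example, not code from this post or from any of the products named here; it assumes the type 0x0004 artifact layout from the SAML 2.0 Bindings specification (2-byte type code, 2-byte endpoint index, 20-byte SourceID that is the SHA-1 of the IdP entityID, 20-byte message handle), and the function names and the entityID are made up for illustration.

```python
import base64
import hashlib
import hmac
import os
import struct

ARTIFACT_TYPE_0004 = 0x0004   # artifact format defined by SAML 2.0
ARTIFACT_LENGTH = 44          # 2 + 2 + 20 + 20 bytes


def parse_artifact(b64_artifact, expected_idp_entity_id):
    """Decode a SAMLart value and check it was issued by the expected IdP.

    Returns (endpoint_index, message_handle_hex); raises ValueError otherwise.
    """
    try:
        raw = base64.b64decode(b64_artifact, validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError("artifact is not valid base64") from exc
    if len(raw) != ARTIFACT_LENGTH:
        raise ValueError("unexpected artifact length: %d" % len(raw))

    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    source_id, message_handle = raw[4:24], raw[24:44]
    if type_code != ARTIFACT_TYPE_0004:
        raise ValueError("unsupported artifact type: 0x%04x" % type_code)

    # SourceID identifies the issuer: SHA-1 over the IdP entityID.
    # Reject artifacts from an unknown issuer before calling any web service.
    expected = hashlib.sha1(expected_idp_entity_id.encode("utf-8")).digest()
    if not hmac.compare_digest(source_id, expected):
        raise ValueError("artifact SourceID does not match the configured IdP")
    return endpoint_index, message_handle.hex()


def build_sample_artifact(entity_id, endpoint_index=0):
    """Construct a sample artifact for testing (constructed data only)."""
    source_id = hashlib.sha1(entity_id.encode("utf-8")).digest()
    header = struct.pack(">HH", ARTIFACT_TYPE_0004, endpoint_index)
    return base64.b64encode(header + source_id + os.urandom(20)).decode("ascii")


if __name__ == "__main__":
    IDP = "https://idp.example.org/saml"   # constructed entityID
    artifact = build_sample_artifact(IDP, endpoint_index=1)
    print(parse_artifact(artifact, IDP))
```

The message handle carries no user data itself; the SP only obtains the assertion by presenting the artifact to the IdP's resolution service over the back channel.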

Usually when you set up an identity federation, this is done with one of the many applications available for this purpose, for example OpenAM, OpenSAML and Oracle Access Manager.