The past few weeks I’ve been trying to understand how the SAML protocol works. I’m planning to write a couple of posts about SAML in the future, so first, here is a short introduction to SAML.
SAML is “an XML framework for exchanging authentication and authorization information.”
So basically it’s a big XML schema.
SAML is built up of four main specifications: assertions, protocols, bindings and profiles.
Assertions, the information
This is the actual information being sent, such as credentials, profile information and authorization decisions.
```xml
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="560f83e350ff2cabfa02345ee59153ba" IssueInstant="2010-11-22T14:30:30.728Z" Version="2.0">
  <saml:Issuer>me</saml:Issuer>
  <saml:Subject>
    <saml:NameID>harold_dt</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2010-11-04T14:04:30Z" SessionIndex="s22428b07e56ce0dbd3f72237ce29c585541db5d01">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      </saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
```
<saml:Issuer> The entity sending the assertion.
<saml:Subject> The identity the assertion is about.
<saml:NameID> The identity’s unique identifier.
<saml:AuthnStatement> Authentication information; here only the authentication method, PasswordProtectedTransport, i.e. the login was done with a username and password.
Protocols, the packaging
A protocol is the packaging of assertions that defines how an assertion is to be created and processed.
Binding, the transport
Bindings define how the messages are transported over a standard communication protocol, for example SOAP, i.e. wrapping an assertion in a SOAP envelope.
```xml
<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
  <soap-env:Body>
    <!-- Assertion -->
  </soap-env:Body>
</soap-env:Envelope>
```
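To make the assertion and the SOAP binding above concrete, here is an added Python example (my own, not code from the post) that wraps the sample assertion in a SOAP envelope the way the binding section describes, unwraps it again on the receiving side, pulls out the fields explained under Assertions (Issuer, NameID, AuthnInstant, AuthnContextClassRef), and runs the basic freshness and issuer checks a relying party would apply before using them. The SAMPLE_ASSERTION string is the assertion from the post, the expected issuer "me" and the 5-minute maximum age are assumptions chosen for the example, and XML signature verification is deliberately left out; a real service provider must verify the signature before trusting any of these values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"saml": SAML_NS, "soap-env": SOAP_NS}

# Constructed sample input: the assertion shown in the post, as one string.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="560f83e350ff2cabfa02345ee59153ba" IssueInstant="2010-11-22T14:30:30.728Z" Version="2.0">
  <saml:Issuer>me</saml:Issuer>
  <saml:Subject>
    <saml:NameID>harold_dt</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2010-11-04T14:04:30Z"
      SessionIndex="s22428b07e56ce0dbd3f72237ce29c585541db5d01">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      </saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def wrap_in_soap(assertion_xml):
    """SOAP binding: place the assertion inside the Body of a SOAP 1.1 envelope."""
    return ('<soap-env:Envelope xmlns:soap-env="{ns}"><soap-env:Body>{a}</soap-env:Body>'
            '</soap-env:Envelope>').format(ns=SOAP_NS, a=assertion_xml)


def unwrap_soap(envelope_xml):
    """Receiving side of the binding: parse the envelope and return the Assertion element."""
    root = ET.fromstring(envelope_xml)
    if root.tag != "{%s}Envelope" % SOAP_NS:
        raise ValueError("not a SOAP envelope: %s" % root.tag)
    assertion = root.find("soap-env:Body/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("SOAP Body carries no saml:Assertion")
    return assertion


def parse_iso(ts):
    """SAML timestamps are UTC with a 'Z' suffix; turn them into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_assertion(assertion):
    """Extract the fields described in the Assertions section into a plain dict."""
    def attr(elem, name):
        value = elem.get(name)
        if not value:
            raise ValueError("missing attribute %s" % name)
        return value

    def text(path):
        node = assertion.find(path, NS)
        if node is None or not (node.text or "").strip():
            raise ValueError("assertion is missing %s" % path)
        return node.text.strip()

    authn = assertion.find("saml:AuthnStatement", NS)
    if authn is None:
        raise ValueError("assertion has no AuthnStatement")
    return {
        "id": attr(assertion, "ID"),
        "version": attr(assertion, "Version"),
        "issue_instant": parse_iso(attr(assertion, "IssueInstant")),
        "issuer": text("saml:Issuer"),
        "name_id": text("saml:Subject/saml:NameID"),
        "authn_instant": parse_iso(attr(authn, "AuthnInstant")),
        "session_index": authn.get("SessionIndex"),
        "authn_context": text("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"),
    }


def validate(info, expected_issuer, now, max_age=timedelta(minutes=5), skew=timedelta(minutes=1)):
    """Relying-party sanity checks; returns a list of problems (empty means acceptable).
    Assumed policy: issuer must match, assertion must be at most max_age old, clock skew 1 min."""
    problems = []
    if info["version"] != "2.0":
        problems.append("unsupported Version %r" % info["version"])
    if info["issuer"] != expected_issuer:
        problems.append("unexpected issuer %r" % info["issuer"])
    if info["issue_instant"] > now + skew:
        problems.append("IssueInstant is in the future")
    elif info["issue_instant"] < now - max_age:
        problems.append("IssueInstant is older than %s" % max_age)
    if info["authn_instant"] > info["issue_instant"] + skew:
        problems.append("AuthnInstant is later than IssueInstant")
    return problems


def check_envelope(envelope_xml, expected_issuer, now_iso):
    """Unwrap, parse and validate in one step; 'now' is passed in so results are reproducible."""
    info = parse_assertion(unwrap_soap(envelope_xml))
    return info, validate(info, expected_issuer, parse_iso(now_iso))


if __name__ == "__main__":
    info, problems = check_envelope(wrap_in_soap(SAMPLE_ASSERTION), "me", "2010-11-22T14:31:00Z")
    print(info["name_id"], info["authn_context"], problems or "OK")
```

Note that the lookups are namespace-aware (the `saml:` prefix is resolved through the NS map rather than matched as text), so an assertion using a different prefix for the same namespace is handled identically, and an element in the wrong namespace is treated as absent rather than silently accepted.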
Profiles, putting it together
The profiles describe, on a higher level, how the different parts are used together to solve a task. For example, the Web browser profile describes how authentication is done from a web browser.
For detailed information on the SAML protocol, have a look at the different documents from OASIS here.
To really dig in deep, have a look at the raw SAML specs here.