SAML explained

The past few weeks I've been trying to understand how the SAML protocol works. I'm planning to write a couple of posts about SAML in the future, so first, here is a short introduction to SAML.

SAML is “an XML framework for exchanging authentication and authorization information.”

So basically it's a big XML schema, plus rules for how the XML documents it defines are exchanged.

SAML is built up of four main parts: assertions, protocols, bindings and profiles.

Assertions, the information

This is the actual information being sent: statements about who authenticated, how and when, attributes such as profile information, and authorization decisions.

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="560f83e350ff2cabfa02345ee59153ba" IssueInstant="2010-11-22T14:30:30.728Z" Version="2.0">
  <saml:Issuer>me</saml:Issuer>
  <saml:Subject>
    <saml:NameID>harold_dt</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2010-11-04T14:04:30Z" SessionIndex="s22428b07e56ce0dbd3f72237ce29c585541db5d01">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      </saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>

<saml:Issuer>: the entity issuing the assertion (here simply "me").
<saml:Subject>: the identity the assertion is about.
<saml:NameID>: the identity's unique identifier.
<saml:AuthnStatement>: authentication information. Here it only carries the authentication context, PasswordProtectedTransport, i.e. login was done with a username and password over a protected (TLS) transport.

The attributes on <saml:Assertion> identify the assertion (ID), say when it was issued (IssueInstant) and which SAML version it uses (Version). On <saml:AuthnStatement>, AuthnInstant says when the user actually logged in and SessionIndex identifies the session at the issuer that the login belongs to.

Protocol, processing

Defines the request and response messages that carry assertions, and how those messages should be created and processed.

Binding, the transport

Defines how the messages are transported over a standard communication protocol, for example SOAP, i.e. wrapping a SAML message in a SOAP envelope.

<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
  <soap-env:Body>
    <!-- Assertion -->
  </soap-env:Body>
</soap-env:Envelope>
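To make the assertion and binding sections concrete, here is an added example (not code from the original post) that takes the assertion shown above, wraps it in a SOAP 1.1 envelope the way the SOAP binding does, and then, on the receiving side, takes it back out and reads the Issuer, NameID and AuthnContextClassRef with namespace-aware lookups. It uses only Python's standard library; the function names, the dict layout and the SOAP 1.1 namespace are my choices, and the only input is the assertion from the post.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace URIs for SAML 2.0 assertions and the SOAP 1.1 envelope (assumed
# binding; the post only says "SOAP").
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"saml": SAML_NS, "soap-env": SOAP_NS}

# Keep the familiar prefixes when serialising instead of ns0/ns1.
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("soap-env", SOAP_NS)

# The assertion from the post, used as the sample input.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="560f83e350ff2cabfa02345ee59153ba" IssueInstant="2010-11-22T14:30:30.728Z" Version="2.0">
  <saml:Issuer>me</saml:Issuer>
  <saml:Subject>
    <saml:NameID>harold_dt</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2010-11-04T14:04:30Z" SessionIndex="s22428b07e56ce0dbd3f72237ce29c585541db5d01">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      </saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_instant(value: str) -> datetime:
    """Parse a SAML xs:dateTime such as 2010-11-22T14:30:30.728Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_assertion(assertion: ET.Element) -> dict:
    """Read the fields explained in the post out of a <saml:Assertion> element.

    Lookups are namespace-qualified on purpose: an element called Issuer in
    some other namespace is not a SAML Issuer and must not match.
    """
    if assertion.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError(f"not a SAML 2.0 Assertion: {assertion.tag}")
    if assertion.get("Version") != "2.0":
        raise ValueError(f"unsupported SAML version: {assertion.get('Version')}")

    issuer = assertion.find("saml:Issuer", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    authn = assertion.find("saml:AuthnStatement", NS)
    ctx = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if issuer is None or name_id is None or authn is None or ctx is None:
        raise ValueError("assertion is missing Issuer, Subject/NameID or AuthnStatement")

    return {
        "id": assertion.get("ID"),
        "issue_instant": parse_instant(assertion.get("IssueInstant")),
        "issuer": issuer.text.strip(),
        "name_id": name_id.text.strip(),
        "authn_instant": parse_instant(authn.get("AuthnInstant")),
        "session_index": authn.get("SessionIndex"),
        # The sample splits this value over two lines, so strip the whitespace
        # before comparing it against a context class URI.
        "authn_context": ctx.text.strip(),
    }


def wrap_in_soap(assertion_xml: str) -> str:
    """SOAP binding, sending side: put the assertion inside a SOAP 1.1 Body."""
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    body.append(ET.fromstring(assertion_xml))
    return ET.tostring(envelope, encoding="unicode")


def unwrap_from_soap(envelope_xml: str) -> ET.Element:
    """SOAP binding, receiving side: take exactly one assertion out of the Body."""
    envelope = ET.fromstring(envelope_xml)
    if envelope.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError(f"not a SOAP envelope: {envelope.tag}")
    body = envelope.find("soap-env:Body", NS)
    if body is None:
        raise ValueError("SOAP envelope has no Body")
    assertions = body.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion in Body, found {len(assertions)}")
    return assertions[0]


def receive(envelope_xml: str) -> dict:
    """Receiving side end to end: strip the binding, then read the assertion."""
    return parse_assertion(unwrap_from_soap(envelope_xml))


if __name__ == "__main__":
    for key, value in receive(wrap_in_soap(ASSERTION_XML)).items():
        print(f"{key}: {value}")
```

Two things worth noticing: the receiver refuses a Body that carries zero or several assertions rather than silently picking one, and every lookup is qualified with the SAML namespace, so an element that merely shares a local name does not match. The example stops at reading fields; a real service provider must verify the XML signature on the assertion before trusting any of them, which is a topic for a later post.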

Profiles, putting it together

The profiles describe, on a higher level, how the different parts are combined to solve a task. For example, the Web Browser SSO profile describes how authentication is done from a web browser.

For detailed information on the SAML protocol, have a look at the different documents from OASIS here.

The management and technical overviews are good next steps:
Management Overview
Technical Overview

To really dig in deep, have a look at the raw SAML specs here.