Monday, November 22, 2010

A short introduction to SAML

The past few weeks I’ve been trying to understand how the SAML protocol works. I’m planing to write a couple of posts about SAML in the future so first, here is a short introduction in SAML.

SAML is “an XML framework for exchanging authentication and authorization information.”

So basicly its a big XML schema.

SAML is built up of four main specifikcations.
Assertions, protocols, bindings and profiles.

Assertions, the information
This is the actual information being sent, such as credentials, profile information and authorization decisions.

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="560f83e350ff2cabfa02345ee59153ba" IssueInstant="2010-11-22T14:30:30.728Z" Version="2.0">
  <saml:Issuer>me</saml:Issuer>
  <saml:Subject>
    <saml:NameID>harold_dt</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2010-11-04T14:04:30Z" SessionIndex="s22428b07e56ce0dbd3f72237ce29c585541db5d01">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      </saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>

<saml:Issuer> The entity sending the assertion.
<saml:Subject> The identety the assertioin is about
<saml:NameID> The identeties uniqe identifier
<saml:AuthnStatement> Authenitcation information, here only authentication method, PasswordProtectedTransport. Aka login was don with username and password.
  

Protocol, processing
Is a packaging of the assertions that defines how the assertion should be creates and processed

Binding, the transport
Defines how the messages are transported in a standard communication protocol for example SOAP, ie wrapping an assertion in a SOAP envelope.

<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
  <soap-env:Body>
    <!-- Assertion -->
  </soap-env:Body>
</soap-env:Envelope>

Profiles, putting it together
The profiles define descibes on a higher level how the defferent parts should be used to solve a task. For example the Web browser profile describes how authentications is done from a web browser.

For detailed information on the SAML protocol have a look at http://saml.xml.org/wiki/saml-introduction
Especially http://www.oasis-open.org/committees/download.php/20520/SAMLV2.0-basics-Oct2006.pdf

For the raw specs look here http://saml.xml.org/saml-specifications



In my book, A Guide to OpenSAML i walk trough in detail how to use OpenSAML to implement SAML.
A Guide to OpenSAML V3
Posted by at
Labels: ,

2 comments:

Subscribe to: Post Comments (Atom)