May 28, 2016

SAML2.0 Assertion Query/Request Profile - Introduction



What is SAML


SAML stands for Security Assertion Markup Language. It is an OASIS standard that defines XML-based authentication request and response messages and the rules for exchanging them between parties. The two profiles most often meant when people talk about SAML single sign-on (SSO) are:

  • Passive profile (the Web Browser SSO Profile) - the exchange is driven through the user's web browser with HTTP redirects and form POSTs
  • Active profile (the Enhanced Client or Proxy, ECP, profile) - a non-browser client, such as a mobile or desktop application, talks to the IdP and SP directly over SOAP without any redirects


The classic use case for SSO with SAML is a Service Provider (SP) that offers several services (Google, for example, has Gmail, Google Drive, Keep, Google Docs and so on). Without SSO, users have to log in separately to each service, possibly with different credentials, which is a poor experience, and the provider has to run a separate user store for every service, which is an administrative burden and multiplies the places where credentials can leak. SSO removes credential handling from the service provider and moves it to a separate component, the Identity Provider (IdP). The IdP holds the user's credentials, the user's roles for each of the provider's services, and other attributes such as email address, contact number and registration date. A service provider can trust several IdPs, and an IdP can serve several service providers.
Message Flow


There are two flows, named after the party that starts the authentication:
  •          IdP-initiated - the user first logs in at the IdP, which then sends an unsolicited Response to the SP
  •          SP-initiated - the user first visits the SP, which redirects the browser to the IdP with an AuthnRequest; after login the IdP sends the browser back to the SP with the Response

SAML is a good fit for passing authentication messages because the user only ever types a password at the IdP (the SP never sees it, which removes many phishing and credential-leak opportunities), because user administration is centralized at the IdP, and because the standard defines several bindings (HTTP Redirect, HTTP POST, Artifact, SOAP) for carrying the same messages between different kinds of entities.

A SAML Response carries one or more Assertions. It is useful to think of a Response on two levels:
  •  Payload format - the content of the message: who issued it (Issuer), who it is for (Destination, Audience), its Status, the XML signature, and the Assertion with the subject and the user's attributes
  •  Transport format - how the message travels: the binding (HTTP Redirect, HTTP POST, Artifact or SOAP), the endpoint URL it is sent to, and the RelayState that tells the SP where to send the user afterwards
Three major components take part in SSO with the SAML standard.
1. Client/Principal
2. Service Provider (SP)
3. Identity Provider (IDP)
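To make the SP-initiated flow and the payload/transport distinction concrete, here is an added example written for this page (it is not code from the original post and not any vendor's library), using only the Python standard library. The SP builds an AuthnRequest (payload), encodes it for the HTTP-Redirect binding (transport), and then validates a constructed IdP Response as it would arrive on the HTTP-POST binding: Destination, InResponseTo, Issuer, Status and Audience are checked before any user attribute is read. The entity IDs and endpoint URLs are hypothetical, and the sample Response is constructed inline, not captured from a real IdP. XML signature verification is deliberately not implemented here; a real SP must verify the Assertion signature (for example with xmlsec) before trusting anything in it.

```python
"""SP-side view of an SP-initiated SAML 2.0 Web Browser SSO exchange.
Added example, standard library only. Signature verification is NOT
implemented: a real SP must verify the Assertion signature (e.g. xmlsec)
and should parse untrusted XML with defusedxml rather than plain ElementTree.
"""
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical entity IDs and endpoints; a real SP takes these from IdP/SP metadata.
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
IDP_SSO_URL = "https://idp.example.com/saml/sso"


def build_authn_request(request_id, issue_instant="2016-05-28T12:00:00Z"):
    """Payload layer: the AuthnRequest the SP sends (step 1 of the SP-initiated flow)."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )

def redirect_binding_url(authn_request_xml, relay_state="/dashboard"):
    """Transport layer: HTTP-Redirect binding = raw DEFLATE + base64 + URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urllib.parse.urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode(),
        "RelayState": relay_state,
    })
    return f"{IDP_SSO_URL}?{query}"

def decode_redirect_binding(url):
    """What the IdP does on receipt: reverse the HTTP-Redirect encoding."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()

def validate_response(saml_response_b64, expected_request_id):
    """Check the protocol-level fields of a Response POSTed to the ACS, then
    return (NameID, attributes). Raises ValueError on any mismatch."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an AuthnRequest we issued")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("Issuer is not our trusted IdP")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("IdP reported a non-Success status")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    # Presence check only; cryptographic verification is left to xmlsec.
    if assertion.find("ds:Signature", NS) is None:
        raise ValueError("unsigned Assertion rejected")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != SP_ENTITY_ID:
        raise ValueError("Assertion Audience is not this SP")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs

def constructed_idp_response(in_response_to, status=STATUS_SUCCESS):
    """CONSTRUCTED sample of what the IdP would POST back; not captured from
    any real IdP. The empty ds:Signature stands in for a real signature."""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'xmlns:ds="{NS["ds"]}" ID="_r1" Version="2.0" '
        f'IssueInstant="2016-05-28T12:00:05Z" Destination="{SP_ACS_URL}" '
        f'InResponseTo="{in_response_to}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-05-28T12:00:05Z">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><ds:Signature/>"
        "<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>"
        f"<saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}"
        "</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
        '<saml:AttributeStatement><saml:Attribute Name="role">'
        "<saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>"
        "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    req_id = "_" + secrets.token_hex(16)  # SAML IDs must be NCNames, so start with "_"
    print("302 Location:", redirect_binding_url(build_authn_request(req_id)))
    print("SP accepted:", validate_response(constructed_idp_response(req_id), req_id))
```

The SP must remember the request ID it issued and compare it against InResponseTo, otherwise a Response captured for one login can be replayed against another session; the same applies to checking Destination and Audience, which stop a Response minted for a different SP from being accepted here. Time-based checks on the Assertion's Conditions (NotBefore, NotOnOrAfter) are omitted from this example but belong in the same place.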

(Figures omitted: information flow of the client, information flow of the IdP, information flow of the SP)


The Assertion is the part of the Response that carries the authenticated subject and its attributes. The Assertion itself is covered in the next tutorial.
