Escolar Documentos
Profissional Documentos
Cultura Documentos
Conformance
Requirements
Assertions
Authentication
and Bindings Profiles Metadata
Context
Protocols
Protocols schema Attribute profile Metadata schema Authentication
schemas context schemas
Assertions schema
Security
Executive Technical
Glossary Errata and Privacy
Overview Overview
Considerations
SAML-docset
142 • Conformance Requirements [SAMLConform] documents the technical requirements for SAML
143 conformance, a status that software vendors typically care about because it is one measure of
144 cross-product compatibility. If you need to make a formal reference to SAML V2.0 from another
145 document, you simply need to point to this one.
146 • Assertions and Protocol [SAMLCore] defines the syntax and semantics for creating XML-
147 encoded assertions to describe authentication, attribute, and authorization information, and for the
148 protocol messages to carry this information between systems. It has associated schemas, one for
149 assertions and one for protocols.
150 • Bindings [SAMLBind] defines how SAML assertions and request-response protocol messages can
151 be exchanged between systems using common underlying communication protocols and
152 frameworks.
153 • Profiles [SAMLProf] defines specific sets of rules for using and restricting SAML's rich and flexible
154 syntax for conveying security information to solve specific business problems (for example, to
155 perform a web SSO exchange). It has several associated small schemas covering syntax aspects of
156 attribute profiles.
157 • Metadata [SAMLMeta] defines how a SAML entity can describe its configuration data (e.g. service
158 endpoint URLs, key material for verifying signatures) in a standard way for consumption by partner
159 entities. It has an associated schema.
160 • Authentication Context [SAMLAuthnCxt] defines a syntax for describing authentication context
161 declarations which describe various authentication mechanisms. It has an associated set of
162 schemas.
163 • Executive Overview [SAMLExecOvr] provides a brief executive-level overview of SAML and its
164 primary benefits. This is a non-normative document.
165 • Technical Overview is the document you are reading.
166 • Glossary [SAMLGloss] normatively defines terms used throughout the SAML specifications.
167 Where possible, terms are aligned with those defined in other security glossaries.
Authenticate
information
1
Identity
Business agreement
2 Access Destination web site:
protected cars.example.co.uk
resource
SSO-usecase
No correlation of John's
activities across these sites
IDFed-usecase
Profiles
Combinations of assertions, protocols,
and bindings to support a defined use case
Bindings
Mappings of SAML protocols
onto standard messaging and Authentication Context
communication protocols
Detailed data on types
and strengths of authentication
Protocols
Requests and responses for
obtaining assertions and doing
identity management Metadata
Configuration data for
identity and service providers
Assertions
Authentication, attribute, and
entitlement information
SAML-concepts
351 Two other SAML concepts are useful for building and deploying a SAML environment:
352 • Metadata defines a way to express and share configuration information between SAML parties. For
353 instance, an entity's supported SAML bindings, operational roles (IDP, SP, etc), identifier
354 information, supporting identity attributes, and key information for encryption and signing can be
384 SAML 2.0 accounts for three different security scenarios by defining three values for the Method attribute
385 of the SubjectConformation element, these are
386 urn:oasis:names:tc:SAML:2.0:cm:holder-of-key
387 urn:oasis:names:tc:SAML:2.0:cm:sender-vouches
388 urn:oasis:names:tc:SAML:2.0:cm:bearer
389 In the holder-of-key model, the relying party will allow any party capable of demonstrating knowledge
390 of specific key information contained with the SubjectConfirmation element's
391 SubjectConfirmationData element to use the assertion (and thereby lay claim to some relationship
392 with the subject within).
393 In the bearer model, the relying party will will allow any party that bears the Assertion (assuming any
394 other constraints are also met) to use the assertion (and thereby lay claim to some relationship with the
395 subject within).
396 In the sender-vouches model, the relying party will use other criteria in determing which parties should
397 be allowed to use the assertion (and thereby lay claim to some relationship with the subject within).
SAML response
Assertion
Assertion
Authentication
statement
Other
statements
SAML-component-nesting
491 Figure 6 shows an XML fragment containing an example assertion with a single authentication statement.
492 Note that the XML text in the figure (and elsewhere in this document) has been formatted for presentation
493 purposes. Specifically, while line breaks and extra spaces are ignored between XML attributes within an
494 XML element tag, when they appear between XML element start/end tags, they technically become part of
495 the element value. They are inserted in the example only for readability.
543 • A single statement can contain multiple attributes. In this example, there are three attributes (starting
544 on lines 2, 10, and 16) within the statement.
545 • Attribute names are qualified with a name format (lines 4, 11, and 17) which indicates how the
546 attribute name is to be interpreted. This example takes advantage of two of the SAML-defined
547 attribute profiles and defines a third custom attribute as well. The first attribute uses the SAML
548 X.500/LDAP Attribute Profile to define a value for the LDAP attribute identified by the OID
549 “2.5.4.42”. This attribute in an LDAP directory has a friendly name of “givenName” and the attribute's
550 value is “John”. The second attribute utilizes the SAML Basic Attribute Profile, refers to an
551 attribute named “LastName” which has the value “Doe”. The name format of the third attribute
552 indicates the name is not of a format defined by SAML, but is rather defined by a third party,
553 SmithCo. Note that the use of private formats and attribute profiles can create significant
554 interoperability issues. See the SAML Profiles specification [SAMLProf] for more information and
555 examples.
556 • The value of an attribute can be defined by simple data types, as on lines 7 and 14, or can be
557 structured XML, as on lines 20 through 22.
SOAP envelope
SOAP header
SOAP body
SAML request
or
SAML response
protocol-SOAP-HTTP
650 In an IdP-initiated scenario, the user is visiting an IdP where they are already authenticated and they click
651 on a link to a partner SP. The IdP builds an assertion representing the user's authentication state at the
652 IdP and sends the user's browser over to the SP's assertion consumer service, which processes the
653 assertion and creates a local security context for the user at the SP. This approach is useful in certain
654 environments, but requires the IdP to be configured with inter-site transfer links to the SP's site.
655 Sometimes a binding-specific field called RelayState is used to coordinate messages and actions of
656 IdPs and SPs, for example, to allow an IdP (with which SSO was initiated) to indicate the URL of a desired
657 resource when communicating with an SP.
658 Figure compares the IdP-initiated and SP-initiated models.
659
Authenticate
when asked
Authenticate
2
1
2 1
Access Attempt
Service
successfully access Service
Provider 3 Provider
Succeed
in attempt
IdP-vs-SP-init
IdP-initiated SP-initiated
Figure 11: Differences in Initiation of Web Browser SSO
660 The second choice to be made when using the SAML profiles centers around which SAML bindings will be
661 used when sending messages back and forth between the IdP and SP. There are many combinations of
662 message flows and bindings that are possible, many of which are discussed in the following subsections.
663 For the web SSO profile, we are mainly concerned with two SAML messages; namely an Authentication
664 Request message sent from an SP to an IdP, and a Response message containing a SAML assertion that
665 is sent from the IdP to the SP (and then, secondarily, with messages related to artifact resolution if that
666 binding is chosen).
667 The SAML Conformance [SAMLConform] and Profiles [SAMLProf] specifications identify the SAML
668 bindings that can legally be used with these two messages. Specifically, an Authentication Request
669 message can be sent from an SP to an IdP using either the HTTP Redirect Binding, HTTP POST Binding,
670 or HTTP Artifact Binding. The Response message can be sent from an IdP to an SP using either the
671 HTTP POST Binding or the HTTP Artifact Binding. For this pair of messages, SAML permits asymmetry in
672 the choice of bindings used. That is, a request can be sent using one binding and the response can be
673 returned using a different binding. The decision of which bindings to use is typically driven by configuration
674 settings at the IdP and SP systems. Factors such as potential message sizes, whether identity information
675 is allowed to transit through the browser, etc. must be considered in the choice of bindings.
676 The following subsections describe the detailed message flows involved in web SSO exchanges for the
677 following use case scenarios:
678 • SP-initiated SSO using a Redirect Binding for the SP-to-IdP <AuthnRequest> message and a POST
679 Binding for the IdP-to-SP <Response> message
680 • SP-initiated SSO using a POST Binding for the <AuthnRequest> message and an Artifact Binding for
681 the <Response> message
682 • IDP-initiated SSO using a POST Binding for the IdP-to-SP <Response> message; no SP-to-IdP
683 <AuthnRequest> message is involved.
Resource
Assertion Single
Access Consumer Sign-On
check Service Service
7 2 5 3
1 6 4
User or UA action
Browser
User or UA action
SSO-SP-redir-POST
712 The query string is encoded using the DEFLATE encoding. The browser processes the redirect
713 response and issues an HTTP GET request to the IdP's Single Sign-On Service with the
714 SAMLRequest query parameter. The local state information (or a reference to it) is also included in the
715 HTTP response encoded in a RelayState query string parameter.
717 3. The Single Sign-On Service determines whether the user has an existing logon security context at the
718 identity provider that meets the default or requested (in the <AuthnRequest>) authentication policy
719 requirements. If not, the IdP interacts with the browser to challenge the user to provide valid
720 credentials.
721 4. The user provides valid credentials and a local logon security context is created for the user at the IdP.
722 5. The IdP Single Sign-On Service builds a SAML assertion representing the user's logon security
723 context. Since a POST binding is going to be used, the assertion is digitally signed and then placed
724 within a SAML <Response> message. The <Response> message is then placed within an HTML
725 FORM as a hidden form control named SAMLResponse. If the IdP received a RelayState value
726 from the SP, it must return it unmodified to the SP in a hidden form control named RelayState. The
727 Single Sign-On Service sends the HTML form back to the browser in the HTTP response. For ease of
728 use purposes, the HTML FORM typically will be accompanied by script code that will automatically post
729 the form to the destination site.
730 <form method="post" action="https://sp.example.com/SAML2/SSO/POST" ...>
731 <input type="hidden" name="SAMLResponse" value="response" />
732 <input type="hidden" name="RelayState" value="token" />
733 ...
734 <input type="submit" value="Submit" />
735 </form>
736 The value of the SAMLResponse parameter is the base64 encoding of the following
737 <samlp:Response> element:
738 <samlp:Response
739 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
740 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
741 ID="identifier_2"
742 InResponseTo="identifier_1"
743 Version="2.0"
744 IssueInstant="2004-12-05T09:22:05Z"
745 Destination="https://sp.example.com/SAML2/SSO/POST">
746 <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
747 <samlp:Status>
748 <samlp:StatusCode
749 Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
750 </samlp:Status>
751 <saml:Assertion
752 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
753 ID="identifier_3"
754 Version="2.0"
755 IssueInstant="2004-12-05T09:22:05Z">
756 <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
757 <!-- a POSTed assertion MUST be signed -->
758 <ds:Signature
759 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
760 <saml:Subject>
761 <saml:NameID
762 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
763 3f7b3dcf-1674-4ecd-92c8-1544f346baf8
764 </saml:NameID>
765 <saml:SubjectConfirmation
766 Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
767 <saml:SubjectConfirmationData
768 InResponseTo="identifier_1"
769 Recipient="https://sp.example.com/SAML2/SSO/POST"
770 NotOnOrAfter="2004-12-05T09:27:05Z"/>
771 </saml:SubjectConfirmation>
772 </saml:Subject>
773 <saml:Conditions
774 NotBefore="2004-12-05T09:17:05Z"
775 NotOnOrAfter="2004-12-05T09:27:05Z">
776 <saml:AudienceRestriction>
777 <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
778 </saml:AudienceRestriction>
779 </saml:Conditions>
780 <saml:AuthnStatement
781 AuthnInstant="2004-12-05T09:22:00Z"
782 SessionIndex="identifier_3">
791 6. The browser, due either to a user action or execution of an “auto-submit” script, issues an HTTP POST
792 request to send the form to the SP's Assertion Consumer Service.
793 POST /SAML2/SSO/POST HTTP/1.1
794 Host: sp.example.com
795 Content-Type: application/x-www-form-urlencoded
796 Content-Length: nnn
797
798 SAMLResponse=response&RelayState=token
799 where the values of the SAMLResponse and RelayState parameters are taken from the HTML
800 form of Step 5.
801 The service provider's Assertion Consumer Service obtains the <Response> message from the
802 HTML FORM for processing. The digital signature on the SAML assertion must first be validated
803 and then the assertion contents are processed in order to create a local logon security context for
804 the user at the SP. Once this completes, the SP retrieves the local state information indicated by
805 the RelayState data to recall the originally-requested resource URL. It then sends an HTTP
806 redirect response to the browser directing it to access the originally requested resource (not
807 shown).
808 7. An access check is made to establish whether the user has the correct authorization to access the
809 resource. If the access check passes, the resource is then returned to the browser.
838 The RelayState token is an opaque reference to state information maintained at the service
839 provider. The value of the SAMLRequest parameter is the base64 encoding of the following
840 <samlp:AuthnRequest> element:
841 <samlp:AuthnRequest
842 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
843 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
844 ID="identifier_1"
845 Version="2.0"
846 IssueInstant="2004-12-05T09:21:59Z"
847 AssertionConsumerServiceIndex="1">
848 <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
849 <samlp:NameIDPolicy
850 AllowCreate="true"
851 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
852 </samlp:AuthnRequest>
853 The local state information (or a reference to it) may also be included in the form in a hidden form
854 control named RelayState. For ease-of-use purposes, the HTML FORM typically will be
855 accompanied by script code that will automatically post the form to the destination site. The browser,
856 due either to a user action or execution of an “auto-submit” script, issues an HTTP POST request to
857 send the form to the identity provider's Single Sign-On Service. The RelayState mechanism can leak
858 details of the user's activities at the SP to the IdP so care should be taken in its implementation.
859 POST /SAML2/SSO/POST HTTP/1.1
860 Host: idp.example.org
861 Content-Type: application/x-www-form-urlencoded
862 Content-Length: nnn
863
864 SAMLRequest=request&RelayState=token
865 3. The Single Sign-On Service determines whether the user has an existing logon security context at the
866 identity provider that meets the default or requested (in the <AuthnRequest>) authentication policy
867 requirements. If not, the IdP interacts with the browser to challenge the user to provide valid
868 credentials.
869 4. The user provides valid credentials and a local logon security context is created for the user at the IdP.
870 5. The IdP Single Sign-On Service builds a SAML assertion representing the user's logon security context
871 and places the assertion within a SAML <Response> message. Since the HTTP Artifact binding will
872 be used to deliver the SAML Response message, it is not mandated that the assertion be digitally
873 signed. The IdP creates an artifact containing the source ID for the idp.example.org site and a
874 reference to the <Response> message (the MessageHandle). The HTTP Artifact binding allows the
875 choice of either HTTP redirection or an HTML form POST as the mechanism to deliver the artifact to
876 the partner. The figure shows the use of redirection.
877 6. The SP's Assertion Consumer Service now builds and sends a SAML <ArtifactResolve> message
878 containing the artifact to the IdP's Artifact Resolution Service endpoint. This exchange is performed
879 using a synchronous SOAP message exchange.
880 <samlp:ArtifactResolve
881 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
882 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
883 ID="identifier_2"
884 Version="2.0"
885 IssueInstant="2004-12-05T09:22:04Z"
886 Destination="https://idp.example.org/SAML2/ArtifactResolution">
887 <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
888 <!-- an ArtifactResolve message SHOULD be signed -->
889 <ds:Signature
890 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
891 <samlp:Artifact>artifact</samlp:Artifact>
892 </samlp:ArtifactResolve>
893 7. The IdP's Artifact Resolution Service extracts the MessageHandle from the artifact and locates the
894 original SAML <Response> message associated with it. This message is then placed inside a SAML
895 <ArtifactResponse> message which is returned to the SP over the SOAP channel.
896
964 The SP extracts and processes the <Response> message and then processes the embedded
965 assertion in order to create a local logon security context for the user at the SP. Once this completes,
966 the SP retrieves the local state information indicated by the RelayState data to recall the originally-
967 requested resource URL. It then sends an HTTP redirect response to the browser directing it to access
968 the originally requested resource (not shown).
969 8. An access check is made to establish whether the user has the correct authorization to access the
Resource
Assertion Single
Access
Consumer Sign-On
check
Service Service
7 4 1
Select Challenge
remote for
resource credentials
Signed
POST signed <Response> User
Supply <Response> login
resource in HTML form
5 3 2
User or UA action
Browser
SSO-IdP-POST
Identity
Identity
Provider
Provider
1018 The ECP profile defines a single binding – PAOS (Reverse SOAP). The profile uses SOAP headers and
Resource
Assertion Single
Access Consumer Sign-On
check Service Service
6 2 4
Signed
<Response> <AuthnRequest>
Access in PAOS in SOAP request
resource response
Signed
Supply <AuthnRequest> <Response>
resource in PAOS request in SOAP
response
1 5 3
SSO-ECP-PAOS
<LogoutRequest>
Single (SOAP) Single
3
Logout Logout
Service <LogoutResponse> 4 Service
(SOAP)
6 2 5
Request
global
logout
Logged out
<LogoutRequest>
<LogoutResponse>
(by redirect)
1 (by redirect)
Browser
SLO-SP-init-mult
Resource
Assertion Single
Access Consumer Sign-On
check Service Service
8 2 6 4
Access Pass along signed
resource <Response> Pass along Challenge
about john <AuthnRequest> for credentials
Browser
IDFed-oob
User with local ID john
at both providers
Figure 17: Identity Federation with Out-of-Band Account Linking
1142
Resource
Assertion Single
Access Consumer Sign-On
check Service Service
10 8 2 6 4
User Pass along User
Access signed
resource login Pass login
as jdoe <Response> as john
along
Convey <AuthnRequest>
<AuthnRequest>
Challenge asking for Convey signed Challenge
Supply
resource for credentials; persistent <Response> for
opt-in? pseudonym about 61611 credentials
1 9 7 3 5
Browser
IDFed-persistent-pseud
User with local ID john at airline.example.com
and local ID jdoe at cars.example.co.uk
Figure 18: SP-Initiated Identity Federation with Persistent Pseudonym
1143 The processing is as follows:
1144 1. The user attempts to access a resource on cars.example.co.uk. The user does not have any current
1145 logon session (i.e. security context) on this site, and is unknown to it. The resource that the user
1146 attempted to access is saved as RelayState information.
1147 2. The service provider uses the HTTP Redirect Binding to send the user to the Single Sign-On Service at
1148 the identity provider (airline.example.com). The HTTP redirect includes a SAML <AuthnRequest>
1149 message requesting that the identity provider provide an assertion using a persistent name identifier
1150 for the user. As the service provider desires the IdP have the flexibility to generate a new identifiier for
1151 the user should one not already exist, the SP sets the AllowCreate attribute on the NameIDPolicy
1152 element to 'true”.
1153 3. The user will be challenged to provide valid credentials.
1154 4. The user provides valid credentials identifying himself as john and a local security context is created
Resource
Assertion Single
Access Consumer Sign-On
check Service Service
10 2 6 4
Pass along User
Access signed
resource Pass login
<Response> as john
along
Convey <AuthnRequest>
<AuthnRequest>
asking for Convey signed Challenge
Supply
transient <Response> for
resource
pseudonym about 294723 credentials
1 7 3 5
Browser
IDFed-transient-pseud
User with local ID john at Airline.example.com
Figure 19: SP-Initiated Identity Federation with Transient Pseudonym
1190 The processing is as follows:
1191 1. The user attempts to access a resource on cars.example.co.uk. The user does not have any current
1192 logon session (i.e. security context) on this site, and is unknown to it. The resource that the user
1193 attempted to access is saved as RelayState information.
1194 2. The service provider uses the HTTP Redirect Binding to send the user to the Single Sign-On Service at
1195 the identity provider (airline.example.com). The HTTP redirect includes a SAML <AuthnRequest>
1196 message requesting that the identity provider provide an assertion using a transient name identifier for
1197 the user.
1198 3. The user will be challenged to provide valid credentials at the identity provider.
1199 4. The user provides valid credentials identifying himself as john and a local security context is created
1200 for the user at the IdP.
1201 5. The Single Sign-On Service looks up user john in its identity store and creates a transient name
Identity Identity
store store
Terminate
1 61611 Manage
linking NameID
Service
Affirmative
response 2
IDFed-term
HTTP response
SOAP envelope
SOAP header
wsse:Security
Assertion
Authentication
statement
Other
statements
wsse:SecurityTokenReference
SOAP body
1309 The following sequence of steps typifies the use of SAML assertions with WS-Security.
1310 A SOAP message sender obtains a SAML assertion by means of the SAML Request/Response protocol
1311 or other means. In this example, the assertion contains an attribute statement and a subject with a
1312 confirmation method called Holder of Key [@@turn this into a forward reference to an advanced topic?].
1313 To protect the SOAP message:
1314 1. The sender constructs the SOAP message, including a SOAP header with a WS-Security header.
1315 A SAML assertion is placed within a WS-Security token and included in the security header. The
1316 key referred to by the SAML assertion is used to construct a digital signature over data in the
1317 SOAP message body. Signature information is also included in the security header.
1318 2. The message receiver verifies the digital signature.
1319 3. The information in the SAML assertion is used for purposes such as Access Control and Audit
1320 logging.
1321 Figure 22 illustrates this usage scenario.
1322
Obtain
SAML
assertion
Receiver
3 4
WS-
Security Verify Access
Sender 2
signed signature SAML check
SOAP attribute
message informatio
n
Log
2
5
Collect other
external Obtain
data policies
Request
3
evaluatio
Request n
access, Policy
providing Policy Decision
Requester 1 Enforcement
input in Point (PDP)
SAML Point (PEP)
assertion Return
s 5
decision
Retrieve
resource
as appropriate
Resource