data-driven-docs

Selft training repo

---

Project maintained by ggranados Hosted on GitHub Pages — Theme by mattgraham

Security Assertion Markup Language (SAML)

---

Table of Contents

• Security Assertion Markup Language (SAML)
  • Table of Contents
  • How SAML works
    • Parties Involved
    • Authentication Flow
  • SAML Benefits
  • Example
  • Ref. —

SAML, or Security Assertion Markup Language, is an XML-based framework for exchanging authentication and authorization data between parties, primarily for the purpose of single sign-on (SSO) and identity federation. It allows different organizations or systems to share authentication and authorization information without the need for users to log in multiple times when accessing different applications or services.

_{Back to top}

How SAML works

Parties Involved

• Identity Provider (IdP): The entity responsible for authenticating users and generating SAML assertions. It is essentially the “source of truth” for user identities.

• Service Provider (SP): The application or service that users want to access. It relies on the IdP for authentication and user information. Authentication Flow:

_{Back to top}

Authentication Flow

• User Access: The user tries to access a resource on the Service Provider (SP) application.

• SP Redirect: The SP recognizes that the user is not authenticated and redirects them to the IdP with a SAML request. User Authentication: The IdP prompts the user for authentication (e.g., username and password).

• SAML Assertion Generation: Once the user is authenticated, the IdP generates a SAML assertion containing information about the user’s identity, attributes, and the fact that the user has been authenticated. SAML Response: The IdP sends the SAML assertion back to the SP as a SAML response.

• SP Validation: The SP validates the SAML response’s authenticity and checks if the user is authorized to access the requested resource. Access Granted: If the SAML response is valid and the user is authorized, the SP grants the user access to the requested resource without requiring them to log in again. SAML Assertions:

• Authentication Statement: Confirms that the user has been authenticated. Attribute Statement: Provides additional user attributes or claims. Authorization Decision Statement: Indicates whether the user is authorized for a specific resource.

_{Back to top}

SAML Benefits

• Single Sign-On (SSO): Users only need to log in once to access multiple services, improving user experience and security.

• Centralized Identity Management: IdPs control user identities, making it easier to manage access and security policies.

• Cross-Domain Access: SAML enables secure access to resources across different domains or organizations.

• Reduced Password Fatigue: Users don’t need to remember multiple passwords for different applications.

SAML is widely used in enterprise environments, especially when different systems and services need to work together securely and efficiently. It provides a standardized way to establish trust and share authentication and authorization information between parties.

_{Back to top}

Example

Simple example of a SAML assertion in XML format

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" IssueInstant="2023-08-05T10:00:00Z" Version="2.0">

    <saml:Issuer>https://idpcorp.com</saml:Issuer>

    <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData NotOnOrAfter="2023-08-05T10:10:00Z"/></saml:SubjectConfirmation>
    </saml:Subject>

    <saml:Conditions NotBefore="2023-08-05T10:00:00Z" NotOnOrAfter="2023-08-05T10:10:00Z">
        <saml:AudienceRestriction>
            <saml:Audience>https://acmeapp.com</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    
    <saml:AuthnStatement AuthnInstant="2023-08-05T10:05:00Z">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>

</saml:Assertion>

Explanation of the XML elements in the SAML assertion:

• : The root element representing the SAML assertion.
• : Identifies the issuer (Identity Provider) of the SAML assertion.
• : Contains information about the subject of the assertion (the user).
• : Unique identifier for the subject (user) in the specified format.
• : Specifies the method of subject confirmation (how the user was authenticated).
• : Additional data related to subject confirmation.
• : Specifies the conditions under which the assertion is valid.
• : Specifies the intended audience (Service Provider) for the assertion.
• : Contains information about the user's authentication.
• : Provides context about the user's authentication.
• : Indicates the authentication context class reference (authentication method used).

This XML represents a basic SAML assertion that communicates the fact that the user (Alice) has been authenticated by the Identity Provider (https://idpcorp.com) and is authorized to access the Service Provider (https://acmeapp.com). It also includes information about the authentication method used and the validity period of the assertion.

In a real-world scenario, the SAML assertion would be included in the SAML response sent from the Identity Provider to the Service Provider during the authentication process. The SAML response would also include digital signatures and other metadata to ensure security and integrity.

_{Back to top}

---

Ref.

• https://auth0.com/intro-to-iam/what-is-saml
• https://es.wikipedia.org/wiki/Security_Assertion_Markup_Language

---

Get Started | Web Services and API Design

---