Understanding Security Assertion Markup Language - SAML
XML Security Assertion Markup Language (SAML) is a vocabulary of XML that is used
to share the information on security assertions. The authentication information
needs to be shared across different applications over the network. Otherwise the
user is forced to authenticate when they enter a new application.
the state of the user if he is asked to authenticate on several pages of a web
application when he enter a portal and tries to use some of the services that
are available in the portal. If you do so the user will hesitate to use that application
the second time and they will searching for some other applications that have
a single sign-on feature.
sign-on is achieved through Security Assertion Markup Language since the authentication
information is shared among the different components of a web application. You
might come across a portal that has many features.
If you are navigating
from one feature to another that are exclusive to that portal the authentication
information has to be shared. Otherwise the user will be required to authenticate
themselves on different screens. With the use of the SAML the user is required
to sign-in at only one place to use all the features of a portal.
authentication information will be shared with the underlying different systems
to achieve this feature. With such proper authentication the user is authorized
to access certain information that is secured over the portal. The authentication
information is used to control the access of the information over the portal.
category of user is allowed to access only certain parts of the portal based on
the privilege given to that category. To given an example of this, you can consider
a system that allows the managers and the employees to perform different levels
of transactions in the system.
For example the HR department staffs are
allowed to access information pertaining to the salaries of all the employees
and they are the users who are also entitled to view the attendance information
of all the employees in an organization.
The employees may have a different
level of access. The employees cannot access information that is accessed by the
staff of the HR department. Rules for the access control are framed based on the
authenticity of the category of the employee.
of the important feature of the Security Assertion Markup Language is the general
assertion framework that is used to assert the information given and allows the
users to use the features of the system during a particular period. Specific audiences
are targeted for the different assertions done in the system.
specifications of Security Assertion Markup Language give the XML vocabulary for
authentication and authorization assertions. They define how this assertion information
is passed among the different components of the system. It also defines a request
response protocol for the assertions.
An XML SOAP binding is also defined
in SAML. URNs which are unique identifiers for the mechanisms of authentication
and the actions of authorization are also defined in the SAML specifications.
Association of digital signatures with the assertions is also done using the SAML.
a user logs in an assertion is created for that particular user and that authentication
information is shared in a specific manner. The time period allowed for performing
the actions are also passed on for that particular user. There are many techniques
available for establishing the identity of a person.
token and using even biometrics are some of the ways by which the identity of
a person is established. SAML has an AuthorizationDecisionStatement that is used
to assert the information regarding a request for some access. The end result
of that request which is a decision is asserted with some evidence that supports
the decision. More information on such statements is available in the SAML specifications
in the web.
format of an assertion might be something like given below:
<NameIdentifier Format="xxx"> </NameIdentifier>
<Conditions> tag is used to the optional conditions that are used for determining
the time validity for access control of a user. There is an <AudienceRestrictionCondition>
that is used to identify the members who are allowed to access.
is an optional <Advice> tag that can be used to have supporting evidences
required for the authorization and authentication. The authentication statement
tag contains the method used for authentication in the attribute AuthenticationMethod.
A date and time is specified in the AuthenticationInstant attribute.
identify the person who is authorized to do certain tasks the tag <Subject>
has a sub-element <NameIdentifier>. The digital signature that is used for
assertion is given in a separate signature tag. You can find more information
on the different tags and specifications in the web.
Subscribe to our mailing list and receive new articles
through email. Keep yourself updated with latest
developments in the industry.
: We never rent, trade, or sell my email lists to
We assure that your privacy is respected