Security Assertion Markup Language (SAML 2.0)

• XML-based framework that enables exchange of identities/access (authentication and authorization) information in a safe, secure and standard way
• It is used to provide Single Sign-on (SSO) and Single Logout (SLO) between security domains
• enables web-based, cross-domain single sign-on (SSO)
• uses security tokens that contain assertions, which are used to  pass data between a SAML Identity Provider (IdP) and a Service Provider (SP)
• Documents – SAMLCore, SAMLBind, SAMLProf, and SAMLMeta
• SAML specification was developed and is maintained by the Security Services Technical Committee of OASIS.
• SAML 2.0 became an OASIS Standard in March 2005

Why SAML?

• Interoperable – SAML provides a set of interoperable standard interfaces. Standardizing the interfaces between systems allows for faster, cheaper, and more reliable integration

• Platform neutrality. SAML abstracts the security framework away from platform architectures and particular vendor implementations. Making security more independent of application logic is an important tenet of Service-Oriented Architecture.
• Loose coupling of directories. SAML does not require user information to be maintained and synchronized between directories.
• Improved online experience for end users. SAML enables single sign-on by allowing users to authenticate at an identity provider and then access service providers without additional authentication. In addition, identity federation (linking of multiple identities) with SAML allows for a better-customized user experience at each service while promoting privacy.
• Reduced administrative costs for service providers. Using SAML to ‘reuse’ a single act of authentication (such as logging in with a username and password) multiple times across multiple services can reduce the cost of maintaining account information.This burden is transferred to the identity provider.
• Risk transference. SAML can act to push responsibility for proper management of identities to the identity provider, which is more often compatible with its business model than that of a service provider.

Roles

Principal

• Requests a service from Service Provider

Identity Provider (IdP)

• Asserting party – Authenticates the identity

Service Provider (SP)

• requests and obtains an authentication assertion from the identity provider

SAML Components

Source

SAML Core

•  general syntax and semantics of SAML assertions (about authN, authZ and attributes) as well as the protocol used to request and transmit those assertions from one system entity to another
• defines “bare” SAML assertions along with SAML request and response elements
• https://www.oasis-open.org/committees/download.php/56776/sstc-saml-core-errata-2.0-wd-07.pdf

SAML Bindings

• How is transmitted?
• Specification [SAMLBind]  provides frameworks for the embedding and transport of SAML protocol messages. In other words, mapping of SAML protocols onto standard messaging and communication protocols
• determines how SAML requests and responses map onto standard messaging or communications protocols
• https://www.oasis-open.org/committees/download.php/56779/sstc-saml-bindings-errata-2.0-wd-06.pdf

SAML SOAP binding

SAML MetaData

• Configuration data for identity and service providers
• SAML Metadata Spec Errata 2.0

SAML Profiles

• Specification [SAMLProf] provides a baseline set of profiles for the use of SAML assertions and protocols to accomplish specific use cases or achieve interoperability when using SAML features
• Combinations of assertions, protocols and bindings to support a defined use case
• concrete manifestation of a defined use case using a particular combination of assertions, protocols and bindings
• https://www.oasis-open.org/committees/download.php/56782/sstc-saml-profiles-errata-2.0-wd-07.pdf

SSO Profiles

Web Browser SSO Profile

Enhanced Client or Proxy (ECP) Profile

Identity Provider Discovery Profile

Single Logout Profile

Name Identifier Management Profile

Artifact Resolution Profile

Assertion Query/Request Profile

Name Identifier Mapping Profile

SAML Attribute Profiles

SAML Assertion

• package of information that supplies zero or more statements made by SAML Authority (asserting party) and received by relying party
• <Subject> – Not necessarily but usually a human about which something is being asserted. subject and principal are used interchangeably sometimes
• 3 types of assertion statements
  1. Authentication – assertion subject was authenticated by particular means at particular time
  2. Attribute – assertion subject is associated with supplied attributes
  3. Authorization Decision – allow assertion subject to access specific resource (grant or deny)

SAML Protocols

• What is transmitted?
• Requests and responses for obtaining assertions and doing identity management

Authentication Context

• Detailed data on types and strengths of authentication

SAMLV2 Design Standards

XML

• SAML exchanges encoded in XML
• Use XML namespaces [XMLNS]
  

  Prefix	XML Namespace
  saml:	urn:oasis:names:tc:SAML:2.0:assertion (Assertion Namespace)
  samlp:	urn:oasis:names:tc:SAML:2.0:protocol (Protocol Namespace)
  ds:	http://www.w3.org/2000/09/xmldsig#
  xenc:	http://www.w3.org/2001/04/xmlenc#
  xs:	http://www.w3.org/2001/XMLSchema
  xsi:	http://www.w3.org/2001/XMLSchemainstance

• Assertions and protocols specified in XML Schema (XSD)
• XML Signature used for digital signatures for message integrity
• XML Encryption provides elements for encrypted

Common XML Elements in SAML

<element name="Assertion" type="saml:AssertionType"/>
<complexType name="AssertionType">
   <sequence>
     <element ref="saml:Issuer"/>
     <element ref="ds:Signature" minOccurs="0"/>
     <element ref="saml:Subject" minOccurs="0"/>
     <element ref="saml:Conditions" minOccurs="0"/>
     <element ref="saml:Advice" minOccurs="0"/>
     <choice minOccurs="0" maxOccurs="unbounded">
       <element ref="saml:Statement"/>
       <element ref="saml:AuthnStatement"/>
       <element ref="saml:AuthzDecisionStatement"/>
       <element ref="saml:AttributeStatement"/>
     </choice>
 </sequence>
 <attribute name="Version" type="string" use="required"/>
 <attribute name="ID" type="ID" use="required"/>
 <attribute name="IssueInstant" type="dateTime" use="required"/>
</complexType>

HTTP

• SAML uses HTTP as communication/transport protocol
• SAML assertions are typically embedded in other structures for transport such as HTTP POST requests or XML encoded SOAP messages

Source: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html

SAML Security

• TLS 1.0+ for transport level
• XML Signature and XML Encryption for message-level security

Terminology

• Assertion Queries
  • To load back assertion from cache
• Attribute Queries
  • Lazy load user claims. Say user is part of 100s of groups. Not a good idea to pass all the attributes in single assertion. This feature can be used to load other information by making back channel call
  • something like /userinfo endpoint in OIDC
• Artifact Resolution
  • Get assertion without browser agent
  • Get artifact from IdP
  • Exchange attributes with artifact with IdP
• RelayState
  • maintains state

Resources

• https://en.wikipedia.org/wiki/SAML_2.0
• https://wiki.oasis-open.org/security/FrontPage
• Legacy http://saml.xml.org/
• SAML XSDs and documents  [XSD – SAML Schema Assertion SAML 2.0]
• XML Signature
• XML Encryption
• http://saml.xml.org/advantages-saml
• SAML Technical Overview