SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions).
The SAML Web Browser SSO profile was specified and standardized to promote interoperability.[2]
In practice, SAML SSO is most commonly used for authentication into cloud-based business software.
As in the SAML 2.0 Technical Overview,[4] the terms subject and principal are used interchangeably in this document.
SAML does not specify the method of authentication at the identity provider.
The Organization for the Advancement of Structured Information Standards (OASIS) Security Services Technical Committee (SSTC), which met for the first time in January 2001, was chartered "to define an XML framework for exchanging authentication and authorization information."[6]
To this end, the following intellectual property was contributed to the SSTC during the first two months of that year:
Building on these initial contributions, in November 2002 OASIS announced the Security Assertion Markup Language (SAML) 1.0 specification as an OASIS Standard.[8]
Like its SAML predecessor, Liberty ID-FF proposed a standardized, cross-domain, web-based, single sign-on framework.
In addition, Liberty described a circle of trust where each participating domain is trusted to accurately document the processes used to identify a user, the type of authentication system used, and any policies associated with the resulting authentication credentials.[9]
While Liberty was developing ID-FF, the SSTC began work on a minor upgrade to the SAML standard.
Then, in November of that same year, Liberty contributed ID-FF 1.2 to OASIS, thereby sowing the seeds for the next major version of SAML.
By January 2008, deployments of SAML 2.0 became common in government, higher education, and commercial enterprises worldwide.
A SAML profile is a concrete manifestation of a defined use case using a particular combination of assertions, protocols and bindings.
An authorization decision statement asserts that a principal is permitted to perform action A on resource R given evidence E. The expressiveness of authorization decision statements in SAML is intentionally limited.
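As an added illustration (not code from the article or from the OASIS specifications), the following standard-library Python shows how a service provider would consume such a statement: it first checks the assertion's Conditions (validity window and audience) and only then looks for a Permit decision covering exactly the requested resource and action. The assertion XML, the issuer and SP URLs and the principal name are all constructed for this example; XML signature verification, which must precede any of this, is assumed to have been done elsewhere.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for this example (not from any real deployment).
# It states that "alice" may perform action "Read" on one resource, and is
# valid for one audience only, during a five-minute window.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-id" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthzDecisionStatement Resource="https://sp.example.com/reports" Decision="Permit">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""


def _utc(stamp):
    """Parse the xs:dateTime form SAML uses (UTC with a 'Z' suffix) into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_permitted(assertion_xml, audience, resource, action, now):
    """Service-provider side check: True only if the assertion is valid for this
    audience at time `now` (an ISO-8601 UTC string) AND carries a Permit decision
    for exactly (resource, action). Deny, Indeterminate or any mismatch gives False.
    Signature verification is assumed to have happened before this is called."""
    root = ET.fromstring(assertion_xml)
    now = _utc(now)
    cond = root.find("saml:Conditions", NS)
    if cond is None:  # no Conditions element: refuse rather than guess
        return False
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _utc(not_before):
        return False
    if not_on_or_after and now >= _utc(not_on_or_after):  # upper bound is exclusive
        return False
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if audience not in audiences:
        return False
    for stmt in root.findall("saml:AuthzDecisionStatement", NS):
        if stmt.get("Decision") != "Permit" or stmt.get("Resource") != resource:
            continue
        if any(a.text == action for a in stmt.findall("saml:Action", NS)):
            return True
    return False
```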
Unlike previous versions, SAML 2.0 browser flows begin with a request at the service provider.
In addition to Web Browser SSO, SAML 2.0 introduces numerous new profiles:
Aside from the SAML Web Browser SSO Profile, some important third-party profiles of SAML include:
The SAML specifications recommend, and in some cases mandate, a variety of security mechanisms:
Requirements are often phrased in terms of (mutual) authentication, integrity, and confidentiality, leaving the choice of security mechanism to implementers and deployers.
The primary SAML use case is called Web Browser Single Sign-On (SSO).
In SAML 1.1, the flow begins with a request to the identity provider's inter-site transfer service at step 3.
Indeed, the flow outlined in the previous section is sometimes called the Lightweight Web Browser SSO Profile.
Subsequently, the service provider requests the actual assertion via a back channel.