SAML in Simple

Before getting to know what SAML is, we should have a basic idea of federation.
Federation
The word usually means control in a centralized way, but in identity management it refers to establishing some or all of business agreements, cryptographic trust, and user identifiers or attributes across security and policy domains so that cross-domain business interactions become more seamless. In web services the application layer and the transport (messaging) layer are loosely coupled; in the same way, federation isolates each domain from the users' authentication and authorization infrastructure.
Key to this loose coupling are standardized mechanisms and formats for communicating identity information between the domains. The standard provides the insulating buffer, and SAML defines just such a standard.
SAML (Security Assertion Markup Language) is an XML-based framework for communicating user authentication, entitlement and attribute information. As its name suggests, SAML allows business entities to make assertions about the identity, attributes, and entitlements of a subject (typically a human user) to other entities in a secure way.
There are three main roles involved in this process.
Identity Provider (IdP) - issues identification information and authenticates users by means of security tokens
End user - typically you!
Service Provider (SP) - provides resources to an end user
In this flow, the end user initiates the login process at the SP. The SP redirects the user to the IdP with a SAML Request (AuthnRequest). The SAML Request contains the information the IdP needs to authenticate the end user and reply to the SP with the correct SAML Assertion (carried in a SAML Response).
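The first half of that flow, the SP minting an AuthnRequest and sending it to the IdP through the HTTP-Redirect binding, looks like this in code. This is an added example, not code from the original post; the entity IDs and URLs are assumed, the request is unsigned, and the IdP side only unpacks the request (a real IdP would go on to authenticate the user and send a Response to the SP's registered ACS URL).

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Assumed identifiers for this example; real values come from SP and IdP metadata.
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.org/sso/redirect"

# Request IDs the SP has issued and not yet seen answered. The SP later checks
# Response/@InResponseTo against this set, which is what stops unsolicited or
# replayed responses from being accepted.
OUTSTANDING_REQUESTS = set()


def new_request_id():
    # SAML IDs are XML IDs (NCName), so they must not start with a digit.
    return "_" + uuid.uuid4().hex


def build_authn_request(request_id, issue_instant):
    """Build a minimal SAML 2.0 AuthnRequest and return it as an XML string."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")


def encode_redirect(xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode.

    A signed request would add SigAlg and Signature query parameters; that
    step is omitted here.
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "RelayState": relay_state,
    })


def decode_redirect(url):
    """Reverse of encode_redirect: recover the XML and RelayState from the URL."""
    params = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(params["SAMLRequest"][0])
    xml = zlib.decompress(deflated, -15).decode("utf-8")
    return xml, params["RelayState"][0]


def sp_initiate_login(relay_state, now=None):
    """SP side: mint a request, remember its ID, and build the redirect to the IdP."""
    now = now or datetime.now(timezone.utc)
    request_id = new_request_id()
    OUTSTANDING_REQUESTS.add(request_id)
    xml = build_authn_request(request_id, now)
    return request_id, IDP_SSO_URL + "?" + encode_redirect(xml, relay_state)


def idp_parse_redirect(url):
    """IdP side: unpack the request the browser delivered.

    An IdP must not trust AssertionConsumerServiceURL from the request alone;
    it should match it against the SP's registered metadata before sending
    the Response there.
    """
    xml, relay_state = decode_redirect(url)
    req = ET.fromstring(xml)  # use defusedxml for untrusted input in production
    return {
        "id": req.get("ID"),
        "issuer": req.findtext(f"{{{SAML}}}Issuer"),
        "acs_url": req.get("AssertionConsumerServiceURL"),
        "relay_state": relay_state,
    }


if __name__ == "__main__":
    rid, url = sp_initiate_login("/dashboard")
    print(url)
    print(idp_parse_redirect(url))
```

RelayState is opaque to the IdP and simply comes back with the Response, which is why the SP uses it for "where to go after login" rather than for anything security-relevant.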
SAML provides request/response protocols for exchanging XML messages between these roles. The standard specifies four main components: profiles, bindings, protocols, and assertions.
An assertion is a package of information that supplies one or more statements made by a SAML authority. SAML defines three different kinds of assertion statement that a SAML authority can create: authentication, attribute, and authorization decision.
SAML defines a number of request/response protocols that allow service providers to, for example, request or query for an assertion and request a near-simultaneous logout of a collection of related sessions (“single logout”).
SAML protocol bindings map from SAML request/response message exchanges into standard messaging or communication protocols. For instance, the SAML SOAP Binding defines how SAML protocol messages can be communicated within SOAP messages, whilst the HTTP Redirect binding defines how to pass protocol messages through HTTP redirection.
A SAML profile defines constraints and/or extensions in support of the usage of SAML for a particular application. For instance, the Web Browser SSO Profile specifies how SAML authentication assertions are communicated between an identity provider and a service provider to enable single sign-on for a browser user.
Now you can get a clear picture of SAML and how it works.
In identity management, other security protocols besides SAML are in use, such as OpenID Connect, OAuth 2.0 and Passive STS. The main limitation of SAML is that it was not originally designed for mobile or native apps. OpenID Connect has become very popular these days and represents the future of authentication and authorization, particularly because it was developed with mobile and native apps in mind, although SAML will be with us for a long time because of its dominant position within the enterprise.
In my upcoming posts I’ll write more about other security protocols and how they distinguish themselves from other protocols.
