
Security Assertion Markup Language

Article snapshot taken from Wikipedia under the Creative Commons Attribution-ShareAlike license.

Security Assertion Markup Language (SAML, pronounced SAM-el, /ˈsæməl/) is an open standard for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions). SAML is also:


An important use case that SAML addresses is web-browser single sign-on (SSO). Single sign-on is relatively easy to accomplish within a security domain (using cookies, for example), but extending SSO across security domains is more difficult and has resulted in the proliferation of non-interoperable proprietary technologies. The SAML Web Browser SSO profile was specified and standardized to promote interoperability. The SAML specification defines three roles:

a circle of trust where each participating domain is trusted to accurately document the processes used to identify a user, the type of authentication system used, and any policies associated with the resulting authentication credentials. Other members of the circle of trust could then examine these policies to determine whether to trust such information. While Liberty was developing ID-FF, the SSTC began work on

a user agent (usually a web browser) to request a web resource protected by a SAML service provider. The service provider, wishing to know the identity of the requesting user, issues an authentication request to a SAML identity provider through the user agent. The resulting protocol flow is depicted in the following diagram. In SAML 1.1, the flow begins with a request to the identity provider's inter-site transfer service at step 3. In

a defined use case using a particular combination of assertions, protocols and bindings. A SAML assertion contains a packet of security information: Loosely speaking, a relying party interprets an assertion as follows: Assertion A was issued at time t by issuer R regarding subject S provided conditions C are valid. SAML assertions are usually transferred from identity providers to service providers. Assertions contain statements that service providers use to make access-control decisions. Three types of statements are provided by SAML: Authentication statements assert to

a defined use case. The most important SAML profile is the Web Browser SSO Profile. SAML 1.1 specifies two forms of Web Browser SSO, the Browser/Artifact Profile and the Browser/POST Profile. The latter passes assertions by value whereas Browser/Artifact passes assertions by reference. As a consequence, Browser/Artifact requires a back-channel SAML exchange over SOAP. In SAML 1.1, all flows begin with

a minor upgrade to the SAML standard. The resulting SAML 1.1 specification was ratified by the SSTC in September 2003. Then, in November of that same year, Liberty contributed ID-FF 1.2 to OASIS, thereby sowing the seeds for the next major version of SAML. In March 2005, SAML 2.0 was announced as an OASIS Standard. SAML 2.0 represents the convergence of Liberty ID-FF and proprietary extensions contributed by

a request at the identity provider for simplicity. Proprietary extensions to the basic IdP-initiated flow have been proposed (by Shibboleth, for example). The Web Browser SSO Profile was completely refactored for SAML 2.0. Conceptually, SAML 1.1 Browser/Artifact and Browser/POST are special cases of SAML 2.0 Web Browser SSO. The latter is considerably more flexible than its SAML 1.1 counterpart due to

a section in the menu for deleting cookies. Finer-grained management of cookies usually requires a browser extension. The first web browser, called WorldWideWeb, was created in 1990 by Sir Tim Berners-Lee. He then recruited Nicola Pellow to write the Line Mode Browser, which displayed web pages on dumb terminals. The Mosaic web browser was released in April 1993, and was later credited as

a sync service and web accessibility features. Common user interface (UI) features: While mobile browsers have similar UI features as desktop versions, the limitations of touch screens require mobile UIs to be simpler. The difference is significant for users accustomed to keyboard shortcuts. The most popular desktop browsers also have sophisticated web development tools. Web browsers are popular targets for hackers, who exploit security holes to steal information, destroy files, and carry out other malicious activities. Browser vendors regularly patch these security holes, so users are strongly encouraged to keep their browser software updated. Other protection measures are antivirus software and being aware of scams.

Attribute–value pair

A name–value pair, also called an attribute–value pair, key–value pair, or field–value pair,

a web browser is to fetch content and display it on the user's device. This process begins when the user inputs a Uniform Resource Locator (URL), such as https://en.wikipedia.org/, into the browser. Virtually all URLs on the Web start with either http: or https:, which means they are retrieved with the Hypertext Transfer Protocol (HTTP). For secure mode (HTTPS), the connection between

is Google Chrome, with a 67% global market share on all devices, followed by Safari with 18%. A web browser is not the same thing as a search engine, though the two are often confused. A search engine is a website that provides links to other websites. However, to connect to a website's server and display its web pages, a user must have a web browser installed. In some technical contexts, browsers are referred to as user agents. The purpose of



is a fundamental data representation in computing systems and applications. Designers often desire an open-ended data structure that allows for future extension without modifying existing code or data. In such situations, all or part of the data model may be expressed as a collection of 2-tuples in the form <attribute name, value>, with each element being an attribute–value pair. Depending on

is a mapping of a SAML protocol message onto standard messaging formats and/or communications protocols. For example, the SAML SOAP binding specifies how a SAML message is encapsulated in a SOAP envelope, which itself is bound to an HTTP message. SAML 1.1 specifies just one binding, the SAML SOAP Binding. In addition to SOAP, implicit in SAML 1.1 Web Browser SSO are the precursors of

is an application for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's screen. Browsers are used on a range of devices, including desktops, laptops, tablets, and smartphones. By 2020, an estimated 4.9 billion people had used a browser. The most-used browser

is based on Mozilla's code. Both of these codebases are open-source, so a number of small niche browsers are also made from them. The most popular browsers share many features in common. They automatically log users' browsing history, unless the users turn off their browsing history or use the non-logging private mode. They also allow users to set bookmarks, customize the browser with extensions, and can manage user passwords. Some provide

is simply a name–value pair. Relying parties use attributes to make access-control decisions. An authorization decision statement asserts that a principal is permitted to perform action A on resource R given evidence E. The expressiveness of authorization decision statements in SAML is intentionally limited. More-advanced use cases are encouraged to use XACML instead. A SAML protocol describes how certain SAML elements (including assertions) are packaged within SAML request and response elements, and gives

is transmitted, not how (the latter is determined by the choice of binding). So SAML Core defines "bare" SAML assertions along with SAML request and response elements. A SAML binding determines how SAML requests and responses map onto standard messaging or communications protocols. An important (synchronous) binding is the SAML SOAP binding. A SAML profile is a concrete manifestation of

the Shibboleth project, as well as early versions of SAML itself. Most SAML implementations support v2.0 while many still support v1.1 for backward compatibility. By January 2008, deployments of SAML 2.0 became common in government, higher education, and commercial enterprises worldwide. SAML has undergone one minor and one major revision since 1.0. The Liberty Alliance contributed its Identity Federation Framework (ID-FF) to

the most popular browser. Microsoft debuted Internet Explorer in 1995, leading to a browser war with Netscape. Within a few years, Microsoft gained a dominant position in the browser market for two reasons: it bundled Internet Explorer with its popular Windows operating system and did so as freeware with no restrictions on usage. The market share of Internet Explorer peaked at over 95% in

the Advancement of Structured Information Standards (OASIS) Security Services Technical Committee (SSTC), which met for the first time in January 2001, was chartered "to define an XML framework for exchanging authentication and authorization information." To this end, the following intellectual property was contributed to the SSTC during the first two months of that year: Building on these initial contributions, in November 2002 OASIS announced

the HTTP POST Binding, the HTTP Redirect Binding, and the HTTP Artifact Binding. These are not defined explicitly, however, and are only used in conjunction with SAML 1.1 Web Browser SSO. The notion of binding is not fully developed until SAML 2.0. SAML 2.0 completely separates the binding concept from the underlying profile. In fact, there is a brand new binding specification in SAML 2.0 that defines



the OASIS SSTC in September 2003: Versions 1.0 and 1.1 of SAML are similar even though small differences exist. However, the differences between SAML 2.0 and SAML 1.1 are substantial. Although the two standards address the same use case, SAML 2.0 is incompatible with its predecessor. Although ID-FF 1.2 was contributed to OASIS as the basis of SAML 2.0, there are some important differences between SAML 2.0 and ID-FF 1.2. In particular,

the SAML Web Browser SSO Profile, some important third-party profiles of SAML include: The SAML specifications recommend, and in some cases mandate, a variety of security mechanisms: Requirements are often phrased in terms of (mutual) authentication, integrity, and confidentiality, leaving the choice of security mechanism to implementers and deployers. The primary SAML use case is called Web Browser Single Sign-On (SSO). A user utilizes

the SP, the IdP may request some information from the principal, such as a user name and password, in order to authenticate the principal. SAML specifies the content of the assertion that is passed from the IdP to the SP. In SAML, one identity provider may provide SAML assertions to many service providers. Similarly, one SP may rely on and trust assertions from many independent IdPs. SAML does not specify

the Security Assertion Markup Language (SAML) 1.0 specification as an OASIS Standard. Meanwhile, the Liberty Alliance, a large consortium of companies, non-profit and government organizations, proposed an extension to the SAML standard called the Liberty Identity Federation Framework (ID-FF). Like its SAML predecessor, Liberty ID-FF proposed a standardized, cross-domain, web-based, single sign-on framework. In addition, Liberty described

the actual assertion via a back channel. Such a back-channel exchange is specified as a SOAP message exchange (SAML over SOAP over HTTP). In general, any SAML exchange over a secure back channel is conducted as a SOAP message exchange. On the back channel, SAML specifies the use of SOAP 1.1. The use of SOAP as a binding mechanism is optional, however. Any given SAML deployment will choose whatever bindings are appropriate.

Web browser

A web browser

the basis for many other browsers, including Microsoft Edge, currently in third place with about a 5% share, as well as Samsung Internet and Opera in fifth and sixth places respectively with over 2% market share each. The other two browsers in the top four are made from different codebases. Safari, based on Apple's WebKit code, is the second most popular web browser and is dominant on Apple devices, resulting in an 18% global share. Firefox, in fourth place, with about 3% market share,

the browser and web server is encrypted, providing a secure and private data transfer. Web pages usually contain hyperlinks to other pages and resources. Each link contains a URL, and when it is clicked or tapped, the browser navigates to the new resource. Most browsers use an internal cache of web page resources to improve loading times for subsequent visits to the same page. The cache can store many items, such as large images, so they do not need to be downloaded from

the early 2000s. In 1998, Netscape launched what would become the Mozilla Foundation to create a new browser using the open-source software model. This work evolved into the Firefox browser, first released by Mozilla in 2004. Firefox's market share peaked at 32% in 2010. Apple released its Safari browser in 2003; it remains the dominant browser on Apple devices, though it did not become popular elsewhere. Google debuted its Chrome browser in 2008, which steadily took market share from Internet Explorer and became

the example flow above, all depicted exchanges are front-channel exchanges, that is, an HTTP user agent (browser) communicates with a SAML entity at each step. In particular, there are no back-channel exchanges or direct communications between the service provider and the identity provider. Front-channel exchanges lead to simple protocol flows where all messages are passed by value using a simple HTTP binding (GET or POST). Indeed,

the first web browser to find mainstream popularity. Its innovative graphical user interface made the World Wide Web easy to navigate and thus more accessible to the average person. This, in turn, sparked the Internet boom of the 1990s, when the Web grew at a very rapid rate. The lead developers of Mosaic then founded the Netscape corporation, which released the Mosaic-influenced Netscape Navigator in 1994. Navigator quickly became


the flow outlined in the previous section is sometimes called the Lightweight Web Browser SSO Profile. Alternatively, for increased security or privacy, messages may be passed by reference. For example, an identity provider may supply a reference to a SAML assertion (called an artifact) instead of transmitting the assertion directly through the user agent. Subsequently, the service provider requests
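The artifact just described is a short, opaque reference, and the HTTP Artifact binding of SAML 2.0 fixes its layout. The following added example (Python standard library only; not code from the page or from any SAML implementation) builds and parses a type 0x0004 artifact: a 44-byte value made of a 2-byte type code, a 2-byte endpoint index selecting the issuer's artifact resolution endpoint, the 20-byte SourceID (the SHA-1 of the issuer's entityID, as the SAML 2.0 Bindings specification prescribes for this type) and a 20-byte random message handle, all base64-encoded. It then shows how the service provider maps the SourceID back to a trusted identity provider and composes the ArtifactResolve message it would send over the SOAP back channel to obtain the actual assertion. The entity IDs and the fixed message handle used for checking are invented; the real exchange would also be authenticated (TLS client authentication and/or a signature on the ArtifactResolve).

```python
"""SAML 2.0 type-0x0004 artifact: build, parse, map back to the issuer, and
form the back-channel ArtifactResolve (added example, constructed identifiers)."""

import base64
import hashlib
import os
import struct

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
TYPE_CODE = 0x0004          # the artifact format defined in SAML 2.0 Bindings
ARTIFACT_LEN = 2 + 2 + 20 + 20


def source_id(entity_id):
    """SourceID: SHA-1 of the artifact issuer's entityID (20 bytes)."""
    return hashlib.sha1(entity_id.encode()).digest()


def build_artifact(issuer_entity_id, endpoint_index=0, message_handle=None):
    """TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20), base64-encoded.
    The handle is random; the issuer stores it with the assertion it refers to."""
    handle = message_handle if message_handle is not None else os.urandom(20)
    if len(handle) != 20:
        raise ValueError("message handle must be exactly 20 bytes")
    raw = struct.pack(">HH", TYPE_CODE, endpoint_index) + source_id(issuer_entity_id) + handle
    return base64.b64encode(raw).decode()


def parse_artifact(artifact):
    """Return (endpoint_index, source_id, message_handle); reject anything that is not a
    well-formed type-4 artifact rather than guessing."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError("unexpected artifact length %d" % len(raw))
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != TYPE_CODE:
        raise ValueError("unsupported artifact type 0x%04x" % type_code)
    return endpoint_index, raw[4:24], raw[24:44]


def resolve_issuer(artifact, trusted_idp_entity_ids):
    """SP side: the SourceID must match one of the identity providers in the SP's
    metadata; an artifact from anyone else is not resolved at all."""
    _, sid, _ = parse_artifact(artifact)
    by_source = {source_id(e): e for e in trusted_idp_entity_ids}
    if sid not in by_source:
        raise LookupError("artifact SourceID matches no trusted identity provider")
    return by_source[sid]


def artifact_resolve_soap(artifact, sp_entity_id, request_id, issue_instant):
    """SAML-over-SOAP back-channel request (unsigned here; signed and over TLS in practice)."""
    return (
        '<soap:Envelope xmlns:soap="%s"><soap:Body>'
        '<samlp:ArtifactResolve xmlns:samlp="%s" xmlns:saml="%s" '
        'ID="%s" Version="2.0" IssueInstant="%s">'
        '<saml:Issuer>%s</saml:Issuer>'
        '<samlp:Artifact>%s</samlp:Artifact>'
        '</samlp:ArtifactResolve></soap:Body></soap:Envelope>'
    ) % (SOAP_ENV, SAMLP, SAML, request_id, issue_instant, sp_entity_id, artifact)
```

Because the artifact carries no assertion content, the service provider learns nothing until it resolves it at the issuer's own endpoint; the endpoint index and SourceID are only ever looked up in metadata the SP already trusts, never taken from the artifact as a URL.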

the following standalone bindings: This reorganization provides tremendous flexibility: taking just Web Browser SSO alone as an example, a service provider can choose from four bindings (HTTP Redirect, HTTP POST and two flavors of HTTP Artifact), while the identity provider has three binding options (HTTP POST plus two forms of HTTP Artifact), for a total of twelve possible deployments of the SAML 2.0 Web Browser SSO Profile. A SAML profile describes in detail how SAML assertions, protocols, and bindings combine to support
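To make the binding choice concrete, here is an added example (Python standard library only; not code from the page or from any SAML product) that carries one constructed SP-initiated AuthnRequest over the two by-value front-channel bindings a service provider can pick from: HTTP Redirect, where the message is DEFLATE-compressed, base64-encoded and URL-encoded into the SAMLRequest query parameter, and HTTP POST, where it travels base64-encoded, uncompressed, in a form field. The entity IDs, endpoint URLs and request ID are invented. Signatures are omitted, and the two bindings differ here too: the Redirect binding signs the query string via the SigAlg and Signature parameters, while the POST binding embeds an XML Signature in the message itself.

```python
"""The same AuthnRequest over the HTTP Redirect and HTTP POST bindings of SAML 2.0
(added example, constructed names and URLs)."""

import base64
import zlib
from urllib.parse import urlencode, parse_qs, urlparse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed SP-initiated AuthnRequest (hypothetical SP and IdP).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" '
    'ID="_req-7f3a" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" '
    'Destination="https://idp.example.org/sso/redirect" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
) % (SAMLP, SAML)


def redirect_binding_url(sso_url, xml_text, relay_state=None):
    """HTTP Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15 selects a raw deflate stream
    deflated = compressor.compress(xml_text.encode()) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return "%s?%s" % (sso_url, urlencode(params))


def decode_redirect_binding(url):
    """IdP side of the Redirect binding: undo the URL-encoding, base64 and DEFLATE."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    xml_text = zlib.decompress(raw, -15).decode()
    return xml_text, query.get("RelayState", [None])[0]


def post_binding_fields(xml_text, relay_state=None):
    """HTTP POST binding: the message is base64-encoded (no compression) into hidden form fields."""
    fields = {"SAMLRequest": base64.b64encode(xml_text.encode()).decode()}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return fields


def decode_post_binding(fields):
    """IdP side of the POST binding."""
    return base64.b64decode(fields["SAMLRequest"]).decode(), fields.get("RelayState")


def request_summary(xml_text):
    """The fields the IdP must actually act on: ID, Issuer, Destination, ACS URL."""
    root = ET.fromstring(xml_text)
    return {
        "id": root.get("ID"),
        "issuer": root.findtext("{%s}Issuer" % SAML),
        "destination": root.get("Destination"),
        "acs": root.get("AssertionConsumerServiceURL"),
    }
```

Whichever binding delivered it, the identity provider should compare Destination with the endpoint the message actually arrived at and check AssertionConsumerServiceURL against the endpoints registered in that SP's metadata, rather than posting the response wherever the request asks; request_summary pulls out exactly the fields those checks need.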

the method of authentication at the identity provider. The IdP may use a username and password, or some other form of authentication, including multi-factor authentication. A directory or authentication service such as LDAP, Active Directory, or RADIUS that allows users to log in with a user name and password is a typical source of authentication at an identity provider. The popular Internet social networking services also provide identity services that in theory could be used to support SAML exchanges. The Organization for

the most popular browser in 2012. Chrome has remained dominant ever since. By 2015, Microsoft replaced Internet Explorer with Edge for the Windows 10 release. Since the early 2000s, browsers have greatly expanded their HTML, CSS, JavaScript, and multimedia capabilities. One reason has been to enable more sophisticated websites, such as web apps. Another factor is the significant increase of broadband connectivity in many parts of

the new "plug-and-play" binding design of SAML 2.0. Unlike previous versions, SAML 2.0 browser flows begin with a request at the service provider. This provides greater flexibility, but SP-initiated flows naturally give rise to the so-called Identity Provider Discovery problem, the focus of much research today. In addition to Web Browser SSO, SAML 2.0 introduces numerous new profiles: Aside from

the particular application and the implementation chosen by programmers, attribute names may or may not be unique. Some of the applications where information is represented as name–value pairs are: Some computer languages implement name–value pairs, or more frequently collections of attribute–value pairs, as standard language features. Most of these implement the general model of an associative array: an unordered list of unique attributes with associated values. As

the principal (typically a human user), the identity provider (IdP) and the service provider (SP). In the primary use case addressed by SAML, the principal requests a service from the service provider. The service provider requests and obtains an authentication assertion from the identity provider. On the basis of this assertion, the service provider can make an access control decision, that is, it can decide whether to perform

the processing rules that SAML entities must follow when producing or consuming these elements. For the most part, a SAML protocol is a simple request-response protocol. The most important type of SAML protocol request is called a query. A service provider makes a query directly to an identity provider over a secure back channel. Thus query messages are typically bound to SOAP. Corresponding to

the server again. Cached items are usually only stored for as long as the web server stipulates in its HTTP response messages. During the course of browsing, cookies received from various websites are stored by the browser. Some of them contain login credentials or site preferences. However, others are used for tracking user behavior over long periods of time, so browsers typically provide

the service for the connected principal. At the heart of the SAML assertion is a subject (a principal within the context of a particular security domain) about which something is being asserted. The subject is usually (but not necessarily) a human. As in the SAML 2.0 Technical Overview, the terms subject and principal are used interchangeably in this document. Before delivering the subject-based assertion from IdP to


the service provider that the principal did indeed authenticate with the identity provider at a particular time using a particular method of authentication. Other information about the authenticated principal (called the authentication context) may be disclosed in an authentication statement. An attribute statement asserts that a principal is associated with certain attributes. An attribute

the three types of statements, there are three types of SAML queries: The result of an attribute query is a SAML response containing an assertion, which itself contains an attribute statement. See the SAML 2.0 topic for an example of attribute query/response. Beyond queries, SAML 1.1 specifies no other protocols. SAML 2.0 expands the notion of protocol considerably. The following protocols are described in detail in SAML 2.0 Core: Most of these protocols are new in SAML 2.0. A SAML binding

the two specifications, despite their common roots, are incompatible. SAML is built upon a number of existing standards: SAML defines XML-based assertions and protocols, bindings, and profiles. The term SAML Core refers to the general syntax and semantics of SAML assertions as well as the protocol used to request and transmit those assertions from one system entity to another. SAML protocol refers to what

the world, enabling people to access data-intensive content, such as streaming HD video on YouTube, that was not possible during the era of dial-up modems. Google Chrome has been the dominant browser since the mid-2010s and currently has a 67% global market share on all devices. The vast majority of its source code comes from Google's open-source Chromium project; this code is also
