Understanding Security Assertion Markup Language - SAML
The Security Assertion Markup Language (SAML) is an XML vocabulary used to exchange security assertions. Authentication information needs to be shared across the different applications that make up a system; otherwise the user is forced to authenticate again each time they enter a new application.
Imagine the experience of a user who is asked to authenticate on several pages of a web application after entering a portal and trying to use the services available there. Such a user will hesitate to use that application a second time and will look for another application that offers single sign-on.
Single sign-on is achieved through SAML because the authentication information is shared among the different components of a web application. Consider a portal that has many features.
When the user navigates from one feature to another within that portal, the authentication information has to be shared; otherwise the user would be required to authenticate on each screen. With SAML the user signs in at only one place and can then use all the features of the portal.
To achieve this, the authentication information is shared with the underlying systems. Once authenticated, the user is authorized to access certain protected information in the portal, so the authentication information is also the basis for controlling access to that information.
Each category of user is allowed to access only certain parts of the portal, based on the privileges given to that category. As an example, consider a system that allows managers and employees to perform different levels of transactions.
For example, HR department staff are allowed to access the salary information of all employees, and they are also the users entitled to view the attendance records of everyone in the organization.
Other employees have a different level of access and cannot reach the information available to HR staff. The access control rules are framed around the authenticated category of the employee.
One of the important features of SAML is its general assertion framework, which is used to assert the information given and to allow users to use the features of the system only during a particular period. Each assertion is targeted at a specific audience.
The SAML specifications define the XML vocabulary for authentication and authorization assertions, and they define how this assertion information is passed among the different components of the system. They also define a request/response protocol for obtaining assertions.
SAML also defines a SOAP binding, and it defines URNs that serve as unique identifiers for the authentication mechanisms and authorization actions. Digital signatures can be attached to assertions as specified in SAML.
When a user logs in, an assertion is created for that user and the authentication information is shared in a defined manner. The time period during which the user may act on the assertion is passed along with it. Many techniques are available for establishing a person's identity.
Presenting a hardware token or using biometrics are among the ways a person's identity can be established. SAML has an AuthorizationDecisionStatement that asserts the outcome of a request for access to a resource: the decision reached for that request is asserted together with evidence that supports the decision. More information on such statements is available in the SAML specifications on the web.
The format of an assertion might be something like given below:
<Assertion>
  <Conditions NotBefore="xxx" NotOnOrAfter="xxx">
    <AudienceRestrictionCondition>
      <Audience>...</Audience>
    </AudienceRestrictionCondition>
  </Conditions>
  <Advice>
    <AssertionIDReference>anID</AssertionIDReference>
    <Assertion>...</Assertion>
  </Advice>
  <AuthenticationStatement AuthenticationMethod="xxx" AuthenticationInstant="xxx">
    <Subject>
      <NameIdentifier Format="xxx"> </NameIdentifier>
    </Subject>
  </AuthenticationStatement>
  <ds:Signature> </ds:Signature>
</Assertion>
The <Conditions> tag specifies optional conditions that determine the time window during which the assertion is valid: the assertion is valid from NotBefore (inclusive) up to, but not including, NotOnOrAfter. The <AudienceRestrictionCondition> identifies the audiences (relying parties) for which the assertion is intended; a party not named there must not accept it.
The optional <Advice> tag carries supporting evidence for the authentication and authorization. The authentication statement tag records the method used for authentication in the 'AuthenticationMethod' attribute, and the date and time of authentication in the AuthenticationInstant attribute.
To identify the person who is authorized to perform certain tasks, the <Subject> tag has a sub-element <NameIdentifier>. The digital signature over the assertion is carried in a separate signature tag. You can find more information on the different tags in the SAML specifications on the web.
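As an added example that is not part of the original article, the following Python function shows how a relying party would evaluate the <Conditions> element described above: it checks the NotBefore/NotOnOrAfter window and the audience restriction. The sample assertion is constructed here in the same namespace-free shape as the article's skeleton, with a made-up audience URL and subject; signature verification is assumed to happen before this check and is not shown.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Constructed sample assertion, shaped like the article's skeleton (no namespaces).
SAMPLE_ASSERTION = """<Assertion>
  <Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <AudienceRestrictionCondition>
      <Audience>https://portal.example.com</Audience>
    </AudienceRestrictionCondition>
  </Conditions>
  <AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
                           AuthenticationInstant="2024-01-01T00:00:00Z">
    <Subject>
      <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</NameIdentifier>
    </Subject>
  </AuthenticationStatement>
</Assertion>"""


def parse_instant(value):
    """SAML instants are xsd:dateTime in UTC; this accepts the trailing-'Z' form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_conditions(assertion_xml, my_audience, now):
    """Return (accepted, reason) for the assertion's <Conditions>, evaluated as
    the relying party identified by my_audience at time `now` (an aware datetime).
    Assumes the signature has already been verified over this exact XML."""
    # For XML from untrusted sources use a hardened parser (e.g. defusedxml).
    root = ET.fromstring(assertion_xml)
    if root.tag != "Assertion":
        return False, "not an Assertion"
    conditions = root.find("Conditions")
    if conditions is None:
        return True, "no conditions present"
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    # NotBefore is inclusive; NotOnOrAfter is exclusive, as the attribute names say.
    if not_before is not None and now < parse_instant(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after is not None and now >= parse_instant(not_on_or_after):
        return False, "assertion expired"
    # Every AudienceRestrictionCondition must name us; each is a list of alternatives.
    for restriction in conditions.findall("AudienceRestrictionCondition"):
        audiences = [a.text.strip() for a in restriction.findall("Audience") if a.text]
        if my_audience not in audiences:
            return False, "audience mismatch"
    return True, "ok"
```

A real deployment would also bound clock skew and reject assertions whose window is unreasonably long, but the ordering shown (signature first, then conditions, then audience) is the part that matters.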