
Security Assertion Mark-up Language (SAML)

In this video, you will learn a newer technology called security assertion mark-up language (SAML).
Let’s take a look at some newer technologies now that help and support more modern use of identity and access management. The first of these is the Security Assertion Markup Language, SAML. And this was an open standard developed by OASIS, the OASIS Group. This uses XML and a number of other different technologies. It was created as SAML Version One in 2002 and moved to SAML Version Two in 2005. So SAML uses the markup language XML. It remains an open standard, which is fantastic. So we’re not talking about something that’s proprietary here. This is actually released as an implementation that people can adopt. So the vast majority of our software as a service vendors, our cloud vendors, people like Salesforce, Google and Microsoft.
They support SAML by default. So typically, SAML is used to handle enterprise single sign-on. So SAML deals with authentication and authorization. When we consume SAML, we most commonly consume it through the use of pre-built connectors. So when we use those connectors provided by Salesforce, Google, Microsoft, whoever, these connectors may use SAML. But we don’t necessarily see how that works under the hood. SAML is very good at handling single sign-on across multiple security domains, typically across those kind of SaaS, software as a service, type providers. And the SAML specification defines three roles. The principal, and the principal is typically the human user, the user trying to log in, trying to gain access.
And typically, the principal, the user, is asked to provide a username or some other details.
We have the service provider, sometimes called the relying party. In the primary use case for SAML, the user requests, or the principal requests, a service from the service provider. And the service provider requests and obtains authentication from the identity provider. So this is how those three parts interrelate. The identity provider could be something like Active Directory, Azure, any of those directory type services, or other user repository. So the different components of SAML, we said that it relates to XML. XML is a markup language, like HTML. So it is typically readable by a human being. We have the schema. This is the standardized digital format used in the assertion and also in the protocols. We have the XML signature.
This is the digital signature for the authentication. And it also provides a supplementary integrity control for us. We have XML Encryption. SAML Version Two increased the capability of SAML and supports XML encryption. It uses HTTP as the communication protocol. And it does reference a longstanding technology, SOAP - Simple Object Access Protocol. This is a messaging protocol designed to allow for the exchange of structured information. With SAML, we have some components.
We have the assertion: a SAML assertion contains a packet of security information. So typically, this is marked up. We have something, some XML type message, something that you would recognise as an XML type message. We have a SAML binding. This determines how the SAML requests and responses map onto the standard messages or communications protocols. An important binding is that between SAML and the SOAP for the message exchange. We have the SAML Profile. This is the way the implementation occurs for a particular use case. This is it being implemented. This is the combination of the assertion, the protocol, and the binding. So the assertions are usually transferred from the identity provider to the service provider.
The assertion contains the statement that the service providers use to make access control decisions. So we have three types of statement that are provided by SAML. An authentication statement, an attribute statement, and an authorization decision statement. So there, we see authentication and authorization.
For protocols, the SAML protocol describes how SAML, including its assertions, is packaged within the request and its response. So these define the processing rules that any SAML entity should follow. The most common type of SAML protocol is a query. Here, the service provider makes a query directly to the identity provider over the secure channel. So these query messages use SOAP for the message exchange. We mentioned briefly the difference between SAML Version One and SAML Version Two. SAML Version One did not support encryption. It relied on somebody implementing encryption separately. SAML Version Two did introduce encryption. And for that reason, it is not backwards compatible with SAML Version One. There are many other differences between SAML Version One and Version Two.
But the biggest of those is the XML encryption for the name identifiers, for the attributes, and for the assertions. So a significant change. So the SAML process we see here summarized on the screen. We have the client in the middle, who attempts to access the service provider. The service provider will redirect the client to the IdP. The client requests single sign on via the IdP. The IdP will make an authentication response to the client. And that’s typically a URL again that redirects the client to the service provider. And the client passes the authentication response from the IdP onto the service provider. So here, the user browser talks directly to the IdP and the service provider.
There’s no need for direct communication between the SP and the IdP. OK, this concludes the first part of our section on technology within identity and access management. In our next session, we will look at open authorization, at OpenID Connect, and some of the other technologies that relate to identity and access management. I hope you’ve enjoyed the session and I look forward to seeing you next time. Thank you.


SAML is an open standard developed by the OASIS Group and uses XML. It handles authentication and authorization, typically in the form of enterprise SSO. It defines the following roles:

  • principal
  • IdP
  • service provider
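The video walks through the SP-initiated flow (client is redirected to the IdP, the IdP hands the client an authentication response, the client passes it on to the service provider) and names the pieces involved: assertions, bindings, and the three roles listed above. The following is an added example, not code from the video or from FutureLearn, that models that exchange with only the Python standard library. It builds a SAML 2.0 AuthnRequest for the service provider, encodes it with the HTTP-Redirect binding (DEFLATE, base64, URL query), lets the identity provider decode it and answer with a Response containing one assertion (authentication statement, attribute statement, conditions), carries that Response in the HTTP-POST binding, and then applies the checks a relying party must make before trusting any statement: InResponseTo, Destination, Status, Issuer, validity window and AudienceRestriction. The entity IDs, URLs, user name and attributes are constructed values. XML Signature verification is assumed to have happened already (it needs a signature library and is outside this example); without it none of the checks below protect anything, because the Response could have been written by anyone.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed identifiers for the three roles (assumed values, not a real deployment).
SP_ENTITY_ID = "https://sp.example.test/metadata"    # service provider / relying party
SP_ACS_URL = "https://sp.example.test/saml/acs"      # where the client posts the response
IDP_ENTITY_ID = "https://idp.example.test/metadata"  # identity provider
IDP_SSO_URL = "https://idp.example.test/sso"
DEMO_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def build_authn_request(request_id, issued):
    """SP role: the AuthnRequest sent when the SP redirects the client to the IdP."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
            f'Version="2.0" IssueInstant="{issued.strftime(TS_FMT)}" Destination="{IDP_SSO_URL}" '
            f'AssertionConsumerServiceURL="{SP_ACS_URL}"><saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
            f'</samlp:AuthnRequest>')


def redirect_binding_url(authn_request_xml):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 gives raw DEFLATE (no zlib header)
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def decode_redirect_binding(url):
    """IdP role: recover the AuthnRequest element from the redirect URL."""
    encoded = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return ET.fromstring(zlib.decompress(base64.b64decode(encoded), -15))


def build_response(authn_request, name_id, attrs, issued):
    """IdP role: a Response carrying one assertion with authentication and attribute statements."""
    audience = authn_request.find("saml:Issuer", NS).text  # the SP that asked is the intended audience
    acs, in_response_to = authn_request.get("AssertionConsumerServiceURL"), authn_request.get("ID")
    attr_xml = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue>'
                       f'</saml:Attribute>' for k, v in attrs.items())
    t0, t1 = issued.strftime(TS_FMT), (issued + timedelta(minutes=5)).strftime(TS_FMT)
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" '
            f'Version="2.0" IssueInstant="{t0}" Destination="{acs}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{t0}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{t0}" NotOnOrAfter="{t1}"><saml:AudienceRestriction>'
            f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AuthnStatement AuthnInstant="{t0}"/>'
            f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
            f'</saml:Assertion></samlp:Response>')


def post_binding_field(response_xml):
    """HTTP-POST binding: the Response rides base64-encoded in the SAMLResponse form field."""
    return base64.b64encode(response_xml.encode()).decode()


def consume_response(saml_response_field, expected_request_id, now):
    """SP role: checks applied before any statement in the assertion is trusted.
    Assumed precondition: the XML Signature over the Response/Assertion has already been
    verified against the IdP's known certificate; that step needs a signature library."""
    root = ET.fromstring(base64.b64decode(saml_response_field))
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("response does not answer an outstanding request (replay or unsolicited)")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("response addressed to a different endpoint")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    if assertion.find("saml:Issuer", NS).text != IDP_ENTITY_ID:
        raise ValueError("assertion issued by an unexpected IdP")
    cond = assertion.find("saml:Conditions", NS)
    not_before = datetime.strptime(cond.get("NotBefore"), TS_FMT).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), TS_FMT).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_after):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was issued for a different service provider")
    attrs = {a.get("Name"): a.find("saml:AttributeValue", NS).text
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": assertion.find("saml:Subject/saml:NameID", NS).text, "attributes": attrs}


def run_flow(now=DEMO_NOW, consume_delay_minutes=0):
    """Drive the exchange end to end: client -> SP -> IdP -> client -> SP."""
    request_id = "_" + uuid.uuid4().hex
    url = redirect_binding_url(build_authn_request(request_id, now))  # SP redirects the client
    authn_request = decode_redirect_binding(url)                      # IdP reads the request
    attrs = {"email": "alice@example.test", "group": "staff"}         # constructed user data
    field = post_binding_field(build_response(authn_request, "alice", attrs, now))  # IdP -> client
    return consume_response(field, request_id, now + timedelta(minutes=consume_delay_minutes))


if __name__ == "__main__":
    print(run_flow())
```

Running the script prints the NameID and attributes the SP would hand to its own session logic. Passing `consume_delay_minutes=10` makes the SP receive the same Response after its five-minute window has closed, and `consume_response` rejects it; the same function also rejects a Response that carries the wrong InResponseTo, Destination or Audience, which is how a relying party stops a valid assertion for one site being replayed against another. Note that the browser carries every message here; the SP and IdP never talk to each other directly, matching the flow shown in the video.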

Reflect and share: If you are using the SAML process, what has your experience been like? What are some challenges you have experienced? If you aren’t using SAML, but would like to, explain why and how this process will benefit your context. Share with your fellow learners.

This article is from the free online

Cyber Security Foundations: Reinforcing Identity and Access Management

Created by
FutureLearn - Learning For Life
