SAML is an XML-based framework for generating and exchanging security information between parties that already know of one another. It is used to provide web-based SSO beyond the boundaries of a single intranet.
SAML defines several request-response protocols, each named for the action it is used to perform.
This article discusses four SAML protocols:
- Authentication Request Protocol: gives the Service Provider the ability to request a SAML response on behalf of a user or principal.
- Artifact Resolution Protocol: allows the Service Provider and Identity Provider to communicate directly with each other without a principal involved.
- Single Logout Protocol: lets the IdP log a user out of the other sessions established during SAML login.
- Name Identifier Management Protocol: lets the IdP (or SP) change a principal's name identifier or retire it.
AUTHENTICATION REQUEST PROTOCOL
With SAML 1.1, the IdP sent an unsolicited response to a Service Provider (SP), and the SP had no control over initiating the authentication process. With the advent of SAML 2.0, the Service Provider can initiate the request for authentication via the Authentication Request Protocol.
Authentication Request Protocol – used by a Service Provider to request the authentication of a user by the IdP.
When a Service Provider wants to acquire a SAML assertion on behalf of a user seeking access to a protected resource, the SP sends an Authentication Request, or more precisely a <samlp:AuthnRequest> element, which asks the IdP for an assertion containing an authentication statement.
This is an example of a complete authentication request:
You can see from the <saml:Issuer> element that this request was issued by the Service Provider (https://rp.monopoly.com/SAML2). The request is delivered to the IdP via the browser. The Identity Provider authenticates the user that originated the request and issues an authentication response, which is sent back to the Service Provider (again via the browser).
ARTIFACT RESOLUTION PROTOCOL
A SAML message can be delivered between an IdP and an SP either by value or by reference. With the Authentication Request Protocol, the SAML message itself is delivered, i.e. by value. With the Artifact Resolution Protocol the message is delivered by reference, and that reference is called an artifact. An artifact reference is resolved by sending a <samlp:ArtifactResolve> request directly to the entity that issued the artifact. This is when the actual SAML response referenced by the artifact is sent to the receiver.
Here is an example of a request that an IdP may send directly to an SP. The element in question is <samlp:ArtifactResolve>; it is sent directly to the SP and not through the client's web browser.
The Service Provider will respond with the SAML element referenced by the enclosed artifact.
SINGLE LOGOUT PROTOCOL
A local session is established at the IdP during the SAML login process, and a further session is established for each SP the user gains access to. Because the IdP knows about all of the sessions the user has established, when the user logs out of one session the IdP can use the Single Logout Protocol to log the user out of the other sessions automatically. This is achieved using the <LogoutRequest> and <LogoutResponse> messages.
NAME IDENTIFIER MANAGEMENT
Once the IdP has established the "name identifier" for a principal or user, it can, if need be, use the Name Identifier Management Protocol to change the value of the identifier or even specify that the identifier will no longer be used. The IdP uses the <ManageNameIDRequest> message to perform this action. An SP can also use this message to change the SPProviderID or to stop using a name identifier with the IdP.
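As an added example (not code from the article), the following Python builds the SP-initiated <samlp:AuthnRequest> described in the Authentication Request section and classifies an incoming message into one of the four protocols above by its root element, using a constructed <samlp:ArtifactResolve> as sample input. The IdP URLs, the ACS URL and the artifact value are made-up placeholders.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Root element of a protocol message -> the protocol it belongs to.
PROTOCOLS = {
    "AuthnRequest": "Authentication Request Protocol",
    "ArtifactResolve": "Artifact Resolution Protocol",
    "LogoutRequest": "Single Logout Protocol",
    "LogoutResponse": "Single Logout Protocol",
    "ManageNameIDRequest": "Name Identifier Management Protocol",
}

def build_authn_request(issuer, destination, acs_url):
    """Return (request_id, xml_bytes) for an SP-initiated <samlp:AuthnRequest>.
    ID is an xs:ID and must not start with a digit; the SP keeps it to match
    the InResponseTo attribute of the IdP's response later."""
    req_id = "_" + secrets.token_hex(16)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,               # the IdP's SSO endpoint (assumed)
        "AssertionConsumerServiceURL": acs_url,   # where the IdP sends its response
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return req_id, ET.tostring(req, encoding="utf-8")

def classify(xml_bytes):
    """Return (protocol name, issuer) for a SAML 2.0 protocol message."""
    root = ET.fromstring(xml_bytes)
    ns, _, local = root.tag.rpartition("}")
    if ns != "{" + SAMLP:
        raise ValueError("not a SAML 2.0 protocol message: " + root.tag)
    return PROTOCOLS.get(local, "unknown"), root.findtext(f"{{{SAML}}}Issuer")

# Constructed sample of the back-channel request; the artifact value is made up.
SAMPLE_ARTIFACT_RESOLVE = b"""<samlp:ArtifactResolve
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3d4e5f60718293a4b5c6d7e8f90" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <samlp:Artifact>AAQAAExampleArtifactValueNotReal==</samlp:Artifact>
</samlp:ArtifactResolve>"""
```

Calling build_authn_request("https://rp.monopoly.com/SAML2", "https://idp.example.org/SAML2/SSO", "https://rp.monopoly.com/SAML2/ACS") yields a request whose Issuer is the SP from the article, and classify() on the output returns the Authentication Request Protocol.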