SAML
SAML Assertion/SAML Protocol/SAML Binding/SAML Profile
SAML Assertion
SAML Assertion Statement
- Authentication Statement
- Attribute Statement
- Authorization Statement
SAML protocols
A SAML protocol describes how certain SAML elements (including assertions) are packaged within SAML request and response elements, and gives the processing rules that SAML entities must follow when producing or consuming these elements. For the most part, a SAML protocol is a simple request-response protocol.
Corresponding to the three types of statements, there are three types of SAML queries:
- Authentication query
- Attribute query
- Authorization decision query
Of these, the attribute query is perhaps the most important. The result of an attribute query is a SAML response containing an assertion, which itself contains an attribute statement.
SAML 2.0 protocols
SAML 2.0 expands the notion of protocol considerably. The following protocols are described in detail in SAML 2.0 Core:
- Assertion Query and Request Protocol
- Authentication Request Protocol
- Artifact Resolution Protocol
- Name Identifier Management Protocol
- Single Logout Protocol
- Name Identifier Mapping Protocol
SAML bindings
A SAML binding is a mapping of a SAML protocol message onto standard messaging formats and/or communications protocols. For example, the SAML SOAP binding specifies how a SAML message is encapsulated in a SOAP envelope, which itself is bound to an HTTP message.
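The layering described above (an attribute query as the protocol message, the SOAP envelope as the binding, and an attribute statement inside the returned assertion) is sketched below as an added example, not code from the original page. The function names, entity URLs and sample values are assumptions made for illustration, and signature validation, which must come before any attribute is trusted, is not shown.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def q(prefix, tag):
    return f"{{{NS[prefix]}}}{tag}"

def attribute_query_over_soap(query_id, issuer, name_id, instant):
    """Protocol layer: an AttributeQuery. Binding layer: the SOAP envelope around it."""
    env = ET.Element(q("soap", "Envelope"))
    body = ET.SubElement(env, q("soap", "Body"))
    query = ET.SubElement(body, q("samlp", "AttributeQuery"),
                          {"ID": query_id, "Version": "2.0", "IssueInstant": instant})
    ET.SubElement(query, q("saml", "Issuer")).text = issuer
    subject = ET.SubElement(query, q("saml", "Subject"))
    ET.SubElement(subject, q("saml", "NameID")).text = name_id
    return ET.tostring(env, encoding="unicode")

def attributes_from_soap_response(soap_xml, expected_query_id):
    """Unwrap the binding, check the protocol response, read the attribute statement."""
    resp = ET.fromstring(soap_xml).find("soap:Body/samlp:Response", NS)
    if resp is None or resp.get("InResponseTo") != expected_query_id:
        raise ValueError("no samlp:Response answering our query in the SOAP body")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("query was not successful")
    attrs = {}
    for a in resp.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attrs.setdefault(a.get("Name"), []).extend(
            v.text for v in a.findall("saml:AttributeValue", NS))
    return attrs

# Constructed sample response; unsigned, so nothing here validates a signature.
SAMPLE_RESPONSE = f"""<soap:Envelope xmlns:soap="{NS['soap']}"><soap:Body>
<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" InResponseTo="_q1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"><saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="role"><saml:AttributeValue>staff</saml:AttributeValue><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement></saml:Assertion></samlp:Response></soap:Body></soap:Envelope>"""
```

Rejecting a response whose `InResponseTo` does not match the outstanding query ID keeps an unsolicited or replayed response from being accepted as the answer.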
SAML 2.0 bindings
SAML 2.0 completely separates the binding concept from the underlying profile. In fact, there is a brand new binding specification in SAML 2.0 that defines the following standalone bindings:
- SAML SOAP Binding (based on SOAP 1.1)
- Reverse SOAP (PAOS) Binding
- HTTP Redirect (GET) Binding
- HTTP POST Binding
- HTTP Artifact Binding
- SAML URI Binding
SAML Profile
A SAML profile describes in detail how SAML assertions, protocols and bindings combine to support a defined use case. The most important SAML profile is the SAML Web SSO Profile.
SAML 2.0 Profiles
- SSO Profiles
  - Web Browser SSO Profile
  - Enhanced Client or Proxy (ECP) Profile
  - Identity Provider Discovery Profile
  - Single Logout Profile
  - Name Identifier Management Profile
- Artifact Resolution Profile
- Assertion Query/Request Profile
- Name Identifier Mapping Profile
- SAML Attribute Profiles