SAML 1.1


Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between security domains. SAML is a product of the OASIS Security Services Technical Committee.

SAML 1.1 was ratified as an OASIS standard in September 2003. The critical aspects of SAML 1.1 are covered in detail in the official documents SAMLCore and SAMLBind. If you are new to SAML, you should probably read the introductory SAML topic first, and then the SAMLOverview document from OASIS.

Prior to SAML 1.1, SAML 1.0 was adopted as an OASIS standard in November 2002. SAML has undergone one minor (V1.1) and one major revision (V2.0) since V1.0, which itself is a relatively simple protocol. SAML 1.0 is of more than historical interest, however, since the US Federal E-Authentication Initiative has adopted SAML 1.0 as its core technology.

Fortunately, versions 1.0 and 1.1 of SAML are similar. See SAMLDiff for specific differences between the two standards. This article concentrates on SAML 1.1 since it is an important standard upon which many other standards and implementations depend.

Warning: Implementers and deployers should note well that all code examples in this article are non-normative and for illustration purposes only. Consult the OASIS SAML specifications for normative requirements.

SAML assertions contain statements that service providers use to make access control decisions. For instance, authentication statements assert to the service provider that the principal did indeed authenticate with the identity provider at a particular time using a particular method of authentication. Other information about the principal may be disclosed in an authentication statement. For example, in the authentication statement below, the e-mail address of the principal is asserted to the service provider:

An e-mail address (as in the above example) will suffice in a large number of situations. In some cases, however, additional information is needed before a service provider can make an access control decision. As an example, suppose that students are allowed to access scholarships data. An attribute statement can indicate whether or not the principal has an affiliation of "student", which the service provider uses to allow or deny access to the scholarships application accordingly:
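As an added example that is not part of the original article, the following Python relying-party check evaluates a constructed SAML 1.1 assertion of the shape described above: it enforces the Conditions validity window and audience restriction, requires an authentication statement, and then reads the eduPersonAffiliation attribute to decide scholarships access. The issuer, audience, e-mail address and attribute values are constructed; the assertion's XML signature is assumed to have been verified by the caller beforehand, since ElementTree neither checks signatures nor hardens against hostile XML.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}  # namespace shared by SAML 1.0 and 1.1

# Constructed sample (hypothetical issuer and audience): an authentication statement whose
# NameIdentifier is an e-mail address, plus an attribute statement asserting "student".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" AssertionID="_constructed-id-1"
  Issuer="https://idp.example.org/saml" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:10:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.com/scholarships</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2024-01-01T11:59:30Z">
    <saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@mail.example.org</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@mail.example.org</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="eduPersonAffiliation" AttributeNamespace="urn:mace:dir:attribute-def">
      <saml:AttributeValue>student</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_utc(s):
    # Timestamps in the sample use the xsd:dateTime UTC form with a trailing Z.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate(xml_text, audience, now):
    """Decide scholarships access from a SAML 1.1 assertion; returns (allow, reason)."""
    a = ET.fromstring(xml_text)
    if (a.get("MajorVersion"), a.get("MinorVersion")) != ("1", "1"):
        return False, "not a SAML 1.1 assertion"
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < parse_utc(nb)) or (na and now >= parse_utc(na)):  # NotOnOrAfter is exclusive
            return False, "assertion outside validity window"
        auds = [x.text for x in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
        if auds and audience not in auds:
            return False, "audience mismatch"
    if a.find("saml:AuthenticationStatement", NS) is None:
        return False, "no authentication statement"
    affiliations = {v.text for v in a.findall("saml:AttributeStatement/saml:Attribute[@AttributeName='eduPersonAffiliation']/saml:AttributeValue", NS)}
    if "student" in affiliations:
        return True, "student affiliation asserted"
    return False, "no student affiliation"
```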
