The Security Assertion Markup Language (SAML) standard is an XML token framework for creating, requesting, and exchanging security assertions between software entities on the Web.
This framework specifies how SAML assertions and protocols may be used to provide the following:
- The exchange of identity information in web services security
SAML was developed by the Organization for the Advancement of Structured Information Standards (OASIS).
The Security Assertion Markup Language (SAML) enables cross-platform authentication between Web applications or Web services. When users are authenticated at one site that participates in a single sign-on (SSO) configuration, they are automatically authenticated at other sites in the SSO configuration and do not need to log in separately.
The following steps describe a typical scenario that shows how SAML SSO works.
- A Web user attempts to access a target resource at a site that is configured to accept authentications through SAML assertions. When configuring SAML 1.1, this site is called the destination site. In SAML 2.0, this site is called the Service Provider.
- The Service Provider determines that the user's credentials need to be authenticated by a central site that can generate a SAML assertion for that user. The Service Provider redirects the authentication request to that central site.
- The user logs in to the Identity Provider site, typically via a login web application hosted by that site. The Identity Provider authenticates the user, and generates a SAML assertion. In SAML 1.1, the site that generates the SAML assertion is called the source site. In SAML 2.0, this site is the Identity Provider. In both SAML versions, this site is sometimes called a SAML Authority.
- Information about the SAML assertion provided by the Identity Provider and associated with the user and the desired target is conveyed from the Identity Provider site to the Service Provider site by the protocol exchange.
- Through a sequence of HTTP exchanges, the user's browser is transferred to an Assertion Consumer Service (ACS) at the Service Provider site. The WebLogic Server SAML Identity Assertion provider makes up a portion of the ACS.
- The Identity Assertion provider maps the identity contained in the assertion to a Subject in the local security realm. The access policies on the requested target are evaluated to determine whether the user is authorized for that target. If access is authorized, the user authenticated by the Identity Provider site is accepted as an authenticated user by the Service Provider site, thereby achieving Web-based SSO.
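The last two steps, seen from the Service Provider side, as an added example that is not WebLogic Server code: a sketch of the checks an ACS applies to a SAML 2.0 assertion before mapping the asserted identity to a local subject. The entity IDs, the user mapping and the sample assertion are constructed for illustration, and the example assumes the assertion's XML signature has already been verified by a vetted library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (signature omitted; all names are hypothetical).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

TRUSTED_ISSUER = "https://idp.example.com"    # hypothetical Identity Provider
SP_ENTITY_ID = "https://sp.example.com"       # hypothetical Service Provider
LOCAL_USERS = {"alice@example.com": "alice"}  # hypothetical local realm mapping

def _ts(value):
    """Parse a UTC xs:dateTime without fractional seconds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def consume_assertion(xml_text, now):
    """Return the local user for an acceptable assertion, else raise ValueError.

    Assumption: the XML signature was verified before this function is called.
    """
    if "<!DOCTYPE" in xml_text:  # refuse DTDs to avoid entity-expansion tricks
        raise ValueError("DTDs are not allowed in assertions")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("missing validity conditions")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not addressed to this Service Provider")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id not in LOCAL_USERS:
        raise ValueError("no local subject for asserted identity")
    return LOCAL_USERS[name_id]  # authorization policy is evaluated after this
```

The issuer, validity-window and audience checks are what keep an assertion minted for another Service Provider, or replayed after expiry, from being accepted here.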