SAML is an XML-based language for making security-related assertions about a security principal - some entity (often a human being) having an identity that can be authenticated. SAML also specifies protocols that use the language to perform tasks such as Web browser-based single sign-on (SSO) and data attribute exchange (including for the purposes of authorization).
In November 2002 OASIS announced the Security Assertion Markup Language V1.0 specification as an OASIS Standard. SAML 2.0 was standardized in March 2005.
SAML is widely implemented - in the identity and access management products of technology vendors including HP, IBM, Microsoft, Novell, Oracle, RSA and Sun Microsystems; in open source tools and products such as ZXID, Shibboleth, OpenSSO and Lasso; and integrated into the products of companies such as Google ("Google Apps For Domains").
SAML assertions contain statements about a subject. The subject is named with an identifier, such as an email address or another URI (sometimes even a URL):
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
        email@example.com
      </saml:NameID>
    </saml:Subject>
and contains statements about that subject, often one of the following:
    <saml:AuthnStatement AuthnInstant="2007-12-01T12:00:00Z" SessionIndex="67775277772">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>
          urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
This says: "firstname.lastname@example.org authenticated at 2007-12-01T12:00:00Z using a username and password, via HTTPS."
    <saml:AttributeStatement>
      <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                      xmlns:xs="http://www.w3.org/2001/XMLSchema"
                      x500:Encoding="LDAP"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                      Name="urn:oid:2.5.4.42"
                      FriendlyName="givenName">
        <saml:AttributeValue xsi:type="xs:string">John</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
This says (roughly): "John Doe's given name is 'John'." (The attribute Name is the X.520 OID for givenName, 2.5.4.42; the xsi and xs namespace declarations are needed for the xsi:type attribute to resolve.)
Other statement types are supported, and the statement type itself is extensible for those who wish to create statements beyond those specified in SAML.
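As an added example (not part of the original text), the following Python parses an assertion built from the three fragments above with the standard xml.etree module, extracts the subject, authentication statement and attributes a relying party would act on, and applies one basic sanity check: the AuthnInstant must be recent and not in the future. The sample assertion is constructed, the 300-second freshness window is an assumed policy value, and XML signature verification, which a relying party must perform before trusting any of these values, is out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion combining the Subject, AuthnStatement and
# AttributeStatement fragments shown above (givenName OID is X.520 2.5.4.42).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">email@example.com</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2007-12-01T12:00:00Z" SessionIndex="67775277772">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
      <saml:AttributeValue xsi:type="xs:string">John</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    # SAML dateTime values such as 2007-12-01T12:00:00Z -> timezone-aware datetime
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_assertion(xml_text):
    """Pull the subject, authentication statement and attributes out of an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    authn = root.find("saml:AuthnStatement", NS)
    ctx = authn.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        attrs[key] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id.text.strip(), "name_id_format": name_id.get("Format"),
            "authn_instant": _ts(authn.get("AuthnInstant")),
            "session_index": authn.get("SessionIndex"),
            "authn_context": ctx.text.strip(), "attributes": attrs}


def is_fresh(parsed, now_iso, max_age_seconds=300):
    """Relying-party check: AuthnInstant must be recent and must not lie in the future."""
    age = _ts(now_iso) - parsed["authn_instant"]
    return timedelta(0) <= age <= timedelta(seconds=max_age_seconds)
```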
SAML specifies several protocols for transporting security assertions, binds these protocols to standard messaging formats (such as SOAP or HTTP POST entity bodies), and profiles in detail how they are used to solve common use cases (such as Web browser-based single sign-on and data attribute exchange).
The most common usage of SAML is for performing Web browser-based single sign-on, where an identity provider makes an authentication statement about a user who has an account with the identity provider to a relying party (known also as a service provider).
In such a scenario, the identity provider may include other statements in the assertion, such as data attribute statements about the user.
SAML can also be used to set up and configure account linking, where both the relying party and the identity provider maintain accounts for the user. For example, an online bookstore wants to store your reading preferences in order to make book recommendations, but accepts assertions from your ISP as to your authenticated status, based on your ISP account. SAML also offers standard ways of establishing these relationships via SAML metadata.
Via authentication context, SAML provides a standard means of representing how a user authenticated.
There are many other uses for SAML beyond those described here.