SAML 2.0 (Security Assertion Markup Language) is the protocol that makes single sign-on possible: you authenticate only once to your home university (the Identity Provider, IP) and can then log in to the applications of all Service Providers (SPs) without having to type in a password again.

When a user logs in, this is basically what happens:

  1. The SP sends a SAML message to the IP, asking to authenticate the user.
  2. The IP asks the user for a username and password (other ways of authentication can also be used).
  3. If the credentials are correct, the IP sends a SAML authentication response back to the SP stating that the user has logged in successfully, together with proof that the message was sent by the IP.

To get an idea of how SAML functions, you could install the Firefox plugin SAML tracer. It adds a viewer window that decodes and shows the SAML messages exchanged by the browser.

Example

Below is an example with Google Apps as SP, My University as IP and Alice as student.

1. Alice wants to read her mail and goes to a webpage like https://mail.google.com/a/my-university.nl.

2. Google Apps generates a SAML request.

3. Google redirects the browser to the IP for authentication, which may look like this (abbreviated):

https://idp.uni.nl/sso?SAMLRequest=fVLLTuswEN0j8Q...c%3D

Embedded in the redirection is a SAML authentication request message. This message is compressed (to save space in the URL) and encoded (because some characters are not allowed in URLs). Aside from the compression and encoding, the SAML message could look like this (simplified):

<AuthnRequest ID="kfcn...lfki"
 Version="2.0"
 IssueInstant="2013-02-05T08:28:50Z"
 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 ProviderName="google.com"
 AssertionConsumerServiceURL="https://www.google.com/a/uni.nl/acs">
 <Issuer>google.com</Issuer>
 <NameIDPolicy AllowCreate="true"
  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</AuthnRequest>
In plain English, this message more or less reads: "This is a request from Google. Please authenticate the user sending this message and send the result back to Google."

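The compression and encoding described above, as an added example that is not part of the original article: the SAML HTTP-Redirect binding specifies raw DEFLATE compression, base64 encoding and then URL-encoding of the SAMLRequest parameter. The Python script below (standard library only) builds such a redirect URL from the article's simplified AuthnRequest the way an SP does, and decodes it again the way SAML tracer does. The SSO endpoint https://idp.uni.nl/sso is taken from the abbreviated redirect above; the RelayState value is a constructed sample.

```python
import base64
import zlib
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Simplified AuthnRequest from the article, used here as constructed sample input.
AUTHN_REQUEST = """<AuthnRequest ID="kfcn...lfki"
 Version="2.0"
 IssueInstant="2013-02-05T08:28:50Z"
 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 ProviderName="google.com"
 AssertionConsumerServiceURL="https://www.google.com/a/uni.nl/acs">
 <Issuer>google.com</Issuer>
 <NameIDPolicy AllowCreate="true"
  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</AuthnRequest>"""

# SSO endpoint as it appears in the article's abbreviated redirect URL.
IDP_SSO_URL = "https://idp.uni.nl/sso"


def encode_redirect_param(xml: str) -> str:
    """Compress with raw DEFLATE (no zlib header/trailer) and base64-encode.

    The third layer, URL-encoding, is applied by urlencode() in build_redirect_url().
    """
    compressor = zlib.compressobj(level=9, wbits=-15)  # negative wbits = raw DEFLATE
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def build_redirect_url(sso_url: str, xml: str, relay_state: Optional[str] = None) -> str:
    """Build the URL the SP redirects the browser to (SAMLRequest plus optional RelayState)."""
    params = {"SAMLRequest": encode_redirect_param(xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{sso_url}?{urlencode(params)}"


def decode_saml_request(url: str) -> str:
    """Reverse the three layers: URL-decode, base64-decode, inflate."""
    query = parse_qs(urlsplit(url).query)  # parse_qs URL-decodes the values
    if "SAMLRequest" not in query:
        raise ValueError("no SAMLRequest parameter in URL")
    raw = base64.b64decode(query["SAMLRequest"][0], validate=True)
    return zlib.decompress(raw, wbits=-15).decode("utf-8")


if __name__ == "__main__":
    # Constructed RelayState: the page Alice originally asked for.
    url = build_redirect_url(IDP_SSO_URL, AUTHN_REQUEST, "https://mail.google.com/a/my-university.nl")
    print(url)
    print(decode_saml_request(url))
```

Running the block prints a redirect URL of the same shape as the abbreviated one in the article and then the AuthnRequest recovered from it; the same `decode_saml_request` logic is what a tracer applies to a captured URL.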

4. The IP receives this message and will authenticate Alice by asking her name and password.

5. After successful authentication, the IP generates an authentication response, and Alice's browser is sent back to Google at the AssertionConsumerService URL (step 6).

6. The IP sends an encoded SAML response, via the browser, to Google. Decoded, the message looks like this (simplified):

<Response
 Version="2.0"
 IssueInstant="2013-02-05T08:29:00Z"
 Destination="https://www.google.com/a/my.uni.nl/acs"
 InResponseTo="kfcn...lfki">
 <Issuer>https://idp.uni.nl/</Issuer>
 <Status>
  <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
 </Status>
 <Assertion Version="2.0" IssueInstant="2013-02-05T08:29:00Z">
  <Issuer>https://idp.uni.nl/</Issuer>
  <Subject>
   <NameID>alice</NameID>
   <SubjectConfirmation ...>
    <SubjectConfirmationData
     NotOnOrAfter="2013-02-05T08:34:00Z"
     Recipient="https://www.google.com/a/my.uni.nl/acs"
     InResponseTo="kfcn...lfki"/>
   </SubjectConfirmation>
  </Subject>
  <Conditions
   NotBefore="2013-02-05T08:28:30Z"
   NotOnOrAfter="2013-02-05T08:34:00Z">
  </Conditions>
  <AuthnStatement
   AuthnInstant="2013-02-05T08:29:00Z"
   SessionNotOnOrAfter="2013-02-05T16:29:00Z">
  </AuthnStatement>
 </Assertion>
</Response>


In essence, it means: "This is a message from idp.uni.nl. I have successfully authenticated a user called 'alice'. This message will expire in a couple of minutes."
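What the SP has to check before it trusts this message, as an added example that is not part of the original article: a Python validator run over the simplified Response above. It checks that both issuers are the expected IP, that the status is Success, that InResponseTo matches a request ID the SP remembers sending, that Destination and the bearer Recipient are the SP's own AssertionConsumerService URL, and that the NotBefore/NotOnOrAfter windows contain the current time; when everything passes it consumes the request ID, so a second copy of the same response is rejected. The sample XML is the article's Response with the abbreviated `<SubjectConfirmation ...>` attributes left out. Verifying the IP's signature (the proof mentioned earlier) has to happen before these checks; it is not shown because the simplified XML carries no Signature element.

```python
from datetime import datetime, timezone
from typing import List, Set
import xml.etree.ElementTree as ET

# Simplified Response from the article, used here as constructed sample input.
# The article abbreviates <SubjectConfirmation ...>; its attributes are omitted.
SAML_RESPONSE = """<Response Version="2.0" IssueInstant="2013-02-05T08:29:00Z"
 Destination="https://www.google.com/a/my.uni.nl/acs"
 InResponseTo="kfcn...lfki">
 <Issuer>https://idp.uni.nl/</Issuer>
 <Status>
  <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
 </Status>
 <Assertion Version="2.0" IssueInstant="2013-02-05T08:29:00Z">
  <Issuer>https://idp.uni.nl/</Issuer>
  <Subject>
   <NameID>alice</NameID>
   <SubjectConfirmation>
    <SubjectConfirmationData NotOnOrAfter="2013-02-05T08:34:00Z"
     Recipient="https://www.google.com/a/my.uni.nl/acs"
     InResponseTo="kfcn...lfki"/>
   </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2013-02-05T08:28:30Z" NotOnOrAfter="2013-02-05T08:34:00Z">
  </Conditions>
  <AuthnStatement AuthnInstant="2013-02-05T08:29:00Z"
   SessionNotOnOrAfter="2013-02-05T16:29:00Z">
  </AuthnStatement>
 </Assertion>
</Response>"""

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def saml_time(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml: str, expected_issuer: str, acs_url: str,
                      outstanding_ids: Set[str], now: datetime) -> List[str]:
    """Return a list of problems; an empty list means the response is acceptable.

    Assumes the XML signature has already been verified; the simplified sample has none.
    """
    problems: List[str] = []
    root = ET.fromstring(xml)
    if root.tag != "Response":
        return ["root element is not a Response"]
    assertion = root.find("Assertion")

    # 1. Who says so? Both the Response and the Assertion name their issuer.
    for elem in (root, assertion):
        issuer = elem.findtext("Issuer") if elem is not None else None
        if issuer != expected_issuer:
            problems.append(f"unexpected issuer {issuer!r}")

    # 2. Did the login actually succeed?
    status = root.find("Status/StatusCode")
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")

    # 3. Is this the answer to a request we sent, and the first answer to it?
    in_response_to = root.get("InResponseTo")
    if in_response_to not in outstanding_ids:
        problems.append(f"InResponseTo {in_response_to!r} does not match an outstanding request")

    # 4. Was the message meant for this SP's endpoint?
    if root.get("Destination") != acs_url:
        problems.append("Destination is not our AssertionConsumerService URL")

    if assertion is None:
        problems.append("no Assertion")
        return problems

    # 5. Bearer confirmation: recipient, request id and expiry of the confirmation data.
    scd = assertion.find("Subject/SubjectConfirmation/SubjectConfirmationData")
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("SubjectConfirmationData Recipient mismatch")
        if scd.get("InResponseTo") != in_response_to:
            problems.append("SubjectConfirmationData InResponseTo mismatch")
        if now >= saml_time(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmationData has expired")

    # 6. Validity window of the assertion itself ("expires in a couple of minutes").
    cond = assertion.find("Conditions")
    if cond is None:
        problems.append("no Conditions")
    else:
        if now < saml_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if now >= saml_time(cond.get("NotOnOrAfter")):
            problems.append("assertion has expired")

    if not problems:
        # Consume the request id so a replayed copy of this response is rejected.
        outstanding_ids.discard(in_response_to)
    return problems


if __name__ == "__main__":
    pending = {"kfcn...lfki"}  # request ids this SP has sent and not yet seen answered
    print(validate_response(SAML_RESPONSE, "https://idp.uni.nl/",
                            "https://www.google.com/a/my.uni.nl/acs",
                            pending, saml_time("2013-02-05T08:30:00Z")))
```

The clock is passed in rather than read from the system so the article's 2013 timestamps can be checked deterministically; in production `now` is the current UTC time, usually with a small tolerance for clock skew between IP and SP.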
