Computer System Security – SAML

SAML (Security Assertion Markup Language) is an XML-based standard, developed by OASIS, used to make and request assertions about objects. It is normally used in distributed, multi-domain environments to simplify the interactions needed to grant or request access to a resource.


SAML has several versions:

  • 1.0 (2002)
  • 1.1 (2003)
  • 2.0 (2005)

Version 1.1 provides:
– message protection with XML digital signature (XML-DSig),
– the browser/artifact profile (SAML token passed by reference),
– the browser/POST profile (SAML token passed by value).

Version 2.0 provides:
– no backward compatibility with 1.x,
– the same message protection with XML digital signature (XML-DSig),
– message encryption (XML-Enc) of identifiers, attributes and assertions,
– new transport protocols,
– new protocol bindings,
– new profiles.


Let us see this scenario:

1- A user wants to use a service provided by a certain Service Provider (SP).
2- Before the service can be accessed, authentication is required, and the user decides to authenticate through a third-party web site, which represents the Identity Provider (IdP).
3- The user authenticates at the IdP, and the IdP releases an assertion for the SP, carried in a token, stating that the user authenticated successfully.

+ SAML is used to authenticate the user
+ SAML is used to transport the assertion


Let us see this scenario:

1- A user wants to access a resource.
2- A Policy Enforcement Point (PEP) protects this resource and asks the Policy Decision Point (PDP) whether to grant or deny the access.
3- The PDP's response, which is the authorization decision assertion, is transported as a SAML assertion, with message protection through digital signature (XML-DSig).


Let us see this scenario:

1- A user wants to purchase an item at a certain vendor web site.
2- The user asks an authority, known to both parties, to perform authentication and authorization for the purchase; authentication, however, is not always needed (see 3-).
3- The purpose of the authority is to release SAML assertions; it is used less for authentication (the user can be anonymous for the purchase) than for authorization.


The assertion is:

  • what? a declaration,
  • about what? a fact/resource,
  • for who? a subject.

The types of an assertion are:

  • authentication
  • attributes
  • authorization decision


  1. The SAML assertion is extensible because it inherits this capability from XML.
  2. The SAML assertion contains:
    1. the issuer identifier
    2. the timestamp of creation (date and time)
    3. the assertion identifier
    4. the subject (name and domain)
    5. some conditions under which it is valid
    6. the validity period
    7. some additional information


// To-Do


Typically, a SAML protocol element is used to transport an assertion. Let us focus on two types of protocol elements to distinguish their different roles.

If the protocol element is of type response, then it contains the assertion itself.

If the protocol element is of type request, the Relying Party (the consumer) sends a request to the Asserting Party (the producer). The latter then releases the assertion and sends it back to the Relying Party.

Relying Party -> Asserting Party: send the request,
Asserting Party -> Relying Party: reply with the response.
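The request/response exchange above, together with the assertion fields listed earlier (issuer, creation timestamp, assertion identifier, subject, conditions, validity period), as an added example written for these notes and not taken from the OASIS specification or any SAML library. It uses the standard SAML 2.0 namespaces; the entity identifiers, the subject names, the clock value and the five-minute lifetime are constructed. The Relying Party side shows the checks a consumer performs before trusting an assertion: the response must answer an outstanding request (InResponseTo), come from the expected issuer, be inside its validity window, name this service as audience, and not have been consumed before. Verification of the XML-DSig signature the notes require is outside the scope of the example and only marked where it belongs.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# SAML 2.0 namespaces for protocol elements and assertions.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed entity identifiers for the two parties (assumptions, not from the notes).
IDP_ENTITY_ID = "https://idp.example.org/metadata"  # Asserting Party (producer)
SP_ENTITY_ID = "https://sp.example.com/metadata"    # Relying Party (consumer)


def _ts(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _new_id() -> str:
    return "_" + secrets.token_hex(16)  # an XML ID must start with a letter or underscore


def build_authn_request(now: datetime) -> tuple:
    """Relying Party -> Asserting Party: the request protocol element."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest",
                     {"ID": _new_id(), "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return req.get("ID"), ET.tostring(req, encoding="unicode")


def build_response(request_xml: str, name_id: str, now: datetime,
                   lifetime: timedelta = timedelta(minutes=5)) -> str:
    """Asserting Party -> Relying Party: a Response carrying an authentication assertion."""
    req = ET.fromstring(request_xml)
    resp = ET.Element(f"{{{SAMLP}}}Response", {"ID": _new_id(), "Version": "2.0",
                      "IssueInstant": _ts(now), "InResponseTo": req.get("ID")})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion",
                      {"ID": _new_id(), "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID            # issuer identifier
    ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = name_id
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions",                       # validity period
                         {"NotBefore": _ts(now), "NotOnOrAfter": _ts(now + lifetime)})
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")            # intended consumer
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = SP_ENTITY_ID
    ET.SubElement(a, f"{{{SAML}}}AuthnStatement", {"AuthnInstant": _ts(now)})
    # An XML-DSig <ds:Signature> over the assertion would be added here (not shown).
    return ET.tostring(resp, encoding="unicode")


class RelyingParty:
    """Consumer side: tracks outstanding requests and already-consumed assertion IDs."""

    def __init__(self):
        self.pending_requests = set()
        self.seen_assertions = set()

    def start_login(self, now: datetime) -> str:
        req_id, xml = build_authn_request(now)
        self.pending_requests.add(req_id)
        return xml

    def consume_response(self, response_xml: str, now: datetime) -> str:
        """Validate the response and return the authenticated subject's NameID."""
        resp = ET.fromstring(response_xml)
        # XML-DSig verification belongs here, before any field below is trusted.
        a = resp.find(f"{{{SAML}}}Assertion")
        if a is None:
            raise ValueError("response carries no assertion")
        if a.get("ID") in self.seen_assertions:
            raise ValueError("assertion replayed")
        if resp.get("InResponseTo") not in self.pending_requests:
            raise ValueError("response does not match an outstanding request")
        self.pending_requests.discard(resp.get("InResponseTo"))  # one response per request
        if a.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
            raise ValueError("assertion issued by an unexpected party")
        cond = a.find(f"{{{SAML}}}Conditions")
        if cond is None:
            raise ValueError("assertion without conditions")
        if not _parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter")):
            raise ValueError("assertion outside its validity period")
        if SP_ENTITY_ID not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
            raise ValueError("assertion not intended for this service provider")
        name_id = a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
        if not name_id:
            raise ValueError("assertion without subject")
        self.seen_assertions.add(a.get("ID"))
        return name_id


def demo() -> dict:
    """Run the exchange once, then feed the consumer a replay, an expired and an unsolicited response."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock
    rp = RelyingParty()
    response = build_response(rp.start_login(now), "alice@example.com", now)
    results = {"subject": rp.consume_response(response, now + timedelta(seconds=30))}
    cases = [("replay", response, now + timedelta(seconds=40)),
             ("expired", build_response(rp.start_login(now), "bob", now), now + timedelta(minutes=10)),
             ("unsolicited", build_response(build_authn_request(now)[1], "eve", now), now)]
    for label, xml, t in cases:
        try:
            results[label] = rp.consume_response(xml, t)
        except ValueError as err:
            results[label] = str(err)
    return results
```

The replay check is keyed on the assertion identifier, which is why the notes list it among the mandatory fields: a consumer that does not remember consumed IDs cannot distinguish a fresh assertion from a re-sent one within the validity period.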


To establish a trust relationship it is possible to:

1- adopt direct trust, using a push or pull ticket over an SSL/TLS secure channel;
2- adopt trust through public or shared keys, for an indirect ticket.


A SAML binding is the set of rules that defines what to transport and how.

In version 1.0 there was only SAML/SOAP-over-HTTP.
In version 2.0 there are:

  • the SAML SOAP binding, for backward compatibility;
  • the Reverse SOAP (PAOS) binding;
  • the HTTP redirect (GET) binding;
  • the HTTP POST binding;
  • the HTTP artifact binding;
  • the SAML URI binding.

The most widely used are the HTTP-based ones.
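The two HTTP bindings most often met in practice, as an added example written for these notes rather than code from OASIS or a SAML library: the HTTP redirect (GET) binding carries the message as the SAMLRequest query parameter after raw DEFLATE compression, base64 encoding and URL-encoding, while the HTTP POST binding carries it base64-encoded in a form field without compression. The receiver side caps the inflated size, because a compressed parameter a few hundred bytes long can otherwise expand to megabytes before the XML parser ever sees it. The sample request and the 64 KiB limit are constructed values.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode

# Constructed upper bound on the size of a decoded message (assumption, tune per deployment).
MAX_MESSAGE_BYTES = 64 * 1024


def encode_redirect(message_xml: str, relay_state: str = "") -> str:
    """HTTP Redirect (GET) binding: raw DEFLATE -> base64 -> URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(message_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_redirect(query_string: str) -> str:
    """Receiver side of the Redirect binding; refuses messages that inflate past the cap."""
    params = parse_qs(query_string, strict_parsing=True)
    deflated = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(deflated, MAX_MESSAGE_BYTES)
    # eof is False when output was cut at the cap; unconsumed_tail holds unprocessed input.
    if not inflater.eof or inflater.unconsumed_tail:
        raise ValueError("message inflates beyond %d bytes or is truncated" % MAX_MESSAGE_BYTES)
    return xml_bytes.decode("utf-8")


def encode_post(message_xml: str) -> str:
    """HTTP POST binding: base64 only, carried in a hidden form field (no DEFLATE step)."""
    return base64.b64encode(message_xml.encode("utf-8")).decode("ascii")


def decode_post(form_value: str) -> str:
    raw = base64.b64decode(form_value, validate=True)
    if len(raw) > MAX_MESSAGE_BYTES:
        raise ValueError("message exceeds %d bytes" % MAX_MESSAGE_BYTES)
    return raw.decode("utf-8")


# Constructed minimal request used for the round trips (not a real AuthnRequest).
SAMPLE_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                  'ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"/>')


def demo() -> dict:
    """Round-trip the sample through both bindings and check the inflation cap."""
    query = encode_redirect(SAMPLE_REQUEST, relay_state="/after-login")
    results = {
        "redirect_roundtrip": decode_redirect(query) == SAMPLE_REQUEST,
        "post_roundtrip": decode_post(encode_post(SAMPLE_REQUEST)) == SAMPLE_REQUEST,
    }
    # A highly compressible document: tiny on the wire, far above the cap when inflated.
    oversized = "<x>" + "A" * 300_000 + "</x>"
    try:
        decode_redirect(encode_redirect(oversized))
        results["oversize_rejected"] = False
    except ValueError:
        results["oversize_rejected"] = True
    return results
```

Because the redirect binding travels in a URL, its length budget is small, which is why compression is part of that binding and not of the POST binding; the same property is what makes bounding the inflated size worthwhile on the receiving side.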


A profile specifies exactly what has to be done for a given use case, combining assertions, protocol elements and bindings. Possible values are:

  • web browser profile
  • SOAP profile

