Security Assertion Markup Language
Security Assertion Markup Language (security assertion markup language, abbreviated designation SAML, reading： sam-el) is used by Single Sign-On and ID cooperation by SGML devised as a standard in OASIS mainly . HTTP and SOAP are used for the transmission and reception of the message .
The latest edition as of 2016 is SAML v2.0 devised in March, 2005 .
At the standard of SAML, I define grammar and the semantics about a protocol to transmit these information as a method to perform assertion (assertion, literal translation: an expression) of the certification, an attribute, the authorization of the authority by XML .
Table of contents
The assertion (assertion, literal translation: an expression) was one of the most basic concepts in SAML, and this listed certification information, the attribute of the user, security information such as the authorization of the authority to a user by XML grammar ; . I realize Single Sign-On and the ID cooperation that mentioned above by exchanging assertion between plural entities.
The assertion can describe security information in the form called the statement (statements) for the subject (subject) .
The subject is the entity which some kind of "security domains" (security domain) needs here, and アサート is a done object . Even if the subject is a human being, a company or the computer are all right .
In a statement with following three kinds:
- A certification statement (Authentication statements): Including the information of the places that were performed, for example, the certification time and the certification in the statement that the entity which authenticated a user made .
- An attribute statement (Attribute statements): The statement  about the attribute of the subject. For example, it is the name, age, the sex of the subject, the holder of the gold card .
- An authorization decision statement (Authorization decision statements): A statement  to express that I gave some kind of authority to a subject. Authority  that can buy, for example, the authorization to a specific file and a specific article.
A party and roll
Two following parties affect it with the use case of SAML to a minimum: Receive SAML assertion party (SAML asserting party, a literal translation: the SAML expression person concerned) and assertion to publish assertion; and called the SAML lira Inge party (SAML relying party, a literal translation: the SAML dependence person concerned) using it . The SAML assertion party is called the SAML authority (SAML authority, a literal translation: a person of SAML authority) 
A user is concerned with many use cases more. This user may be SAML assertion party.
The party that it is said with SAML re-kelp grouper star (SAML requester, a literal translation: SAML demander) at the party to require when the party of above-mentioned two and a user or other party demand the transmission of the assertion from other parties, and sends assertion accordingly SAML reply pop called the da (SAML responder, a literal translation: SAML responder) .
The person concerned of SAML carries various rolls (role). For example, when use SAML for Single Sign-On; with the roll called the identity provider and the roll called the service provider .
Use in the Single Sign-On
Single Sign-On is the structure which becomes able to use plural services and application only by a user receiving the certification once.
The site where a user receives the certification first carries the roll called the identity provider (identity provider, IdP) to use SAML in Single Sign-On . I call the security information such as certification information and the login session of the user in the site a security context (security context) .
On the other hand, the site providing service and application on the faith of the certification information of the user in IdP carries the roll called the service provider (service provider, SP) .
When I am going to use service of the SP after a user received the certification in IdP, IdP makes assertion from the security context of the user and sends assertion to the SP .
The following information about the user appears, for example, in assertion :
- It appears in a user list of IdP and the SP
- I was accepted by the certification with IdP
- Attribute (age, sex, a member of the gold card) of the user whom SP needs
The user explained a flow (IdP-initiated flow) to receive the certification in IdP before accessing SP with the use case which I explained at the top, but a flow (SP-initiated flow) to receive the certification from IdP after having accessed SP adversely is more common. Because this is because a user will access SP before receiving the certification from IdP when it accesses a search site and the site of the SP direct from bookmark. Therefore, SAML supports both flows .
Use by the ID cooperation
|The correction of this knob is expected. (August, 2016)|
I refer to saml-tech-overview 3.3 Identity Federation Use Case.
Outside link, references
- "PDF). OASIS Standard. August 10, 2016 reading. 0" (
- "Security Assertion Markup Language (SAML) V2.0 Technical Overview". OASIS. August 10, 2016 reading.
- ^ "What is SAML? - A Word Definition From the Webopedia Computer Dictionary." Webopedia.com. September 21, 2013 reading.
- ^ saml-tech-overview 2.1 Drivers of SAML Adoption
- ^ IT glossary of terms e-words SAML [Security Assertion Markup Language] August 10, 2016 reading
- ^ OASIS Standards August 10, 2016 reading
- ^ saml-core-2.0-os Abstract
- ^ saml-core-2.0-os Abstract
- ^ a b c d e f g saml-tech-overview 4.3 SAML Components
- ^ saml-core-2.0-os Abstract
- ^ a b c d e f saml-tech-overview 3.1 SAML Participants
- ^ a b c d e f g saml-tech-overview 3.2 Web Single Sign-On Use Case
This article is distributed by cc-by-sa or GFDL license in accordance with the provisions of Wikipedia.
In addition, Tranpedia is simply not responsible for any show is only by translating the writings of foreign licenses that are compatible with CC-BY-SA license information.