– SAML is an API: an XML-based standard framework.
– A SAML token contains the subject (user) information; it is an XML-based token.
– Using SAML tokens, identity is established in two different domains (say a hotel domain and a car domain) with just one login.
How is a SAML token created?
– The SAML token is created in the hotel domain, which therefore has a Credential Mapper that takes the subject, converts it into a SAML token and sends it across to the car domain.
– The car domain has to receive the token, so it has an Identity Asserter that maps the received token to a user and authenticates him.
The party that generates the SAML token is called the Identity Provider, Asserting Party or Source Site.
The party that accepts the token is called the Service Provider, Relying Party or Destination Site.
Trust has to be established between them for SAML to work, so the Identity Provider must hold the details of the Service Provider and the Service Provider must hold the details of the Identity Provider.
SAML flows can be classified into two types depending on where the request originates:
– IDP initiated (Identity Provider initiated)
– SP initiated (Service Provider initiated)
IDP initiated:
Here the request first comes to the Identity Provider and then goes to the Service Provider,
i.e. the user logs in to the domain where the token is generated and is then passed on to the other domain, where he is automatically logged in.
SP initiated:
Here the user comes to the Service Provider first, so he has to be sent to the Identity Provider where the token is created; the token is then consumed by the Service Provider and the user is authenticated.
The request sent from the SP to the IDP is in a separate format called a SAML authentication request.
Tokens can be received in two ways:
– HTTP-based SSO with the SAML Browser/POST profile (PUSH method) – in WebLogic
– HTTP-based SSO with the SAML Browser/Artifact profile (PULL method) – in WebLogic
There are two more profiles used by web services based on SOAP:
– WSS and SAML “sender-vouches” profile
– WSS and SAML “holder-of-key” profile
The only difference between the above two is the way the tokens are received.
POST profile:
The Service Provider requests a token from the Identity Provider.
The Identity Provider generates a SAML token and replies with it in an HTTP POST.
ARTIFACT profile:
The SP sends a request to the IDP for a token.
The IDP creates an artifact and sends it to the SP.
The SP receives the artifact, replies to the IDP that it has the artifact and requests the token.
The IDP now sends the token to the SP.
Let's go into the details now!
The IDP uses the Credential Mapper to generate tokens.
The Credential Mapper (CM) has a service called ITS, which is actually responsible for generating tokens.
There is no need to configure ITS; it is a service that the CM takes care of internally.
ITS – Inter-site Transfer Service
Along with ITS there is another service on the IDP called ARS (Assertion Receiver Service).
ARS is an addressable component that receives the SAML assertion corresponding to an artifact and sends the respective token to the SP.
ARS comes into the picture only in the case of the artifact profile.
Artifact – 40 bits in length; it is just like a unique ID for a token.
ACS – Assertion Consumer Service.
At the Service Provider end we have the Identity Asserter to consume the tokens.
The actual consumption of tokens is done by a service in the IA called ACS.
What does assertion mean?
It is a package of information that supplies one or more statements made by a SAML authority.
It consists of the following information:
– Authentication statements – information as to when and how a subject was authenticated.
– Attribute statements – specific information about the subject (e.g. the subject’s group).
– Authorization statements – information about what the subject is authorized to do.
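To make the three statement types concrete, here is an added example (not code from the original post or from WebLogic) of what the Service Provider's consumer side does with a SAML 1.1 assertion: it checks that the issuer is a known Identity Provider (the trust relationship described above), checks the validity window, and then reads the authentication, attribute and authorization statements. The assertion, issuer, subject and resource names are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}  # namespace shared by SAML 1.0 and 1.1

# Constructed sample assertion; issuer, subject, attribute and resource names are hypothetical.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" AssertionID="_constructed1" Issuer="idp.hotel.example"
  IssueInstant="2024-01-01T10:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
    AuthenticationInstant="2024-01-01T09:59:58Z">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="group" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>travellers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthorizationDecisionStatement Resource="https://car.example/booking" Decision="Permit">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Action>book</saml:Action>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>"""

TRUSTED_ISSUERS = {"idp.hotel.example"}  # the SP's configured record of its Identity Provider

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def consume_assertion(xml_text, now, trusted_issuers=TRUSTED_ISSUERS):
    # SP-side checks: issuer trust and validity window, then extract the three statement types.
    # A real Identity Asserter also verifies the assertion's XML signature (omitted here).
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("MajorVersion") != "1":
        raise ValueError("not a SAML 1.x assertion")
    if root.get("Issuer") not in trusted_issuers:
        raise ValueError("untrusted issuer: %r" % root.get("Issuer"))
    cond = root.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if (nb and now < _ts(nb)) or (na and now >= _ts(na)):
        raise ValueError("assertion outside its validity window (replay or clock skew)")
    auth = root.find("saml:AuthenticationStatement", NS)
    attrs = {a.get("AttributeName"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    decisions = [(d.get("Resource"), d.get("Decision"))
                 for d in root.findall("saml:AuthorizationDecisionStatement", NS)]
    return {"subject": auth.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS),
            "auth_method": auth.get("AuthenticationMethod"),
            "attributes": attrs, "decisions": decisions}
```

Calling `consume_assertion(SAMPLE_ASSERTION, _ts("2024-01-01T10:01:00Z"))` returns the subject `alice`, the password authentication method, the `group` attribute and the `Permit` decision; the same assertion presented at 10:05:00 or from an issuer not in `TRUSTED_ISSUERS` is rejected.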
Protocols: SAML defines a request/response protocol for obtaining assertions.
Binding: a binding details exactly how the SAML protocol maps onto transport and messaging protocols (HTTP or SOAP).
Profiles: a profile describes, for a given binding, how assertions are obtained and sent.
Federated Identity: a principal’s identity is said to be federated between a set of providers when there is an agreement between the providers on a set of identifiers and/or attributes to use to refer to the principal.
Metadata: metadata defines a way to express and share configuration information between SAML parties.
Now let's configure SAML 1.1 on WLS 🙂
Click on the link below to learn more about configuring SAML 1.1 with WebLogic: