Tech Primer
Security Assertion Markup Language
What is Security Assertion Markup Language (SAML)?
SAML is an XML-based framework for the exchange of security information,
developed by the Organization for the Advancement of Structured Information
Standards (OASIS). It has been designed for both B2B and B2C transactions. It
has three basic components: assertions, protocol and binding. Assertions carry
statements of three kinds: authentication, attributes and authorisation. User
identity is validated through authentication, while specific information about
the user is carried as attributes. The authorisation statement records what the
user is authorised to do. The protocol defines how SAML requests and receives
assertions. Finally, binding defines how SAML messages are carried over
different underlying technologies.
How does it work?
A SAML assertion transfers security information between an assertion authority
and a relying party by using the header of a SOAP message. For example, when a
user logs in at a site, a SAML assertion transfers the user's authentication
information, and the transferred token provides authentication to a remote site.
Both the authentication token and the user's attributes can be included in the
SAML package, which can then be tested against a rules engine for authorisation
and access control. It is important to note that SAML does not perform
authentication by itself; it transports the authentication information.
Accordingly, SAML can work with different authentication authorities, such as
LDAP and Active Directory, in combination with different identification
methods, such as passwords, biometric technologies or Public Key Infrastructure
technologies.
What are the benefits of SAML?
SAML attempts to reduce the cost of building and operating information systems
that interoperate across many service providers. For example, using SAML on a
travel website, a user does not have to authenticate more than once when
interacting with different entities, such as booking airline tickets or booking
a hotel room. SAML shows developers how to represent users, identifies what data
needs to be transferred, and defines the process for sending and receiving that
data. SAML also addresses a limitation of browser cookies. Most single sign-on
products rely on browser cookies so that re-authentication is not needed, but
browsers do not transfer cookies between domains; SAML does not depend on
cookies crossing domain boundaries.
How is SAML different from other security services?
Other security approaches use a central certificate authority to issue
certificates that guarantee secure communication from one point to another
within a network. With SAML, any point in the network can assert that it knows
the identity of a user or piece of data. It is up to the receiving application
to decide whether it trusts the assertion.
Which commercial products support SAML?
Commercial products such as IBM Tivoli Access Manager, SunONE Identity Server,
RSA Security ClearTrust and VeriSign Trust Integration Toolkit support SAML.
Are there security risks associated with this technology?
SAML has three well-understood potential attacks. In a replay attack, an
attacker captures a SAML token and replays it to gain illicit access. In DNS
spoofing, an attacker intercepts a SAML token by supplying a false DNS address.
In an HTTP referrer attack, an attacker tries to reuse the HTTP referrer tag.
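As an added illustration that is not part of the original primer, the following Python shows the relying-party checks that address the replay risk above, applied to a constructed SAML 2.0 assertion carrying the authentication, attribute and authorisation statements described under "How does it work?". The entity ID, issuer and assertion contents are assumed sample values, and the XML signature is assumed to have been verified before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MY_ENTITY_ID = "https://travel.example.com"  # assumed relying-party identifier

# Constructed sample (not from any real identity provider) carrying all three statement kinds.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-0001" Version="2.0" IssueInstant="2005-03-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2005-03-01T10:00:00Z" NotOnOrAfter="2005-03-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://travel.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2005-03-01T09:59:58Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>gold-member</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://travel.example.com/hotel" Decision="Permit">
    <saml:Action>book</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""

def parse_ts(s):
    # SAML timestamps are UTC xs:dateTime values ending in Z.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def accept_assertion(xml_text, now, seen_ids, audience=MY_ENTITY_ID):
    """Relying-party checks on an assertion whose XML signature is assumed to have
    been verified already. Returns the statements or raises ValueError."""
    a = ET.fromstring(xml_text)
    cond = a.find("saml:Conditions", NS)
    expiry = parse_ts(cond.get("NotOnOrAfter"))
    if now < parse_ts(cond.get("NotBefore")) or now >= expiry:
        raise ValueError("assertion outside its validity window")
    if audience not in [e.text for e in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion was not issued for this relying party")
    # Replay defence: each assertion ID is honoured once. Cache entries can be
    # dropped after their expiry, since a late replay then fails the time check anyway.
    if a.get("ID") in seen_ids:
        raise ValueError("replayed assertion ID " + a.get("ID"))
    seen_ids[a.get("ID")] = expiry
    return {
        "subject": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "attributes": {x.get("Name"): x.findtext("saml:AttributeValue", namespaces=NS)
                       for x in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)},
        "decisions": [(d.get("Resource"), d.findtext("saml:Action", namespaces=NS), d.get("Decision"))
                      for d in a.iterfind("saml:AuthzDecisionStatement", NS)],
    }
```

The `seen_ids` dictionary stands in for whatever shared store the relying party uses across its servers; a per-process cache would let a replay succeed against a different node.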
What's new?
OASIS recently ratified SAML Version 2.0, formalising a key standard for
federated security. This version adds features such as account linking, global
log-out and attribute exchange. Organisations such as BEA Systems, IBM, Oracle,
SAP and Sun Microsystems have announced support for SAML 2.0.
For more information visit: www.oasis-open.org/committees/tc_home.php?wg_abbrev=security