SAML 2.0
SAML 2.0 (Security Assertion Markup Language 2.0) is an open standard XML-based framework for exchanging authentication and authorization data between security domains, particularly between an Identity Provider (IdP) and a Service Provider (SP). It enables web-based cross-domain single sign-on (SSO), meaning a user can log in once to their identity provider and then access multiple service providers without having to re-authenticate.
SAML 2.0 facilitates the transfer of a user's identity, attributes, and authorization rights from the IdP to the SP. This is achieved through the exchange of digitally signed XML documents called "assertions." These assertions contain statements about the user, which the SP uses to grant access to its resources.
Key Components and Concepts:
- Identity Provider (IdP): The system that authenticates the user and provides the security assertion containing information about their identity and attributes. Examples include Active Directory Federation Services (ADFS), Okta, and Ping Identity.
- Service Provider (SP): The system that relies on the IdP to authenticate the user and authorize access to its resources. The SP trusts the assertions received from the IdP.
- Assertion: An XML document containing statements about a subject. Assertions can include authentication statements (proving the user has been authenticated), attribute statements (containing information about the user such as name, email address, or role), and authorization decision statements (indicating whether the user is authorized to access a specific resource).
- Subject: The entity about which the assertion is made, typically a user.
- Bindings: Define how SAML messages are transported between the IdP and SP. Common bindings include HTTP Redirect Binding, HTTP POST Binding, and SOAP Binding. The HTTP Redirect Binding is typically used for transferring authentication requests, while the HTTP POST Binding is often used for transferring assertions.
- Profiles: Define specific workflows for using SAML 2.0, such as the Web Browser SSO Profile, which is commonly used for single sign-on in web applications.
- Metadata: XML documents that describe the configuration and capabilities of the IdP and SP. Metadata is often exchanged between the IdP and SP to establish trust and ensure interoperability. It contains information such as endpoints, supported bindings, and signing certificates.
Benefits of Using SAML 2.0:
- Single Sign-On (SSO): Allows users to access multiple applications with a single login.
- Improved Security: Reduces the number of usernames and passwords users need to manage, and centralizes authentication management.
- Enhanced User Experience: Simplifies the login process and provides a seamless user experience across different applications.
- Increased Productivity: Reduces time spent on login procedures and password resets.
- Federated Identity Management: Enables organizations to securely share identity information with trusted partners.
- Interoperability: Provides a standardized way for different systems to exchange authentication and authorization data.
Limitations of SAML 2.0:
- Complexity: Implementing SAML 2.0 can be complex, requiring a good understanding of the standard and its various components.
- Overhead: The use of XML can result in larger message sizes, which may impact performance.
- Session Management: While SAML provides authentication, it does not inherently handle session management after the initial login. This is typically handled by the SP.
- Not Ideal for Mobile: SAML's reliance on browser redirects can be cumbersome for mobile applications. Other protocols like OAuth 2.0 and OpenID Connect are often preferred for mobile scenarios.