
A logical view of SAML 1.x

Mar 22, 2004

The Security Assertion Markup Language (SAML) provides a standardized way of passing sign-on and authorization information – via messages called “assertions” – between two federated domains. One domain is the source site authenticating browser-based users and the other is the destination site controlling access to the requested resource.

Functional entities typically found at the source site are:

The principal – The functional entity (often a browser-based client, but it could be a Web service or application) that requests a resource.

Authentication authority – Responsible for ensuring a principal is what it says it is. The authentication authority passes credentials input by the principal to an authenticating service (such as a Lightweight Directory Access Protocol directory or RADIUS server). It then determines if the authentication was successful, and, if so, issues an authentication assertion message vouching for that.

Attribute authority – Responsible for determining what rights the principal has regarding the requested resource. It processes the authentication assertion message, retrieves the principal’s attribute information from a repository (such as an LDAP directory or database) and issues an attribute assertion message vouching that the principal is entitled to those attributes.

Functional entities typically found at the destination site are:

Policy decision point – This functional entity processes authentication and attribute assertion messages and evaluates those assertions against policies maintained in a repository. It issues authorization decision assertion messages that validate the authentications and attributes.

Policy enforcement point – An entity that processes authorization decision assertions and enforces policies. At times, the policy enforcement point can be hosted on an external node.

Resource – An instance of information, services or applications requested by and delivered to principals online, subject to authentication and authorization controls. At times, the resource can be hosted on an external node.
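The hand-off described above, as an added example that is not from the article: a minimal policy decision point that reads a SAML 1.1-style assertion carrying an authentication statement and an attribute statement, checks the assertion's conditions (validity window and audience), and returns the authorization decision. The namespace and element names follow the SAML 1.1 assertion schema; the issuer, audience, resource, policy and assertion contents are constructed for this example, and signature verification is assumed to have happened before this point.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"s": "urn:oasis:names:tc:SAML:1.0:assertion"}  # SAML 1.x assertion namespace

def ts(value):
    # SAML 1.x timestamps are UTC xsd:dateTime values with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

# Constructed sample: one assertion carrying an authentication statement and
# an attribute statement, as a source-site authority might issue it.
SAMPLE_ASSERTION = f"""<Assertion xmlns="{NS['s']}" MajorVersion="1" MinorVersion="1"
  AssertionID="_example1" Issuer="idp.example.org" IssueInstant="2004-03-22T10:00:00Z">
  <Conditions NotBefore="2004-03-22T10:00:00Z" NotOnOrAfter="2004-03-22T10:05:00Z">
    <AudienceRestrictionCondition><Audience>https://sp.example.com</Audience></AudienceRestrictionCondition>
  </Conditions>
  <AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
    AuthenticationInstant="2004-03-22T10:00:00Z">
    <Subject><NameIdentifier>alice</NameIdentifier></Subject>
  </AuthenticationStatement>
  <AttributeStatement>
    <Subject><NameIdentifier>alice</NameIdentifier></Subject>
    <Attribute AttributeName="role" AttributeNamespace="urn:example:attrs">
      <AttributeValue>finance</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""

# Constructed policy held by the destination site: resource -> required role
POLICY = {"https://sp.example.com/ledger": "finance"}

def decide(assertion_xml, resource, audience, now):
    """Policy decision point: return ("Permit" | "Deny", reason)."""
    root = ET.fromstring(assertion_xml)
    # A real PDP verifies the assertion's XML Signature before trusting any statement.
    cond = root.find("s:Conditions", NS)
    if not (ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter"))):
        return "Deny", "assertion outside its validity window"
    if audience not in [a.text for a in cond.findall(".//s:Audience", NS)]:
        return "Deny", "assertion not addressed to this destination site"
    auth = root.find("s:AuthenticationStatement", NS)
    attr = root.find("s:AttributeStatement", NS)
    if auth is None or attr is None:
        return "Deny", "missing authentication or attribute statement"
    names = {s.findtext("s:Subject/s:NameIdentifier", None, NS) for s in (auth, attr)}
    if len(names) != 1:
        return "Deny", "statements describe different principals"
    roles = {v.text for a in attr.findall("s:Attribute", NS) if a.get("AttributeName") == "role"
             for v in a.findall("s:AttributeValue", NS)}
    if POLICY.get(resource) not in roles:
        return "Deny", "principal lacks the role required for the resource"
    return "Permit", f"{names.pop()} may access {resource}"
```

The decision tuple is what the policy enforcement point would act on; a production PDP would wrap it in an AuthorizationDecisionStatement and check the assertion's signature and issuer before reaching this logic.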