The Security Assertion Markup Language 2.0 (SAML2) is an open standard and one of the key technologies for federated identity. It enables single sign-on (SSO), which decouples the authentication and authorization process from the application: a user can use a single credential to access multiple applications. The user's credentials are not stored in these applications; they are stored by trusted attribute authorities, which handle the authentication and authorization processes themselves. SAML2 is used to exchange this authentication and authorization data, called assertions. Assertions are in XML format. One assertion represents a set of statements about an identity, made by a SAML authority (e.g. a SAML server). Assertions are exchanged between an identity provider (an entity able to verify the user's credentials) and a service provider (an entity that relies on the identity provider to verify the user's credentials).
According to this request-reply model, there are 3 kinds of assertions: authentication assertions, attribute assertions and authorization assertions. An authentication assertion asserts that the identity was authenticated by a given authentication mechanism at a certain time. An attribute assertion asserts that the identity was associated with the specified attributes (name, surname, etc.). An authorization assertion contains proof that the identity has been authorized to access a specific resource with specific rights.
Group information can be carried by SAML2 in two ways:
1. Attributes: In this scenario, the group information is carried as SAML attributes as part of the authentication statement. Many attributes in the commonly used eduPerson schema actually represent groups:
a. eduPersonAffiliation provides a fixed naming scheme for labelling people into groups such as student, faculty, member, etc.
b. eduPersonEntitlement is used to express roles and rights and may represent groups of people.
c. eduMember isMemberOf is commonly used to express group memberships.
In addition, SAML allows arbitrary attributes to be used to express group membership.
Note that in this scenario the information is only available when a user logs in. This may therefore not serve all use cases.
2. SAML Attribute Query: This protocol provides a back channel for querying attribute (and thus also group) information from a SAML Attribute Authority.
Note that authorisation management between the SAML Attribute Authority and the requesting services is based on the same mechanisms as between Identity Providers and Service Providers (SAML metadata). This mechanism is rather coarse, and may therefore not serve all use cases.
Finally, it should be noted that SAML supports a variety of security mechanisms at the transport and message levels, namely SSL 3.0 or TLS 1.0 for transport-level security and XML Signature and XML Encryption for message-level security.
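As an added example (not part of the original text), the following Python extracts the group-bearing attributes described above from a SAML2 AttributeStatement, whether the assertion arrived in the login response or was returned by an Attribute Query. The assertion is a constructed sample, the OID-to-name mapping covers only the three eduPerson/eduMember attributes named above, and the XML Signature and validity conditions are assumed to have been verified before this step.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# urn:oid attribute names for the group-bearing eduPerson/eduMember attributes,
# mapped to their friendly names (other attributes are ignored on purpose).
GROUP_ATTRS = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
    "urn:oid:1.3.6.1.4.1.5923.1.5.1.1": "isMemberOf",
}

# Constructed sample assertion (no real issuer or user); signature omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_sample" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" FriendlyName="isMemberOf">
      <saml:AttributeValue>cn=admins,ou=groups,dc=example,dc=org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_groups(assertion_xml: str) -> dict:
    """Return {friendly_name: [values]} for group-bearing attributes only.

    Assumes the assertion's XML Signature, audience and validity window were
    already checked; this function trusts the document it is handed.
    """
    root = ET.fromstring(assertion_xml)
    groups = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        # Prefer the OID form (stable across federations), fall back to FriendlyName.
        name = GROUP_ATTRS.get(attr.get("Name")) or attr.get("FriendlyName")
        if name not in GROUP_ATTRS.values():
            continue  # e.g. givenName: identity data, not group information
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        groups.setdefault(name, []).extend(values)
    return groups


def has_group(groups: dict, attr_name: str, value: str) -> bool:
    """True if the asserted attribute carries exactly the given value."""
    return value in groups.get(attr_name, [])
```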