Industry View
SAML and Single Sign-On
How Security Assertion Markup Language can provide inter-organization single sign-on.
By Keith McMillan
November 27, 2006 — CSO
Today's pressures to securely interconnect businesses highlight the need to convey user identity information between organizations in a way that is flexible and reliable. For example, Company A wants to integrate its systems with those of its customers, so that the customers need to provide authentication credentials only once, and then can use both their own company's systems and those of Company A.
The Security Assertion Markup Language (SAML) provides a way to exchange this type of information. A SAML-based solution implemented at Company A would allow the organizations to securely exchange authentication information and integrate Company A with its customers.
And, aside from the obvious convenience to users of having to provide their credentials only once, such a solution offers other advantages, such as:
- Allowing customers to retain control over their password strength policies, rather than relying on Company A's policies.
- Allowing customers to use stronger authentication if they desire, such as token-based authentication or biometrics.
What Is SAML?
The Security Assertion Markup Language (SAML) is a specification created by the Organization for the Advancement of Structured Information Standards (OASIS). The SAML 2.0 specification is the most recent version.
SAML consists of a number of components. At the most primitive level, SAML defines assertions. Assertions are statements of fact, and they are intended to allow systems to exchange information about users, who are referred to as subjects. An assertion is an XML document, and may be digitally signed, encrypted or both, if required. Statements in an assertion can be used to convey identity information, decisions about authorization and other attributes of the subject as needed.
Computer systems, like those owned by Company A and its customers, can exchange SAML assertions using the SAML protocols. These protocols define ways for the systems providing assertions (called asserting parties) and those consuming assertions (called relying parties) to ask and answer questions about a user's identity.
In addition to allowing Company A to ask for and to receive identity information from its customers' single sign-on systems, SAML defines protocols to manage identities between the two, and to support additional services, such as single logout (single logoff), where all systems that are part of a single sign-on session are logged off together.
SAML also defines bindings, which specify how the protocols are carried over various communication channels (such as HTTP and SOAP). The combination of a set of protocols with a set of bindings creates a profile. The Web Browser Single Sign-On (SSO) profile defines how to implement Web-based single sign-on using SAML.