SAML

SAML2 Profiles

WSO2 Identity Server support most of the SAML2 profiles.

1. Web Browser SSO Profile

Description : In a Single Sign On (SSO) system there are two roles; Service Providers and Identity Providers. The important characteristic of a single sign on system is the pre-defined trust relationship between the service providers and the identity providers. Service providers trust the assertions issued by the identity providers and the identity providers issue assertions based on the results of authentication and authorization of the those who try to access services of the service provider.

The SAML 2.0 web browser-based single-sign-on profile is defined under the SAML 2.0 Profiles specification. In a web browser-based SSO system, the flow can be started by the user either by attempting to access a service at the service provider, or by directly accessing the identity provider itself.

Public References

https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

Section 4.1 - Web Browser SSO Profile

WSO2 References

Other References

2. Single Logout Profile

Description

Once a principal has authenticated to an identity provider, the authenticating entity may establish a session with the principal (typically by means of a cookie, URL rewriting, or some other implementation specific means). The identity provider may subsequently issue assertions to service providers or other relying parties, based on this authentication event; a relying party may use this to establish its own session with the principal.

In such a situation, the identity provider can act as a session authority and the relying parties as session participants. At some later time, the principal may wish to terminate his or her session either with an individual session participant, or with all session participants in a given session managed by the session authority. The former case is considered out of scope of this specification. The latter case, however, may be satisfied using this profile of the SAML Single Logout protocol.

Public References

https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

Section 4.4 - Single Logout Profile

https://www.oasis-open.org/committees/download.php/7473/sstc-saml-core-2.0-draft-15-diff.pdf

Section 3.7 - Single Logout Protocol

WSO2 References

3. Basic Attribute Profile

Description

The Basic attribute profile specifies simplified, but non-unique, naming of SAML attributes together with attribute values based on the built-in XML Schema data types, eliminating the need for extension schema to validate syntax.

Public References:

https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

Section 8.1 - Basic Attribute Profile

WSO2 References

4. Metadata profile

Description

SAML profiles require agreements between system entities regarding identifiers, binding support and endpoints, certificates and keys, and so forth. A metadata specification is useful for describing this information in a standardized way. This document defines an extensible metadata format for SAML system entities, organized by roles that reflect SAML profiles. Such roles include that of Identity Provider, Service Provider, Affiliation, Attribute Authority, Attribute Consumer, and Policy Decision Point.

Public References:

https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf

WSO2 References :

5. Assertion query / request profile

Description

SAMLCore defines a protocol for requesting existing assertions by reference or by querying on the basis of a subject and additional statement-specific criteria. This profile describes the use of this protocol with a synchronous binding, such as the SOAP binding defined in SAML Bind.

Public References

https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf

Section 6 - Assertion Query/Request Profile.

WSO2 References :

6. WS Trust

Description

WS-Security defines the basic mechanisms for providing secure messaging. This specification uses these base mechanisms and defines additional primitives and extensions for security token exchange to enable the issuance and dissemination of credentials within different trust domains.

In order to secure a communication between two parties, the two parties must exchange security credentials (either directly or indirectly). However, each party needs to determine if they can "trust" the asserted credentials of the other party.

In this specification we define extensions to [WS-Security] that provide:

  • Methods for issuing, renewing, and validating security tokens.

  • Ways to establish assess the presence of, and broker trust relationships.

Using these extensions, applications can engage in secure communication designed to work with the general Web services framework, including WSDL service descriptions, UDDI business Services and binding Templates, and [SOAP] [SOAP2] messages.

To achieve this, this specification introduces a number of elements that are used to request security tokens and broker trust relationships.

Public References

WSO2 References

PreviousSpecificationsNextOAuth2

Last updated