SAML [Security Assertions Markup Language]
The animated TECHTip tutorial is available here.
SAML [Security Assertions Markup Language] is an XML [eXtensible Markup Language] extension designed to exchange security information in the form of assertions about subjects. The subject is an entity (person, device, or computer) that has an identity in the security domain and needs access to a protected resource.
Three types of Assertions provide information about the subject:
- An Authentication Assertion indicates precisely how and when the entity’s identity was proved/provided.
- An Attribute Assertion provides other information about the entity, such as its role in the transaction or membership in a group.
- An Authorization Assertion declares that the entity is (or is not) authorized to access specific resources.
Assertions are issued by server-based applications known as SAML authorities. For domains (organizations) to share security information through SAML, they must have a preexisting agreement.
Here are the SAML processes. The entity can reuse the token for further requests without reauthenticating, whether within the same domain or within another domain. SAML provides SSO [Single Sign-On], which allows users to go from one secure site to another without signing on (logging in) again. In this model, an application that uses numerous Web services has to provide authentication only once, rather than once for each interaction.
SAML does not directly provide message integrity or confidentiality; it relies on XML Signature to protect integrity and on SSL [Secure Sockets Layer] and TLS [Transport Layer Security] for confidentiality. According to various sources, SAML and WS [Web Services] Security provide significantly different models for Web services security. SAML relies on slower SSL and TLS to protect confidentiality, while WS-Security uses XML Encryption. Though SSO simplifies access, SAML requires a substantial infrastructure of trusted authorities and business agreements. WS-Security, by contrast, must be used to protect every individual SOAP (more follows) exchange. See TECHtionary SSL, Digital Certificates for more.
The SAML assertions are bound into the SOAP document’s header to secure the body of the message. The token is digitally signed using XML Signature and authenticated using one of several techniques, including an X.509 certificate or a Kerberos ticket.
SOAP [Simple Open Access Protocol] defines how to package/format a database request (OLAP [On-Line Analytical Processing]) as an XML string (bits of data) that can be transported via HTTP [Hyper-Text Transfer Protocol] (Layers 5-7). SOAP sends the data via Application-Layer (5-7) HTTP over Transport-Layer 4 TCP [Transmission Control Protocol], over Network-Layer 3 IP [Internet Protocol], and over various Data-Link-Layer 2 protocols such as Frame Relay, ATM [Asynchronous Transfer Mode] and Ethernet, and Physical-Layer 1 protocols such as SONET [Synchronous Optical NETworks], Wi-Fi, etc.
TECHtionary Corporation, founded in 2001 and headquartered in Boulder, Colorado, is the world’s first and largest animated (rich media) library/magazine on technology. Get the analyses and more than 2,603 free tutorials on data, Internet, wireless, VoIP (Internet telephony), PBX systems, central office switching, protocols, telephony, telecommunications, networking, routing, power systems, broadband, Wi-Fi, and other technologies. TECHtionary.com provides “just enough - just in time” critical success information. TECHtionary produces Web infomercials proven to “increase revenues, decrease customer support costs, and increase customer satisfaction.”
