The SAML XML.org web site is not longer accepting new posts. Information on this page is preserved for legacy purposes only. For current information on SAML, please see the OASIS Security Services Technical Committee Wiki.
Diff for Profiles2
| Wed, 2007-12-12 22:59 by carolgeyer | Wed, 2007-12-12 23:47 by carolgeyer | ||
|---|---|---|---|
| < previous diff | |||
| Changes to Body | |||
| Line 3 | Line 3 | ||
</p>
| </p>
| ||
<p>
| <p>
| ||
| - | Generally, a profile of SAML defines constraints and/or extensions in support of the usage of SAML for a particular application – the goal being to enhance interoperability by removing some of the flexibility inevitable in a general-use standard. For instance, the Web Browser SSO Profile specifies how SAML authentication assertions are communicated between an identity provider and service provider to enable single sign-on for a browser user.
| + | The core of the SAML specification defines how the SAML requests and responses are<br />
|
| + | transported, however, a number of use cases have been developed that require the formulation of profiles that define how the SAML assertions, protocols and bindings are combined.
| ||
</p>
| </p>
| ||
<p>
| <p>
| ||
| - | The Web SSO Profile details how to use the SAML Authentication Request/Response protocol in conjunction with different combinations of the HTTP Redirect, HTTP POST, HTTP Artifact, and SOAP bindings.
| + | Generally, a profile of SAML defines constraints and/or extensions in
|
| + | support of the usage of SAML for a particular application – the goal
| ||
| + | being to enhance interoperability by removing some of the flexibility
| ||
| + | inevitable in a general-use standard. For instance, the Web Browser SSO
| ||
| + | Profile specifies how SAML authentication assertions are communicated
| ||
| + | between an identity provider and service provider to enable single
| ||
| + | sign-on for a browser user.
| ||
</p>
| </p>
| ||
<p>
| <p>
| ||
| - | Another type of SAML profile is an attribute profile. SAML defines a series of attribute profiles to provide specific rules for interpretation of attributes in SAML attribute assertions. An example is the X.500/LDAP profile, describing how to carry X.500/LDAP attributes within SAML attribute assertions.
| + | SAML Profiles include:
|
| + | </p>
| ||
| + | <p>
| ||
| + | <strong>Web Browser SSO Profile</strong>: Defines how a Web Browser supports SSO, when using<br />
| ||
| + | <AuthnRequest> protocol messages in combination with HTTP Redirect, HTTP POST and<br />
| ||
| + | HTTP Artifact bindings
| ||
| + | </p>
| ||
| + | <p>
| ||
| + | <strong>Enhanced Client and Proxy (ECP) Profile</strong>: Defines how <AuthnRequest> protocol<br />
| ||
| + | messages are used when combined with the Reverse-SOAP binding (PAOS). Designed to<br />
| ||
| + | support mobile devices front-ended by a WAP gateway
| ||
| + | </p>
| ||
| + | <p>
| ||
| + | <strong>Identity Provider Discovery Profile</strong>: Defines how a service provider can discover which<br />
| ||
| + | identity providers a principal is using with the Web Server
| ||
| + | </p>
| ||
| + | <p>
| ||
| + | <strong>Single Logout Profile</strong>: A profile of the SAML Single Logout protocol is defined. Defines how<br />
| ||
| + | SOAP, HTTP Redirect, HTTP POST and HTTP Artifact bindings may be used.
| ||
| + | </p>
| ||
| + | <p>
| ||
| + | <strong>Name Identifier Management Profile</strong>: Defines how the Name Identifier Management protocol<br />
| ||
| + | may be used with SOAP, HTTP Redirect, HTTP POST and HTTP Artifact bindings.
| ||
| + | </p>
| ||
| + | <p>
| ||
| + | <strong>Artifact Resolution Profile</strong>: Defines how the Artifact Resolution protocol uses a synchronous<br />
| ||
| + | binding, for example the SOAP binding.
| ||
| + | </p>
| ||
| + | <p>
| ||
| + | <strong>Assertion Query/Request Profile</strong>: Defines how the SAML query protocols (used for obtaining<br />
| ||
| + | SAML assertions) use a synchronous binding such as the SOAP binding.
| ||
| + | </p>
| ||
| + | <p>
| ||
| + | <strong>Name Identifier Mapping Profile</strong>: Defines how the Name Identifier Mapping protocol uses a<br />
| ||
| + | synchronous binding such as the SOAP binding.
| ||
</p>
| </p>
| ||
<p>
| <p>
| ||
Profiles2
SAML is defined in terms of assertions, protocols, bindings, and profiles.
The core of the SAML specification defines how the SAML requests and responses are
transported, however, a number of use cases have been developed that require the formulation of profiles that define how the SAML assertions, protocols and bindings are combined.
Generally, a profile of SAML defines constraints and/or extensions in support of the usage of SAML for a particular application – the goal being to enhance interoperability by removing some of the flexibility inevitable in a general-use standard. For instance, the Web Browser SSO Profile specifies how SAML authentication assertions are communicated between an identity provider and service provider to enable single sign-on for a browser user.
SAML Profiles include:
Web Browser SSO Profile: Defines how a Web Browser supports SSO, when using
<AuthnRequest> protocol messages in combination with HTTP Redirect, HTTP POST and
HTTP Artifact bindings
Enhanced Client and Proxy (ECP) Profile: Defines how <AuthnRequest> protocol
messages are used when combined with the Reverse-SOAP binding (PAOS). Designed to
support mobile devices front-ended by a WAP gateway
Identity Provider Discovery Profile: Defines how a service provider can discover which
identity providers a principal is using with the Web Server
Single Logout Profile: A profile of the SAML Single Logout protocol is defined. Defines how
SOAP, HTTP Redirect, HTTP POST and HTTP Artifact bindings may be used.
Name Identifier Management Profile: Defines how the Name Identifier Management protocol
may be used with SOAP, HTTP Redirect, HTTP POST and HTTP Artifact bindings.
Artifact Resolution Profile: Defines how the Artifact Resolution protocol uses a synchronous
binding, for example the SOAP binding.
Assertion Query/Request Profile: Defines how the SAML query protocols (used for obtaining
SAML assertions) use a synchronous binding such as the SOAP binding.
Name Identifier Mapping Profile: Defines how the Name Identifier Mapping protocol uses a
synchronous binding such as the SOAP binding.
See also:
- SAML Executive Overview
- SAML Technical Overview
Search
SUBSCRIBE
RECENT CONTENT
- SAML Wiki Knowledgebase
10 years ago - SAML 2.0 with java Sample
10 years ago - Govt Computer News: 'The power of one password'
10 years ago
1 reply - OASIS approves SAML 2.0 Errata
10 years ago
1 reply - IBM Pushes Federated Identity Management
10 years ago
1 reply - VMware Unveils Horizon App Manager
10 years ago
1 reply
