SAML defines a number of request/response protocols. These protocols allow service providers to:
- request or query for an assertion
- ask for a subject to be authenticated
- create and manage name identifier mappings (for federating identities through account linking)
- request a near-simultaneous logout of a collection of related sessions ("single logout")
The protocol is encoded in an XML schema as a set of request-response pairs. The protocols defined are:
Assertion Query and Request Protocol: Defines a set of queries by which existing SAML
assertions may be obtained. The query can be on the basis of a reference, subject or the
Authentication Request Protocol: Defines an <AuthnRequest> message that causes a
<Response> to be returned containing one or more assertions pertaining to a Principal.
Typically the <AuthnRequest> is issued by a Service Provider and the Identity Provider
returns the <Response> message. Used to support the Web Browser SSO Profile. When the
Service Provider did issue a request, it should check that the InResponseTo attribute of the
<Response> names that request, so that a response it never asked for is not accepted in its place.
Artifact Protocol: Provides a mechanism to obtain a previously created message by providing a reference. In SAML terms the reference is called an "artifact". A SAML message (typically a <Response> carrying an assertion) can therefore be passed through the browser as an artifact, and the Service Provider that receives the artifact uses this protocol (the <ArtifactResolve>/<ArtifactResponse> pair, called the Artifact Resolution Protocol in SAML 2.0) to obtain the actual message directly from the Identity Provider. Because the resolution is a provider-to-provider exchange rather than a message carried by the browser, the artifact is a one-time reference: the Identity Provider should resolve a given artifact at most once, and the Service Provider should confirm that the <ArtifactResponse> answers the <ArtifactResolve> it sent.
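The Authentication Request and Artifact protocols combined in one exchange, as an added example that is not code from this page or from the SAML specifications: a toy Service Provider issues an <AuthnRequest>, the Identity Provider answers with an artifact instead of the <Response>, and the Service Provider resolves the artifact with <ArtifactResolve>/<ArtifactResponse> before running its checks on the <Response>. The entity IDs, URLs, user, artifact format and validity window are assumptions made for the example; the XML signatures a real deployment must create and verify (before any of the Service Provider's checks here mean anything) are omitted, and only the standard library is used.

```python
import datetime as dt
import secrets
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
XMLNS = f'xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
SP, IDP = "https://sp.example.org", "https://idp.example.org"   # assumed entity IDs
ACS = SP + "/acs"                                               # assumed AssertionConsumerServiceURL

def now(offset_seconds=0):
    t = dt.datetime.now(dt.timezone.utc) + dt.timedelta(seconds=offset_seconds)
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")   # fixed-width UTC xs:dateTime, so strings compare chronologically

def new_id():
    return "_" + secrets.token_hex(16)   # xs:ID values may not start with a digit

class IdentityProvider:
    def __init__(self):
        self.issued = {}   # artifact -> <Response> XML, removed on first resolution

    def sso(self, authn_request, user):
        """Answer an <AuthnRequest> for an authenticated user with an artifact referring to the <Response>."""
        req = ET.fromstring(authn_request)
        response = f"""<samlp:Response {XMLNS} ID="{new_id()}" Version="2.0" IssueInstant="{now()}" Destination="{req.get('AssertionConsumerServiceURL')}" InResponseTo="{req.get('ID')}">
  <saml:Issuer>{IDP}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{new_id()}" Version="2.0" IssueInstant="{now()}">
    <saml:Issuer>{IDP}</saml:Issuer>
    <saml:Subject><saml:NameID>{escape(user)}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{now(-60)}" NotOnOrAfter="{now(300)}">
      <saml:AudienceRestriction><saml:Audience>{SP}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
        artifact = secrets.token_urlsafe(20)   # toy handle; a real artifact also encodes a type code and source ID
        self.issued[artifact] = response
        return artifact

    def resolve(self, artifact_resolve):
        """Answer <ArtifactResolve> with <ArtifactResponse>; each artifact resolves at most once."""
        ar = ET.fromstring(artifact_resolve)
        message = self.issued.pop(ar.find("samlp:Artifact", NS).text, None)
        return f"""<samlp:ArtifactResponse {XMLNS} ID="{new_id()}" Version="2.0" IssueInstant="{now()}" InResponseTo="{ar.get('ID')}">
  <saml:Issuer>{IDP}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS if message else REQUESTER}"/></samlp:Status>
  {message or ''}
</samlp:ArtifactResponse>"""

class ServiceProvider:
    def __init__(self):
        self.pending = set()   # IDs of <AuthnRequest>s still awaiting a <Response>

    def authn_request(self):
        rid = new_id()
        self.pending.add(rid)
        return f"""<samlp:AuthnRequest {XMLNS} ID="{rid}" Version="2.0" IssueInstant="{now()}" Destination="{IDP}/sso" AssertionConsumerServiceURL="{ACS}">
  <saml:Issuer>{SP}</saml:Issuer>
</samlp:AuthnRequest>"""

    def resolve_artifact(self, idp, artifact):
        """Back channel: send <ArtifactResolve>, return the <Response> carried in the <ArtifactResponse>."""
        rid = new_id()
        resolve = f"""<samlp:ArtifactResolve {XMLNS} ID="{rid}" Version="2.0" IssueInstant="{now()}">
  <saml:Issuer>{SP}</saml:Issuer>
  <samlp:Artifact>{artifact}</samlp:Artifact>
</samlp:ArtifactResolve>"""
        out = ET.fromstring(idp.resolve(resolve))
        if out.get("InResponseTo") != rid:
            raise ValueError("ArtifactResponse does not answer our ArtifactResolve")
        response = out.find("samlp:Response", NS)
        if response is None:
            raise ValueError("artifact did not resolve (unknown or already used)")
        return ET.tostring(response)

    def consume_response(self, response_xml):
        resp = ET.fromstring(response_xml)
        if resp.get("InResponseTo") not in self.pending:
            raise ValueError("unsolicited or replayed Response")
        self.pending.remove(resp.get("InResponseTo"))   # each request is answered once
        if resp.get("Destination") != ACS:
            raise ValueError("Response is not addressed to our AssertionConsumerService")
        if (code := resp.find("samlp:Status/samlp:StatusCode", NS).get("Value")) != SUCCESS:
            raise ValueError("IdP reported " + code)
        assertion = resp.find("saml:Assertion", NS)
        cond = assertion.find("saml:Conditions", NS)
        if not cond.get("NotBefore") <= now() < cond.get("NotOnOrAfter"):
            raise ValueError("assertion outside its validity window")
        if cond.find("saml:AudienceRestriction/saml:Audience", NS).text != SP:
            raise ValueError("assertion is meant for another audience")
        return assertion.find("saml:Subject/saml:NameID", NS).text

def web_sso_by_artifact(user="alice@example.org"):
    sp, idp = ServiceProvider(), IdentityProvider()
    artifact = idp.sso(sp.authn_request(), user)   # the browser carries this from the IdP to the SP
    return sp.consume_response(sp.resolve_artifact(idp, artifact))
```

`web_sso_by_artifact()` runs the full exchange and returns the NameID the Service Provider accepted. The two single-use stores are the point of the example: the Identity Provider drops an artifact from `issued` on first resolution, so a replayed <ArtifactResolve> gets a Requester status and no <Response>, and the Service Provider drops a request ID from `pending` on first use, so the same <Response> cannot be consumed twice.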
Name Identifier Management Protocol: Provides mechanisms to change the value or format
of the name identifier of a Principal. The request can be issued by either the Service Provider
or the Identity Provider. The protocol also provides a mechanism to terminate the association
of a name identifier between an Identity Provider and a Service Provider.
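An added example of this protocol (not code from this page or from the SAML specifications) showing the Identity Provider side: a <ManageNameIDRequest> that changes a persistent identifier with <NewID>, a forged request from another issuer that the Service Provider refuses, and a request that ends the association with <Terminate/>. The entity IDs, identifier values and account table are constructed for the example, signatures are omitted, and the mirror-image direction in which the Service Provider asks the Identity Provider to change the identifier is not shown.

```python
import datetime as dt
import secrets
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
XMLNS = f'xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SP, IDP = "https://sp.example.org", "https://idp.example.org"   # assumed entity IDs

def now():
    return dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def new_id():
    return "_" + secrets.token_hex(16)

def manage_name_id_request(issuer, name_id, new_value=None):
    """<ManageNameIDRequest> carrying <NewID> (change) or, when new_value is None, <Terminate/>."""
    change = f"<samlp:NewID>{new_value}</samlp:NewID>" if new_value else "<samlp:Terminate/>"
    return f"""<samlp:ManageNameIDRequest {XMLNS} ID="{new_id()}" Version="2.0" IssueInstant="{now()}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:NameID Format="{PERSISTENT}" NameQualifier="{IDP}" SPNameQualifier="{SP}">{name_id}</saml:NameID>
  {change}
</samlp:ManageNameIDRequest>"""

def manage_name_id_response(issuer, in_response_to, status):
    return f"""<samlp:ManageNameIDResponse {XMLNS} ID="{new_id()}" Version="2.0" IssueInstant="{now()}" InResponseTo="{in_response_to}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
</samlp:ManageNameIDResponse>"""

class ServiceProvider:
    """Keeps the link between the persistent NameID the IdP issued and a local account."""
    def __init__(self, links):
        self.links = dict(links)   # persistent NameID -> local account

    def handle(self, request_xml):
        req = ET.fromstring(request_xml)
        rid = req.get("ID")
        # Only the provider that issued the identifier may change or terminate it; a real SP
        # also verifies that provider's signature on the request before acting on it.
        if req.find("saml:Issuer", NS).text != IDP:
            return manage_name_id_response(SP, rid, REQUESTER)
        current = req.find("saml:NameID", NS).text
        new_value = req.find("samlp:NewID", NS)
        if current not in self.links or (new_value is None and req.find("samlp:Terminate", NS) is None):
            return manage_name_id_response(SP, rid, REQUESTER)   # unknown link or malformed request
        account = self.links.pop(current)   # the old identifier stops working either way
        if new_value is not None:
            self.links[new_value.text] = account   # same local account, new federated name
        return manage_name_id_response(SP, rid, SUCCESS)

def status_of(response_xml):
    return ET.fromstring(response_xml).find("samlp:Status/samlp:StatusCode", NS).get("Value")

def demo():
    sp = ServiceProvider({"1b7e3a": "local-user-42"})   # constructed federation link
    changed = status_of(sp.handle(manage_name_id_request(IDP, "1b7e3a", new_value="9f04cc")))
    after_change = dict(sp.links)
    forged = status_of(sp.handle(manage_name_id_request("https://attacker.example.net", "9f04cc", new_value="0000")))
    ended = status_of(sp.handle(manage_name_id_request(IDP, "9f04cc")))   # <Terminate/>
    return changed, after_change, forged, ended, dict(sp.links)
```

Note what termination does and does not do: the Service Provider forgets the federated identifier, but the local account behind it is untouched; the forged request is refused on the Issuer check alone, which in a deployed system is only meaningful together with signature verification.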
Single Logout Protocol: Defines a request that allows near-simultaneous logout of all
sessions associated with a Principal. The logout can be initiated directly by the Principal or
be caused by a session timeout.
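The logout described above as an added example that is not code from this page or from the SAML specifications: the Identity Provider sends a <LogoutRequest> naming the Principal and the SessionIndex to each Service Provider that holds a session, and each answers with a <LogoutResponse>. The entity IDs, session records and users are constructed for the example, the transport between providers is a direct function call rather than a SAML binding, and signatures are omitted.

```python
import datetime as dt
import secrets
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
XMLNS = f'xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"
LOGOUT_BY_USER = "urn:oasis:names:tc:SAML:2.0:logout:user"   # Reason value for a Principal-initiated logout
IDP = "https://idp.example.org"   # assumed entity ID

def now():
    return dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def new_id():
    return "_" + secrets.token_hex(16)

class ServiceProvider:
    """Session participant: local sessions keyed by the SessionIndex the IdP put in the assertion."""
    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.sessions = {}   # SessionIndex -> NameID

    def login(self, name_id, session_index):
        self.sessions[session_index] = name_id

    def logout(self, logout_request):
        """End the sessions named in a <LogoutRequest> and answer with a <LogoutResponse>."""
        req = ET.fromstring(logout_request)
        name_id = req.find("saml:NameID", NS).text
        indexes = [e.text for e in req.findall("samlp:SessionIndex", NS)]
        # Only sessions that belong to the named Principal are ended. An index that is unknown
        # or belongs to someone else is reported as a Requester error (this example's choice)
        # so the IdP can tell a partial logout from a complete one.
        matched = [i for i in indexes if self.sessions.get(i) == name_id]
        for i in matched:
            del self.sessions[i]
        return f"""<samlp:LogoutResponse {XMLNS} ID="{new_id()}" Version="2.0" IssueInstant="{now()}" InResponseTo="{req.get('ID')}" Destination="{IDP}/slo">
  <saml:Issuer>{self.entity_id}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS if matched else REQUESTER}"/></samlp:Status>
</samlp:LogoutResponse>"""

class IdentityProvider:
    """Session authority: remembers which SP holds which session for each Principal."""
    def __init__(self):
        self.sessions = {}   # NameID -> {SP entity ID: SessionIndex}

    def record_session(self, name_id, sp_entity_id, session_index):
        self.sessions.setdefault(name_id, {})[sp_entity_id] = session_index

    def single_logout(self, name_id, participants, reason=None):
        """Send a <LogoutRequest> to every SP holding a session for name_id; return (overall status, per-SP outcome)."""
        outcomes = {}
        for sp_id, index in self.sessions.pop(name_id, {}).items():
            rid = new_id()
            reason_attr = f' Reason="{reason}"' if reason else ""   # left out for a logout caused by session timeout
            request = f"""<samlp:LogoutRequest {XMLNS} ID="{rid}" Version="2.0" IssueInstant="{now()}" Destination="{sp_id}/slo"{reason_attr}>
  <saml:Issuer>{IDP}</saml:Issuer>
  <saml:NameID>{name_id}</saml:NameID>
  <samlp:SessionIndex>{index}</samlp:SessionIndex>
</samlp:LogoutRequest>"""
            resp = ET.fromstring(participants[sp_id].logout(request))   # in practice carried by a SAML binding
            code = resp.find("samlp:Status/samlp:StatusCode", NS).get("Value")
            outcomes[sp_id] = resp.get("InResponseTo") == rid and code == SUCCESS
        return (SUCCESS if all(outcomes.values()) else PARTIAL_LOGOUT), outcomes

def demo():
    """Alice is logged in at two SPs and Bob at one; Alice's logout must end only Alice's sessions."""
    app1, app2 = ServiceProvider("https://app1.example.org"), ServiceProvider("https://app2.example.org")
    idp = IdentityProvider()
    for sp in (app1, app2):
        index = new_id()   # in a real flow this is the SessionIndex from the <AuthnStatement>
        sp.login("alice@example.org", index)
        idp.record_session("alice@example.org", sp.entity_id, index)
    app2.login("bob@example.org", new_id())
    participants = {sp.entity_id: sp for sp in (app1, app2)}
    status, outcomes = idp.single_logout("alice@example.org", participants, reason=LOGOUT_BY_USER)
    return status, outcomes, app1.sessions, app2.sessions
```

`demo()` reports Success with Alice gone from both applications and Bob's session at app2 intact. If one participant cannot end its session (for instance it already expired locally), the Identity Provider reports PartialLogout to whoever started the logout, which is the outcome a session authority should surface rather than hide.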
Name Identifier Mapping Protocol: Provides a mechanism to enable “account linking”.
Refer to the subsequent sections on Federation.