Protocols

SAML is defined in terms of assertions, protocols, bindings, and profiles.

SAML defines a number of request/response protocols. These protocols allow service providers to:

  • request or query for an assertion
  • ask for a subject to be authenticated
  • create and manage name identifier mappings (for federating identities through account linking)
  • request a near-simultaneous logout of a collection of related sessions ("single logout")

The protocol is encoded in an XML schema as a set of request-response pairs. The protocols defined are:

Assertion Query and Request Protocol: Defines a set of queries by which existing SAML assertions may be obtained. The query can be made on the basis of a reference, a subject, or a statement type.

Authentication Request Protocol: Defines an <AuthnRequest> message that causes a <Response> to be returned containing one or more assertions pertaining to a Principal. Typically the <AuthnRequest> is issued by a Service Provider and the Identity Provider returns the <Response> message. Used to support the Web Browser SSO Profile.
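As an added worked example (not from the original page or any SAML implementation), the request/response pair above in Python: the Service Provider builds an <AuthnRequest>, remembers its ID, and applies the checks it should make on the returned <Response> before trusting the assertion. All URLs, entity IDs, timestamps and the sample Response are constructed; XML signature verification, which a real SP performs first, is left out.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def build_authn_request(sp_entity_id, idp_sso_url, acs_url, issue_instant):
    """Return (request_id, xml) for a minimal <samlp:AuthnRequest>; the SP must remember request_id."""
    request_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{issue_instant}" Destination="{idp_sso_url}" '
           f'AssertionConsumerServiceURL="{acs_url}"><saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    return request_id, xml

def sample_response(request_id, acs_url, sp_entity_id, not_before, not_on_or_after):
    """Constructed, unsigned <samlp:Response> answering request_id (illustration only, not a real IdP message)."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0" '
            f'IssueInstant="{not_before}" InResponseTo="{request_id}" Destination="{acs_url}">'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">'
            f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"><saml:AudienceRestriction>'
            f'<saml:Audience>{sp_entity_id}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            '</saml:Assertion></samlp:Response>')

def parse_utc(ts):
    # SAML timestamps are UTC xs:dateTime values, e.g. 2024-05-01T12:00:00Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(response_xml, expected_request_id, acs_url, sp_entity_id, now):
    """Checks an SP makes on a <samlp:Response> before trusting it; returns a list of findings (empty = passed)."""
    root = ET.fromstring(response_xml)
    findings = []
    if root.get("InResponseTo") != expected_request_id:  # ties the Response to a request we actually issued
        findings.append("InResponseTo does not match an outstanding AuthnRequest")
    if root.get("Destination") != acs_url:  # rejects a Response meant for another endpoint
        findings.append("Destination is not this SP's AssertionConsumerServiceURL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        findings.append("StatusCode is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        findings.append("Response carries no assertion")
    for a in assertions:
        cond = a.find("saml:Conditions", NS)
        if cond is None: findings.append("Assertion has no Conditions"); continue
        if now < parse_utc(cond.get("NotBefore")) or now >= parse_utc(cond.get("NotOnOrAfter")):
            findings.append("Assertion is outside its NotBefore/NotOnOrAfter window")
        if sp_entity_id not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            findings.append("AudienceRestriction does not name this SP")
    return findings
```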

Artifact Protocol: Provides a mechanism to obtain a previously created assertion by providing a reference. In SAML terms the reference is called an “artifact”. Thus a SAML protocol message can refer to an assertion by an artifact, and when a Service Provider obtains the artifact it can use the Artifact Protocol to retrieve the actual assertion.

Name Identifier Management Protocol: Provides mechanisms to change the value or format of the name of a Principal. The issuer of the request can be either the Service Provider or the Identity Provider. The protocol also provides a mechanism to terminate the association of a name between an Identity Provider and a Service Provider.

Single Logout Protocol: Defines a request that allows near-simultaneous logout of all sessions associated with a Principal. The logout can be initiated directly by the Principal or triggered by a session timeout.

Name Identifier Mapping Protocol: Provides a mechanism to enable “account linking”. Refer to the subsequent sections on Federation.


See also:

- SAML Executive Overview
- SAML Technical Overview