The SAML XML.org web site is not longer accepting new posts. Information on this page is preserved for legacy purposes only. For current information on SAML, please see the OASIS Security Services Technical Committee Wiki.
Protocols
SAML is defined in terms of assertions, protocols, bindings, and profiles.
SAML defines a number of request/response protocols. These protocols allow service providers to:
- request or query for an assertion
- ask for a subject to be authenticated
- create and manage name identifier mappings (for federating identities through account linking)
- request a near-simultaneous logout of a collection of related sessions ("single logout")
The protocol is encoded in an XML schema as a set of request-response pairs. The protocols defined are.
Assertion Query and Request Protocol: Defines a set of queries by which existing SAML
assertions may be obtained. The query can be on the basis of a reference, subject or the
statement type.
Authentication Request Protocol: Defines a <AuthnRequest> message that causes a
<Response> to be returned containing one of more assertions pertaining to a Principal.
Typically the <AuthnRequest> is issued by a Service Provider with the Identity Provider
returning the <Response> message. Used to support the Web Browser SSO Profile.
Artifact Protocol: Provides a mechanism to obtain a previously created assertion by providing a reference. In SAML terms the reference is called an “artifact”. Thus a SAML protocol can refer to an assertion by an artifact, and then when a Service Provider obtains the artifact it can use the artifact Protocol to obtain the actual assertion using this protocol.
Name Identifier Management Protocol: Provides mechanisms to change the value or format
of the name of a Principal. The issuer of the request can be either the Service Provider or the
Identity Provider. The protocol also provides a mechanism to terminate an association of a
name between an Identity Provider and Service Provider.
Single Logout Protocol: Defines a request that allows near-simultaneous logout of all
sessions associated by a Principal. The logout can be directly initiated by the Principal or due
to a session timeout.
Name Identifier Mapping Protocol: Provides a mechanism to enable “account linking”.
Refer to the subsequent sections on Federation.