Geeks With Blogs
Pradeep Loganathan Distributed

As web services increasingly cross organizational and domain boundaries, the problem of representing identity and its associated attributes across those boundaries is becoming more pressing. A system is secure if it knows all its users, and information is secure if it is intact, has not been tampered with and can be shown to be confidential.

A payroll processing service may need to interact further with the service implemented by the HR system, and perhaps with an external banking service too. If each of these services maintains and manages its own identification, authentication and authorization scheme, secure interoperability becomes complex and restrictive. A common way to represent and communicate identity and authorization across systems needs to be established.

SAML (Security Assertion Markup Language) is the web services standard that addresses the problems above.

SAML represents identity in XML, which can then be attached to SOAP messages, thereby making the identity portable. SAML builds on this with the concept of assertions. Assertions are made by identity providers and consumed by service providers.

 

SAML Assertions:

Assertions contain claims or statements about an identity or subject. There are three types of statements:

  1. Authentication statements: an authentication statement states that a particular authentication authority authenticated the subject at a particular instant in time using a particular authentication process.
  2. Authorization decision statements: an authorization decision statement states that a particular authorization authority has granted or denied the subject permission to act on a particular resource within a specific period of time.
  3. Attribute statements: an attribute statement provides additional information (attributes) about the subject of an authentication or authorization assertion.

These assertions can be passed between identity providers and service providers, so that the user need not present credentials to each and every service. Assertions are exchanged as request/response pairs defined by a schema.


Authentication Assertion:

An authentication authority authenticates a subject based on a set of credentials and produces an authentication assertion specifying that a subject S was authenticated using an authentication mechanism M at time T.

An authentication assertion contains an AuthenticationStatement element. This element carries an AuthenticationMethod attribute, specifying the authentication method used, and an AuthenticationInstant attribute, specifying the instant at which the subject was authenticated.

An example of an authentication statement in SAML 1.x syntax is below.

    <saml:AuthenticationStatement
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
        AuthenticationInstant="2006-07-03T12:06:00Z">
      <saml:Subject>
        <saml:NameIdentifier
            Format="urn:oasis:names:tc:SAML:1.0:assertion#emailAddress">pradeep@test.net</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>...</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>


Authorization Assertion:

An authorization authority asserts that a subject S can be granted access of type A to a resource R based on the evidence E. An example of an authorization decision statement carried inside an assertion is below.

    <saml:Assertion
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        MajorVersion="1" MinorVersion="1"
        Issuer="https://idp.org/saml/" ...>
      <saml:AuthorizationDecisionStatement
          Decision="Permit"
          Resource="https://company.com/resource">
        <saml:Action>read</saml:Action>
        ...
      </saml:AuthorizationDecisionStatement>
    </saml:Assertion>


Attribute Assertions:

An attribute assertion associates a subject S with additional attributes. Examples of such attributes in an HR system might be department name, manager name, etc.

Since SAML is concerned with making and enforcing decisions based on a set of policies, the SAML architecture defines two roles, the policy decision point (PDP) and the policy enforcement point (PEP). A PDP makes authorization decisions based on the attribute and authentication statements and on the policy in force. The PEP is the point at which an access decision has to be enforced; the PEP communicates with the PDP to retrieve the decisions.
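The checks a service provider (the PEP described above) makes when it consumes an assertion carrying all three statement types, as an added Python example that is not part of the original post: it trusts only a known issuer, enforces the Conditions validity window and audience, checks that the AuthenticationInstant is recent, collects the attributes, and honours only an explicit Permit decision from the authorization authority (the PDP) for the exact subject, resource and action requested. Element and attribute names follow the SAML 1.1 assertion schema; the issuer, audience, subject, resource and attribute values are constructed sample data. The example assumes the assertion's XML signature has already been verified upstream; without that step none of these checks mean anything, since an unsigned assertion can be written by anyone.

```python
# Added example (not code from the original post): a minimal service-provider
# (PEP) side consumer of a SAML 1.1 assertion carrying all three statement
# types. Element and attribute names follow the SAML 1.1 assertion schema; the
# issuer, subject, resource and attribute values are constructed samples.
# Assumption: the assertion's XML signature has already been verified upstream.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# Every SAML 1.1 statement names its subject; the sample reuses this one.
SUBJECT = ('<saml:Subject><saml:NameIdentifier '
           'Format="urn:oasis:names:tc:SAML:1.0:assertion#emailAddress">'
           'pradeep@test.net</saml:NameIdentifier></saml:Subject>')

# Constructed sample assertion: Conditions, then one statement of each type.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="_sample-1" Issuer="https://idp.example.org/saml/" IssueInstant="2006-07-03T12:06:00Z">
  <saml:Conditions NotBefore="2006-07-03T12:05:00Z" NotOnOrAfter="2006-07-03T12:15:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>https://payroll.example.com/</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2006-07-03T12:06:00Z">
    {SUBJECT}
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    {SUBJECT}
    <saml:Attribute AttributeName="department" AttributeNamespace="urn:example:hr">
      <saml:AttributeValue>Payroll</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthorizationDecisionStatement Decision="Permit" Resource="https://payroll.example.com/resource">
    {SUBJECT}
    <saml:Action>read</saml:Action>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>"""


def parse_instant(value):
    """SAML time values are xsd:dateTime in UTC, e.g. 2006-07-03T12:06:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, audience, now_iso, max_authn_age_s=300):
    """Checks a service provider must make before believing any statement. Returns
    {"ok": True, "subject", "attributes"} or {"ok": False, "reason"} for the first failure."""
    now = parse_instant(now_iso)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return {"ok": False, "reason": "not a SAML 1.x assertion"}
    if root.get("Issuer") not in trusted_issuers:
        return {"ok": False, "reason": "untrusted issuer"}
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < parse_instant(nb)) or (noa and now >= parse_instant(noa)):
            return {"ok": False, "reason": "assertion outside its validity window"}
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
        if audiences and audience not in audiences:
            return {"ok": False, "reason": "assertion not addressed to this audience"}
    authn = root.find("saml:AuthenticationStatement", NS)
    if authn is None:
        return {"ok": False, "reason": "no authentication statement"}
    # Freshness: reject an authentication that happened too long ago (replay window).
    if now - parse_instant(authn.get("AuthenticationInstant")) > timedelta(seconds=max_authn_age_s):
        return {"ok": False, "reason": "authentication instant too old"}
    subject = authn.find("saml:Subject/saml:NameIdentifier", NS).text.strip()
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("AttributeName")] = [
            v.text.strip() for v in attr.findall("saml:AttributeValue", NS)]
    return {"ok": True, "subject": subject, "attributes": attributes}


def pep_allows(xml_text, subject, resource, action):
    """Policy enforcement point: honour only an explicit Permit from the authorization
    authority (PDP) for exactly this subject, resource and action; otherwise fail closed."""
    root = ET.fromstring(xml_text)
    for stmt in root.findall("saml:AuthorizationDecisionStatement", NS):
        stmt_subject = stmt.find("saml:Subject/saml:NameIdentifier", NS).text.strip()
        actions = [a.text.strip() for a in stmt.findall("saml:Action", NS)]
        if (stmt_subject == subject and stmt.get("Resource") == resource
                and action in actions and stmt.get("Decision") == "Permit"):
            return True
    return False


def enforce(xml_text, trusted_issuers, audience, now_iso, resource, action):
    """Full PEP flow: validate the assertion, then consult the PDP's decision in it."""
    result = validate_assertion(xml_text, trusted_issuers, audience, now_iso)
    if not result["ok"]:
        return False, result["reason"]
    if not pep_allows(xml_text, result["subject"], resource, action):
        return False, "no Permit decision for this subject, resource and action"
    return True, result["subject"]
```

Note the fail-closed default in pep_allows: a missing statement, a Deny or Indeterminate decision, a different Resource string or an action not listed all produce a refusal, and the comparison is on the exact Resource URI, so a decision issued for one resource cannot be reused for another. The validity window and the authentication-instant age are separate checks on purpose: the first bounds how long the assertion as a whole may be presented, the second bounds how stale the login behind it may be.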

Posted on Tuesday, August 8, 2006 7:18 AM | WS-Security

Copyright © Pradeep Loganathan