Security Assertion Markup Language (SAML)

An XML-based open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider (IdP) and a service provider (SP).

SAML enables single sing-on (SSO), which means that a user can authenticate once with an identity provider and then access multiple service providers without needing to authenticate again. This can simplify the user experience and improve security by reducing the number of credentials that need to be managed.

SAML assertions, pieces of data exchanged during authentication, contain information about a user’s identity, authentication status, and authorized access rights, among other things. Assertions are digitally signed to ensure their integrity and can be encrypted to protect their confidentiality.

TIP: You can use SAML-tracer extension for Firefox/Chrome to look at SAML authentication requests and responses. Log in to inet.muni.cz – it’s currently configured to not encrypt any SAML data.

Technically, IdPs and SPs must run the necessary software (e.g. Shibboleth or SimpleSAMLphp) and publish the necessary SAML metadata (e.g. URLs for communication, public keys, logo images). Furthermore, IdPs and SPs must trust each other (politically and technically) that the meteadata is true.

Compared to OpenID, SAML is an older standard but it has had better support for federated identities.

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    Destination="https://id.muni.cz/simplesaml/saml2/idp/SSOService.php"
                    ForceAuthn="false"
                    ID="_0x0200217906c38f9e4329a3b6ca0276a9"
                    IsPassive="false"
                    IssueInstant="2024-02-20T08:21:39.094Z"
                    Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        https://inet.muni.cz/pub/samlsp
    </saml:Issuer>
</samlp:AuthnRequest>

In our setup, an SP uses HTTP Redirect to send an authentication request;
within the HTTP request, the SAML XML is in a Base64-encoded zlib-compressed GET parameter.
The Issuer identifies the author of the request;
the value must be an URI – the convention is to use an URL where the SP’s SAML metadata is hosted.

SAML response

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_b517a882c16f9477c4f2fab781864a78e6825bd7bc"
                Version="2.0"
                IssueInstant="2024-02-20T08:21:50Z"
                Destination="https://inet.muni.cz/saml2/sp/acs/post"
                InResponseTo="_0x0200217906c38f9e4329a3b6ca0276a9">
    <saml:Issuer>https://idp2.ics.muni.cz/idp/shibboleth</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_b517a882c16f9477c4f2fab781864a78e6825bd7bc">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>3ocVfPlQb9rRXwmd9pKRIVYTBec5BsSkCcEGuhA36yU=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>AMwC6GrHy0FHRQirWdI3Tzmf7sV1xAOollpAPIOuKFwny5+eFhG6D+OE+V4MfWxSch0P2cOxGTjhzI8F+8Z/vWsa0E3GzxJ+D6ehRwnZ7EwZuVT1WPWWsm5lMWtgleMowldCm1RZTRHQF9wW65ByaLj8C3dvsz2kPYobxtBs81RNmHwnD2LRisieLJUgC0higQuu8+Sl1KwMbYYnkKUZE5rYRvHjPju2Mqe9VNkfE/49GbbMliZg0ke5HBQRzKmXqiY7ka2vzx7nfAxUwZinTG6Kzc8NTLb3rMng/bkP18ZYPCz3sf3pYgnrKUPlw19EnFfC+jfu+RNaIfnCOaAroA==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIC/TCCAeWgAwIBAgIJAJ18Q00DtkMIMA0GCSqGSIb3DQEBCwUAMBUxEzARBgNVBAMMCmlkLm11bmkuY3owHhcNMTYxMTA0MTQ0OTMwWhcNMjYxMTAyMTQ0OTMwWjAVMRMwEQYDVQQDDAppZC5tdW5pLmN6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwDHZ5X2M7lJN7t2e5zw3L3m3mme777OG0Qgoct5NpmgNbsHJ+9bh3sLxTkkf7F7I0kaCyxNyrFOaIvWQ75ndr4XHQRj5r/n+bp+8/sjn3Fnp2yzxNae8Sg74G8Sw1du74coJ8Ftjqo/ODyamRW4wgk+DkNIk8VSOD0CJkEpFxdwwBMsPZMgXRYIxRCOIzjpyo/R38ai4w+rf0zVry+duX0Xyv1ByNgrYAG02/AgRcXcFsODvxL1M47ubbpgmks1gcXxR4+jINz0mQNpEGtu/EZ5JZerZM2J99CVpTcI6KP4anf3yDgKYjoQTzdBQALFIwpt5BseYI7E1yxeLZBu9/QIDAQABo1AwTjAdBgNVHQ4EFgQUibREYbTm5VVSnoTFcZxMvWsH+mUwHwYDVR0jBBgwFoAUibREYbTm5VVSnoTFcZxMvWsH+mUwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAQoIIi4XnqWbGRZ1gXmhcJVTiDdcf39dp1IiQZ7X0fAWLR4h9AO5ww8JFzj5aQMeybM+ZSl8t6HspVAKNz3fqEoYPSixK32uKV/GP46sos/Dwp04U4XR+smAsc5jbTwndP7tiMPMf03Own4mG1ZeR2s9LYf8sFV+FSjOBP3zlwWK8RAOJwRQXs5Bn9rtYAOdDrqqqwUWUSNXE2o9hq0/W65DmqbnUTOCOAe72FqLryS0ytFZGXm8R1gMZI1uMfEM76/+WvYFuCeMvROAoVwJH8aK7davxoM0w3JqUpzZy1dqQ9rTys3u2GffiPCsju+OJ7uEsbhR7eYegxCpRKLp58Q==</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    ID="_68d661819a5d5c3429e9213021d85d8bdaeeabcdf6"
                    Version="2.0"
                    IssueInstant="2024-02-20T08:21:50Z">
        <saml:Issuer>https://idp2.ics.muni.cz/idp/shibboleth</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#_68d661819a5d5c3429e9213021d85d8bdaeeabcdf6">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>6zoycCgW25ZXWDKvBtDD22VF4Yuvzfs4o+kWguLca4U=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>Yr3jbinn1hwfKmZeyZ4OgYLj37s8Y0/9dya9vyrtI9Qnfy0wklBUBpOW7fEvIz3MvFmK1/GE/AcL08WiaFNCVIwRNRnqN+NTS7M+ik2kXu/4o2tGMNNLP7+NtTsrkUc0qNvLib//4r+Gcfkfp7AZ9rSj+K1bYcsUeQLBa2+7LdDLPdTT1e0t4Z52cAOcC/So1Asja+BUv7GLM9fDKUOapLxkLNAPcwcwaAZ8meWIosyFkoQSlOPrs0Wbo4nKPL5+yoijrPa/wQbAo64dP01zqfXZoIIfJcPNLbTPV1e1LTUZNaxDcl2TS5eHkQeKogwVfiyV6ylPldV/NQX7+aCj+Q==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIC/TCCAeWgAwIBAgIJAJ18Q00DtkMIMA0GCSqGSIb3DQEBCwUAMBUxEzARBgNVBAMMCmlkLm11bmkuY3owHhcNMTYxMTA0MTQ0OTMwWhcNMjYxMTAyMTQ0OTMwWjAVMRMwEQYDVQQDDAppZC5tdW5pLmN6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwDHZ5X2M7lJN7t2e5zw3L3m3mme777OG0Qgoct5NpmgNbsHJ+9bh3sLxTkkf7F7I0kaCyxNyrFOaIvWQ75ndr4XHQRj5r/n+bp+8/sjn3Fnp2yzxNae8Sg74G8Sw1du74coJ8Ftjqo/ODyamRW4wgk+DkNIk8VSOD0CJkEpFxdwwBMsPZMgXRYIxRCOIzjpyo/R38ai4w+rf0zVry+duX0Xyv1ByNgrYAG02/AgRcXcFsODvxL1M47ubbpgmks1gcXxR4+jINz0mQNpEGtu/EZ5JZerZM2J99CVpTcI6KP4anf3yDgKYjoQTzdBQALFIwpt5BseYI7E1yxeLZBu9/QIDAQABo1AwTjAdBgNVHQ4EFgQUibREYbTm5VVSnoTFcZxMvWsH+mUwHwYDVR0jBBgwFoAUibREYbTm5VVSnoTFcZxMvWsH+mUwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAQoIIi4XnqWbGRZ1gXmhcJVTiDdcf39dp1IiQZ7X0fAWLR4h9AO5ww8JFzj5aQMeybM+ZSl8t6HspVAKNz3fqEoYPSixK32uKV/GP46sos/Dwp04U4XR+smAsc5jbTwndP7tiMPMf03Own4mG1ZeR2s9LYf8sFV+FSjOBP3zlwWK8RAOJwRQXs5Bn9rtYAOdDrqqqwUWUSNXE2o9hq0/W65DmqbnUTOCOAe72FqLryS0ytFZGXm8R1gMZI1uMfEM76/+WvYFuCeMvROAoVwJH8aK7davxoM0w3JqUpzZy1dqQ9rTys3u2GffiPCsju+OJ7uEsbhR7eYegxCpRKLp58Q==</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID SPNameQualifier="https://inet.muni.cz/pub/samlsp"
                         Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">999999</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2024-02-20T08:26:50Z"
                                              Recipient="https://inet.muni.cz/saml2/sp/acs/post"
                                              InResponseTo="_0x0200217906c38f9e4329a3b6ca0276a9" />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2024-02-20T08:21:20Z"
                         NotOnOrAfter="2024-02-20T08:26:50Z">
            <saml:AudienceRestriction>
                <saml:Audience>https://inet.muni.cz/pub/samlsp</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2024-02-20T08:21:50Z"
                             SessionNotOnOrAfter="2024-03-21T08:21:50Z"
                             SessionIndex="_a73e775221b6a3d3ec9f0f81fd6202251c1dd16cee">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>https://refeds.org/profile/sfa</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue xsi:type="xs:string">999999</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue xsi:type="xs:string">999999@muni.cz</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue xsi:type="xs:string">Jamie Doe</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="urn:oid:2.5.4.4"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue xsi:type="xs:string">Doe</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="urn:oid:2.5.4.42"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue xsi:type="xs:string">Jamie</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue xsi:type="xs:string">999999@mail.muni.cz</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

In our setup, an IdP uses an HTTP POST to return the authentication response;
within the HTTP request, the SAML XML is in a Base64-encoded zlib-compressed POST parameter.
The Issuer identifies the author of the response;
the value must be an URI – the convention is to use an URL where the IdP’s SAML metadata is hosted.
The Signature contains data necessary to verify the digital signature of the SAML response;
asymmetric cryptography is typically used.
The Status value shows the result of the authentication.
The Subject element contains a NameID element, which is an identifier of the user. The NameID may have multiple formats. Because it is quite complicated, most SPs prefer getting user’s identifier(s) from the attributes in the AttributeStatement (see below).

SAML assertions

SAML assertions are packets of security information containing authentication, attribute and authorization decision statements which the SP uses for access control. The assertions can be signed or encrypted independently of the rest of the SAML response.

In the sample SAML response above:

The Signature contains data necessary to verify the digital signature of the SAML assertion;
asymmetric cryptography is typically used.
The Conditions narrow down the validity of the assertion.
The AuthnStatement describes how the IdP authenticated the subject.
The AttributeStatement contains a collection of subject attributes (see below).

SAML attributes

SAML attributes are simple name-value pairs – values are typically plain text strings. Since both SP and IdP must recognize the attributes they exchange, attribute names usually follow one or more common schemas such as LDAP schema, eduPerson schema or SCHAC schema.

Best practice is for an SP to require a minimum set of attributes. This approach is both favoured by GDPR and decreases the risk of an IdP failing to send an attribute it does not recognize.

SAML federation

A SAML federation collects published metadata from all of its member IdPs and SPs, aggregates it in a single XML file and distributes the file back to the member IdPs and SPs. As a result, each IdP has a list of all SPs in the federation and vice versa. A federation can use dedicated software like pyFF to do this.

Furthermore, in a federated environment, SAML metadata can contain Entity Categories. SPs labeled with a category must conform to all of its required characteristics (e.g. having a Code of Conduct) and this information can be used by an IdP (e.g. include or exclude some attributes). IdPs labeled with a category claim interoperability with a respective SP category and this information can be used by SP (e.g. optimize user experience of authentication). Entity categories can be self-declared or assigned by the federation.

Perun

Security Assertion Markup Language (SAML)

Read more

SAML request

SAML response

SAML assertions

SAML attributes

SAML federation