Any automated identity system needs one thing: the ability to create and distribute trustworthy statements about who a user is, how they were authenticated and which rights they may assert. Many people look first to the best-known system, Kerberos, but there are other systems which are just as capable. In recent years SAML (Security Assertion Markup Language, an OASIS standard) has become increasingly popular and is now something of an industry standard for web single sign-on. There are good, practical reasons for this, including its use of XML to represent the various security credentials, and it defines a request/response protocol for obtaining that credential data from a SAML authority service.

Although SAML can look quite complicated at first glance, it is relatively straightforward to use. It is well suited to security and authentication on the web, including for the many users who want to protect their privacy and limit what each site learns about them. Remember that an assertion is normally restricted to a particular audience (the relying service's domain) and that the authority can identify the subject with a transient or persistent pseudonymous identifier rather than the real username, which means that the user's identity can be protected to some extent.

A SAML authority can be described as a service, usually online, which responds to SAML requests by issuing assertions. An assertion is a package of statements about a subject, normally digitally signed by the authority, and the statements come in three distinct types:

Authentication: a SAML authority receives a request about a specific user. The reply carries an authentication statement stipulating that the subject was authenticated, by what means (for example a password over a protected transport) and at what time. It does not carry the user's password or other credential itself; the relying service takes the authority's word for it, which is why the assertion must be signed and the signature checked before anything in it is trusted.

Attribute: once an authentication statement has been returned, a SAML attribute authority can be asked for the attributes associated with the subject (group membership, subscription level, e-mail address and so on). These are returned in what are known as attribute statements, and a relying service should only accept attributes from an authority it trusts for that subject.

Authorization: a SAML authorization decision statement is returned in response to a query about a subject's permission to perform a given action on a specified resource. The authority evaluates the query against an access control list or policy store, which could be maintained dynamically, and the response is typically quite simple, i.e. Permit, Deny or Indeterminate: subject A has been granted permission to read resource Z. Note that in SAML 2.0 this statement type was frozen, with XACML recommended instead for expressing access-control policy and decisions, so new designs tend to use it only for compatibility.

Although these statement types are quite distinct, it is very likely that a single authority issues all of them. However, in high-security or highly distributed systems they may be spread across distinct servers in a domain: an identity provider for authentication, a separate attribute authority and a policy decision point for authorization, each of which the relying service has to trust individually.

SAML has become more popular because it is well suited to web-based and distributed systems, whereas Kerberos is less flexible there: it assumes a shared realm and direct connectivity to a key distribution centre, which rarely holds between organisations on the open Internet. For example, a video service could grant a subscriber permission to download videos based on the attributes a SAML authority asserts about that subscriber. The permissions can be integrated with all sorts of web services and functions because SAML defines bindings that carry its messages over ordinary HTTP redirects and POSTs (for browser single sign-on) and over SOAP (for back-channel queries between services). SOAP is a protocol for exchanging structured XML messages across computer networks.
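How a SAML request and response travel over the SOAP binding, as an added example that is not part of the original post: a relying party builds a samlp:AttributeQuery inside a SOAP 1.1 envelope, and an attribute authority answers with a samlp:Response carrying an attribute assertion (or an error status and no assertion). The two sides simply hand strings to each other here rather than going over HTTP, the attribute store, entity names and allow-list are constructed for the example, and the signatures and TLS that the SOAP binding requires in a real deployment are left out.

```python
"""SAML attribute query over the SOAP binding, both sides of the exchange.

Added example, not code from the original post. Entity names, the attribute
store and the requester allow-list are constructed; no network, signatures
or TLS are involved."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"soap": SOAP, "samlp": SAMLP, "saml": SAML}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER_ERROR = "urn:oasis:names:tc:SAML:2.0:status:Requester"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed attribute store for the authority: subject -> attributes it may release.
ATTRIBUTE_STORE = {"alice@example.org": {"subscription": "premium", "region": "EU"}}


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _el(parent, ns, name, attrib=None, text=None):
    """Append a namespaced child element and return it."""
    el = ET.SubElement(parent, "{%s}%s" % (ns, name), attrib or {})
    el.text = text
    return el


def build_attribute_query(requester, subject, wanted):
    """Relying-party side: a samlp:AttributeQuery inside a SOAP 1.1 body."""
    env = ET.Element("{%s}Envelope" % SOAP)
    body = _el(env, SOAP, "Body")
    q = _el(body, SAMLP, "AttributeQuery",
            {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now()})
    _el(q, SAML, "Issuer", text=requester)
    subj = _el(q, SAML, "Subject")
    _el(subj, SAML, "NameID", {"Format": EMAIL_FORMAT}, text=subject)
    for name in wanted:          # no Attribute children asks for everything the authority will release
        _el(q, SAML, "Attribute", {"Name": name})
    return ET.tostring(env, encoding="unicode")


def handle_attribute_query(soap_xml, authority, allowed_requesters):
    """Attribute-authority side: answer with an attribute assertion, or with a
    Requester status and no assertion when the requester is not on the allow-list."""
    q = ET.fromstring(soap_xml).find("soap:Body/samlp:AttributeQuery", NS)
    if q is None or q.get("Version") != "2.0":
        raise ValueError("SOAP body does not carry a SAML 2.0 AttributeQuery")
    requester = q.findtext("saml:Issuer", namespaces=NS)
    subject = q.findtext("saml:Subject/saml:NameID", namespaces=NS)
    wanted = [a.get("Name") for a in q.findall("saml:Attribute", NS)]

    env = ET.Element("{%s}Envelope" % SOAP)
    resp = _el(_el(env, SOAP, "Body"), SAMLP, "Response",
               {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                "InResponseTo": q.get("ID"), "IssueInstant": _now()})
    _el(resp, SAML, "Issuer", text=authority)
    status = _el(resp, SAMLP, "Status")
    if requester not in allowed_requesters:
        _el(status, SAMLP, "StatusCode", {"Value": REQUESTER_ERROR})
        return ET.tostring(env, encoding="unicode")
    _el(status, SAMLP, "StatusCode", {"Value": SUCCESS})

    assertion = _el(resp, SAML, "Assertion",
                    {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now()})
    _el(assertion, SAML, "Issuer", text=authority)
    _el(_el(assertion, SAML, "Subject"), SAML, "NameID", {"Format": EMAIL_FORMAT}, text=subject)
    # Restrict the assertion to the requester so it is useless if replayed elsewhere.
    cond = _el(assertion, SAML, "Conditions")
    _el(_el(cond, SAML, "AudienceRestriction"), SAML, "Audience", text=requester)
    stmt = _el(assertion, SAML, "AttributeStatement")
    released = ATTRIBUTE_STORE.get(subject, {})
    for name in (wanted or list(released)):
        if name in released:     # attributes the store does not hold are simply omitted
            _el(_el(stmt, SAML, "Attribute", {"Name": name}), SAML, "AttributeValue",
                text=released[name])
    return ET.tostring(env, encoding="unicode")


def read_attribute_response(response_xml, query_xml):
    """Relying-party side: check the response answers the query we sent, then
    return (status code, {attribute name: [values]})."""
    query = ET.fromstring(query_xml).find("soap:Body/samlp:AttributeQuery", NS)
    resp = ET.fromstring(response_xml).find("soap:Body/samlp:Response", NS)
    if resp is None or resp.get("InResponseTo") != query.get("ID"):
        raise ValueError("response does not match the query we sent")
    code = resp.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    attrs = {}
    for a in resp.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    return code, attrs
```

Two checks in this exchange matter for security. The authority's allow-list is the policy that decides which relying parties may ask about which subjects, and the `InResponseTo` check on the relying-party side binds each response to the query it was issued for; in production both messages would also be signed and carried over mutually authenticated TLS.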
