| SAML | |
|---|---|
| Name | SAML |
| Developer | OASIS |
| Released | 2002 |
| Latest release | 2.0 |
| Format | XML |
| License | Open standard |
Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization assertions between identity providers and service providers. It enables federated identity across domains belonging to organizations such as Microsoft, Google, Facebook, Amazon, and IBM and integrates with standards from OASIS, W3C, IETF, NIST, and ISO. SAML is widely implemented in enterprise products like Active Directory, Okta, Ping Identity, Oracle Corporation, and Salesforce.
SAML defines XML schemas and message exchanges enabling single sign-on and federation across entities including Amazon Web Services, Google Cloud Platform, Microsoft Azure, Salesforce, and ServiceNow. The specification separates roles such as identity provider and service provider similar to relationships in deployments by University of Michigan, Stanford University, University of Washington, CERN, and Internet2. Implementations interoperate with protocols and frameworks developed by OASIS, W3C, IETF, NIST, and vendors like VMware, Red Hat, Cisco Systems, and Dell Technologies.
Work on the specification began in the early 2000s at OASIS with contributions from vendors and academic institutions including the Liberty Alliance Project, Shibboleth, Internet2, MIT, and Johns Hopkins University. Major milestones include SAML 1.0, SAML 1.1, and the widely adopted SAML 2.0, which consolidated ideas from the Liberty Alliance Project and influenced standards at W3C and IETF. Commercial adoption accelerated through deployments by IBM, Microsoft, Oracle Corporation, Sun Microsystems, and cloud providers like Amazon and Google.
Core SAML elements include assertions, protocols, bindings, and profiles. An assertion carries statements about a subject: authentication statements, attribute statements, and authorization decision statements, as consumed by products from Okta, Ping Identity, OneLogin, and ForgeRock. Identity providers and service providers are often integrated with directories and services like Active Directory, LDAP, Azure Active Directory, Google Workspace, and Salesforce. Metadata documents list an entity's endpoints and keys, much as deployments in Internet2, Shibboleth, CERN, and University of Oxford provide them to federations. Security features rely on XML Signature and XML Encryption, specified by W3C and implemented in toolkits from Apache Software Foundation, Oracle Corporation, Microsoft, and Red Hat.
SAML defines protocols (e.g., Authentication Request, Artifact Resolve) and bindings, which map those protocols onto transport mechanisms such as HTTP POST, HTTP Redirect, and SOAP, compatible with infrastructure operated by Apache HTTP Server, NGINX, IBM WebSphere, and Microsoft IIS. Profiles such as Web Browser SSO, Enhanced Client or Proxy, and Single Logout are used in deployments by Salesforce, ServiceNow, Workday, and Box, and interwork with standards like OAuth 2.0 and OpenID Connect from IETF and the OpenID Foundation.
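The HTTP Redirect binding mentioned above carries a protocol message in the query string as raw DEFLATE, then base64, then URL encoding. The following is an added example (not code from the page or from any SAML toolkit) that performs that encoding for a constructed AuthnRequest and reverses it on the receiving side with a size cap on the inflated output; the URLs and IDs are placeholders, and the binding's optional SigAlg/Signature query parameters are not shown.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample AuthnRequest; the ID, URLs and timestamp are made-up placeholders.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req-example-1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.org/sso" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs">'
    '<saml:Issuer>https://sp.example.com/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_message(xml):
    """HTTP-Redirect binding encoding: raw DEFLATE (RFC 1951), then base64."""
    comp = zlib.compressobj(wbits=-15)  # negative wbits = raw DEFLATE, no zlib header/checksum
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def build_redirect_url(idp_sso_url, xml, relay_state=None):
    """Build the URL the user agent is redirected to; urlencode escapes '+', '/' and '='."""
    params = {"SAMLRequest": encode_redirect_message(xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urlencode(params)


def decode_redirect_message(url, max_bytes=1 << 20):
    """Reverse the binding on the receiving side. The inflated size is capped so a
    tiny compressed query parameter cannot expand into an unbounded document."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0], validate=True)
    decomp = zlib.decompressobj(wbits=-15)
    xml = decomp.decompress(raw, max_bytes)
    if decomp.unconsumed_tail or not decomp.eof:
        raise ValueError("SAMLRequest is truncated or exceeds the size limit")
    return xml.decode("utf-8")
```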
Common use cases include enterprise single sign-on in corporations like General Electric, Siemens, Procter & Gamble, and Pfizer, academic federation across Internet2 campuses like Harvard University and University of California, and cloud service integration for providers including Amazon Web Services, Google Cloud Platform, Microsoft Azure, and IBM Cloud. Open-source implementations and toolkits include projects from the Apache Software Foundation such as Apache CXF, OpenSAML from the Shibboleth Project, and libraries maintained by Red Hat and ForgeRock. Commercial identity platforms providing SAML capabilities include Okta, Ping Identity, OneLogin, Auth0, Oracle Corporation, and Microsoft.
Security considerations emphasize cryptographic signatures, encryption, replay protection, and strict time synchronization aligned with guidance from NIST, ENISA, ISO, and best practices advocated by OWASP. Vulnerabilities historically involved XML Signature wrapping, assertion replay, and metadata poisoning; mitigations are implemented in products from Microsoft, IBM, Oracle Corporation, VMware, and Cisco Systems. Operational security requires certificate management and trust establishment practices used by federations such as InCommon, eduGAIN, GÉANT, and large enterprises like AT&T and Verizon.
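The service-provider checks that the signature-wrapping, replay and time-synchronization points above call for can be illustrated in code. The following is an added example (not code from the page or from any named product) that validates a constructed SAML Response: it refuses responses with more than one Assertion, requires the enveloped signature's Reference to point at the Assertion actually consumed, enforces the Conditions window with a clock-skew allowance, checks the Audience, and rejects reused assertion IDs. It assumes that cryptographic verification of the ds:SignatureValue has already been performed by an XML-DSig library, and the sample signature element is structural only.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample Response; the Signature is structural only (no DigestValue/SignatureValue).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

seen_assertion_ids = set()  # replay cache; persist it with a TTL past NotOnOrAfter in production


def _ts(value):
    # SAML timestamps are UTC; fractional seconds are omitted in this sample.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(response_xml, sp_entity_id, now_utc, skew=timedelta(seconds=60)):
    """Return (True, assertion_id) or (False, reason). Assumes ds:SignatureValue was
    already verified cryptographically; these are the structural and semantic checks."""
    root = ET.fromstring(response_xml)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:          # signature wrapping often relies on an extra, unsigned Assertion
        return False, "count"
    assertion = assertions[0]
    aid = assertion.get("ID")
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + aid:   # signed element must be the one we consume
        return False, "signature"
    cond = assertion.find("saml:Conditions", NS)
    now = _ts(now_utc)
    if cond is None or now < _ts(cond.get("NotBefore")) - skew \
            or now >= _ts(cond.get("NotOnOrAfter")) + skew:
        return False, "time"
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if sp_entity_id not in audiences:
        return False, "audience"
    if aid in seen_assertion_ids:     # replay protection: each assertion ID is accepted once
        return False, "replay"
    seen_assertion_ids.add(aid)
    return True, aid
```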
SAML is maintained within the OASIS Security Services Technical Committee and interacts with related standards from W3C (XML Signature, XML Encryption), IETF (OAuth, JWT), the OpenID Foundation (OpenID Connect), and identity frameworks used by Internet2, eduGAIN, and the Liberty Alliance Project. Interoperability testing is coordinated by industry groups and events run by OASIS, IETF, Internet2, and vendor consortia including the Cloud Security Alliance and large vendors like Microsoft, Google, Amazon, IBM, and Oracle Corporation.