| Security Assertion Markup Language | |
|---|---|
| Name | Security Assertion Markup Language |
| Developer | OASIS |
| Released | 2002 |
| Latest release | 2.0 (2005) |
| Type | XML-based protocol |
Security Assertion Markup Language is an XML-based framework for exchanging authentication and authorization data among parties in a distributed environment. It enables single sign-on and federated identity scenarios by transporting assertions about subjects between identity providers and service providers, supporting integrations across platforms such as Oracle Corporation, Microsoft, IBM, Google LLC, and Amazon Web Services. The specification is maintained by OASIS, and implementations interoperate with deployments from vendors like Ping Identity, Okta, Inc., ForgeRock, and Shibboleth.
SAML provides a standardized format for conveying assertions about users, relying on XML schemas and extensions defined by OASIS, and is frequently used alongside standards such as XML Signature, XML Encryption, X.509, Transport Layer Security, and OAuth 2.0. It addresses cross-domain single sign-on requirements in ecosystems such as those of the University of Cambridge, the University of Oxford, NASA, the U.S. Department of Defense, and enterprises such as Salesforce and Workday. The protocol separates the roles of asserting and consuming parties (identity providers, service providers, and brokers), enabling federations like InCommon, eduGAIN, and the UK Access Management Federation.
SAML originated from collaborations among vendors and research institutions during the early 2000s federated identity efforts involving the Liberty Alliance Project, Internet2, and Microsoft. The first SAML 1.0 specification resulted from work by OASIS members including Entrust Corporation, Sun Microsystems, and Novell. SAML 2.0 consolidated concepts from the Liberty Alliance and was published with contributions from the Shibboleth Project, Oracle Corporation, and IBM, aligning with practices used by European Commission initiatives and national identity programs such as GovPass-style projects in countries like Estonia, Sweden, and Germany.
The SAML architecture defines assertions, protocols, bindings, and profiles, with core elements implemented by identity providers and service providers and mediated by intermediaries like Kantara Initiative-certified brokers. Assertions carry authentication, attribute, or authorization decision statements, often referencing standards like SAML Subject Confirmation, SAML AttributeProfile, and XACML from OASIS. Metadata describing entities uses standards influenced by W3C, IETF, and federations such as eduGAIN and GEANT. Components interoperate with certificate management standards from organizations such as IETF and with directories like Active Directory from Microsoft and OpenLDAP.
SAML supports multiple bindings (HTTP Redirect, HTTP POST, HTTP Artifact, and SOAP), reflecting interoperability with the World Wide Web Consortium, IETF, and enterprise stacks from Apache Software Foundation projects such as Apache HTTP Server and Apache Tomcat. Profiles, including Web Browser SSO and Enhanced Client or Proxy (ECP), map use cases to bindings and message flows used by vendors like Akamai Technologies and Cloudflare. Integrations often combine SAML with OAuth 2.0 and OpenID Connect in hybrid deployments at companies like Facebook, Twitter, and LinkedIn.
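The HTTP Redirect binding mentioned above carries the AuthnRequest in a query string: the XML is raw-DEFLATE compressed, base64-encoded and URL-encoded, and the receiver reverses those steps. The following is an added example (not code from the page or from any vendor it names) that builds a minimal AuthnRequest with placeholder entity IDs, encodes it for the redirect, and decodes it on receipt with a size cap so a small, highly compressible payload cannot exhaust the receiver's memory during inflation. The entity IDs and SSO URL are constructed placeholders.

```python
import base64
import secrets
import zlib
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder identifiers; real deployments take these from SAML metadata.
SP_ENTITY_ID = "https://sp.example.invalid/metadata"
IDP_SSO_URL = "https://idp.example.invalid/sso/redirect"


def new_request_id() -> str:
    """SAML IDs are xs:ID values, so they must not start with a digit."""
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id: str, issue_instant: datetime) -> str:
    """Return a minimal SAML 2.0 AuthnRequest (constructed sample document)."""
    instant = issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{instant}" '
        f'Destination="{IDP_SSO_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def deflate_b64(xml: str) -> str:
    """Raw DEFLATE (no zlib header, hence wbits=-15) followed by base64,
    which is what the HTTP Redirect binding specifies."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_b64(value: str, max_bytes: int = 64 * 1024) -> str:
    """Reverse of deflate_b64. Inflation is capped: if the stream has not
    reached its end within max_bytes of output, the message is rejected
    (decompression bomb or truncated input)."""
    raw = base64.b64decode(value, validate=True)
    dec = zlib.decompressobj(-15)
    out = dec.decompress(raw, max_bytes)
    if not dec.eof:
        raise ValueError("inflated SAMLRequest exceeds size limit or is truncated")
    return out.decode("utf-8")


def redirect_url(xml: str, relay_state: Optional[str] = None) -> str:
    """Build the redirect target as the service provider would send it."""
    params = {"SAMLRequest": deflate_b64(xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{IDP_SSO_URL}?{urlencode(params)}"


def parse_redirect_url(url: str) -> dict:
    """Decode the query string as the identity provider would on receipt."""
    qs = parse_qs(urlparse(url).query, strict_parsing=True)
    return {
        "request_xml": inflate_b64(qs["SAMLRequest"][0]),
        "relay_state": qs.get("RelayState", [None])[0],
    }


if __name__ == "__main__":
    req = build_authn_request(new_request_id(), datetime.now(timezone.utc))
    url = redirect_url(req, relay_state="/app/home")
    print(url)
    print(parse_redirect_url(url)["request_xml"] == req)
```

Note that the redirect binding signs the query string (SigAlg and Signature parameters) rather than the XML; that step is omitted here, and the size cap in `inflate_b64` is the receiver-side check worth keeping in any implementation.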
SAML deployments face threats including replay, XML signature wrapping, assertion tampering, and cross-site request forgery, with mitigations employing XML Signature, XML Encryption, strict clock skew policies, and X.509 certificate validation standards referenced by IETF RFCs. Security reviews by researchers affiliated with MIT, Stanford University, and Carnegie Mellon University have influenced best practices adopted by vendors such as Entrust Corporation, DigiCert, and Symantec. Federated identity risk management often follows guidelines from NIST, ENISA, and national security bodies including US-CERT.
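The threats and mitigations listed above translate into a concrete set of checks a service provider runs on every inbound Response before trusting it. The block below is an added example, not code from the page or from any vendor named on it: it assumes an XML-DSig library is plugged in through the `verify_signature` hook to check the signature bytes, and shows the structural checks around that call, namely that the signature covers the single assertion actually consumed (signature wrapping), that the assertion is within its Conditions window under a bounded clock-skew tolerance, that it is addressed to this service provider, and that neither the assertion ID nor the InResponseTo value is accepted twice (replay). The entity IDs, NameID and sample Response are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Callable, Set

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SP_ENTITY_ID = "https://sp.example.invalid/metadata"  # placeholder value
MAX_SKEW = timedelta(minutes=3)                       # local policy choice


def _instant(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class AssertionValidator:
    def __init__(self, verify_signature: Callable[[ET.Element], bool]):
        self.verify_signature = verify_signature   # XML-DSig hook (assumed library)
        self.seen_assertion_ids: Set[str] = set()  # replay cache; persist it in production
        self.outstanding_requests: Set[str] = set()  # IDs of AuthnRequests this SP sent

    def validate(self, response_xml: str, now: datetime) -> str:
        """Return the authenticated NameID, or raise ValueError."""
        root = ET.fromstring(response_xml)  # production: defusedxml, no DTD processing
        # InResponseTo must name a request this SP issued and has not yet consumed.
        in_response_to = root.get("InResponseTo")
        if in_response_to not in self.outstanding_requests:
            raise ValueError("unsolicited or already-consumed InResponseTo")
        # Wrapping defence: exactly one Assertion anywhere in the document,
        # and it must be a direct child of the Response.
        all_assertions = list(root.iter(SAML + "Assertion"))
        direct = root.findall(SAML + "Assertion")
        if len(all_assertions) != 1 or direct != all_assertions:
            raise ValueError("unexpected assertion count or placement")
        assertion = all_assertions[0]
        assertion_id = assertion.get("ID") or ""
        # The Signature must be enveloped in the assertion and reference its ID.
        sig = assertion.find(DS + "Signature")
        ref = sig.find(DS + "SignedInfo/" + DS + "Reference") if sig is not None else None
        if ref is None or ref.get("URI") != "#" + assertion_id:
            raise ValueError("signature does not reference the consumed assertion")
        if not self.verify_signature(assertion):
            raise ValueError("signature verification failed")
        # Validity window with bounded clock-skew tolerance.
        cond = assertion.find(SAML + "Conditions")
        if cond is None:
            raise ValueError("missing Conditions")
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and _instant(not_before) > now + MAX_SKEW:
            raise ValueError("assertion not yet valid")
        if not_on_or_after is None or _instant(not_on_or_after) <= now - MAX_SKEW:
            raise ValueError("assertion expired or has no expiry")
        if SP_ENTITY_ID not in [a.text for a in cond.iter(SAML + "Audience")]:
            raise ValueError("assertion not intended for this service provider")
        # Replay: each assertion ID is consumed at most once.
        if assertion_id in self.seen_assertion_ids:
            raise ValueError("assertion replayed")
        self.seen_assertion_ids.add(assertion_id)
        self.outstanding_requests.discard(in_response_to)
        name_id = assertion.find(SAML + "Subject/" + SAML + "NameID")
        if name_id is None or not name_id.text:
            raise ValueError("missing NameID")
        return name_id.text


def sample_response(assertion_id: str, request_id: str, not_before: datetime,
                    not_on_or_after: datetime, audience: str = SP_ENTITY_ID) -> str:
    """Constructed sample Response; the Signature element is a placeholder."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_resp1" Version="2.0" InResponseTo="{request_id}">
  <saml:Assertion ID="{assertion_id}" Version="2.0">
    <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#{assertion_id}"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.invalid</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before.strftime(fmt)}"
                     NotOnOrAfter="{not_on_or_after.strftime(fmt)}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(microsecond=0)
    validator = AssertionValidator(lambda element: True)  # stand-in for a real verifier
    validator.outstanding_requests.add("_req1")
    xml = sample_response("_a1", "_req1", now - timedelta(minutes=1), now + timedelta(minutes=5))
    print(validator.validate(xml, now))
```

The order matters: the signature check runs before any value from the assertion is trusted, and the replay cache is updated only after every other check has passed, so a rejected message cannot poison the cache.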
Common use cases include enterprise single sign-on at organizations like Bank of America, Walmart, and General Electric, federated research access in consortia like CERN (the European Organization for Nuclear Research), and consumer-facing authentication integrated by Salesforce, ServiceNow, and Workday. Open-source implementations include Shibboleth, SimpleSAMLphp, OpenSAML, and Keycloak from Red Hat, while commercial offerings are provided by Ping Identity, Okta, Inc., and OneLogin, all interoperating in federations such as InCommon and eduGAIN.
SAML is specified in a set of normative documents maintained by OASIS, and interoperates with specifications from W3C (XML Signature, XML Encryption), IETF (TLS, X.509), and policy languages like XACML. Conformance testing and interoperability events are organized by consortia including the Kantara Initiative, the OpenID Foundation, and national federations such as JISC and DFN. The ecosystem includes certifications and compliance regimes influenced by ISO/IEC standards and guidance from regulators such as the European Union Agency for Cybersecurity.
Category:Identity management