Generated by GPT-5-mini

| Security Assertion Markup Language (SAML) | |
|---|---|
| Name | Security Assertion Markup Language |
| Acronym | SAML |
| Developer | OASIS |
| Initial release | 2002 |
| Latest release | 2.0 |
| Status | Active |
Security Assertion Markup Language (SAML) is an XML-based framework for exchanging authentication and authorization data between parties, widely used for single sign-on and federated identity across enterprise and cloud environments. It enables identity providers and service providers to communicate assertions about subjects, facilitating seamless access across domains while reducing repeated credential entry. SAML underpins many commercial and governmental deployments and integrates with standards from major organizations and technology vendors.
SAML provides a standardized assertion format and protocol bindings that allow entities such as Microsoft Corporation, IBM, Oracle Corporation, Amazon Web Services, and Google to federate identity information, and enables interoperability among implementations from vendors like Okta, Ping Identity, Salesforce, VMware, and Auth0. The specification, maintained by OASIS, defines core concepts including assertions, protocols, bindings, and profiles that enable authentication, attribute sharing, and single logout across domains such as those operated by the US Department of Defense, the European Commission, the International Monetary Fund, the World Bank, and multinational enterprises. SAML assertions carry statements about subjects that can be consumed by relying parties, supporting scenarios where institutions including Harvard University, Stanford University, Massachusetts Institute of Technology, University of Oxford, and University of Cambridge rely on external identity providers.
SAML originated from work in the early 2000s by consortia including OASIS and contributors from companies such as Securant Technologies, Netegrity, Entrust, and RSA, with the first versions influenced by earlier initiatives like the Liberty Alliance and specifications from MIT. Key milestones include the SAML 1.0 and SAML 1.1 releases, followed by SAML 2.0, which incorporated concepts from the Shibboleth project and the Liberty Alliance Project, enabling broader adoption by academic federations (for example, InCommon and eduGAIN). Government and standards bodies such as NIST referenced SAML in identity frameworks, and major software vendors implemented SAML in products used across sectors including finance (for example, Goldman Sachs) and healthcare (for example, Mayo Clinic).
The SAML architecture centers on three logical roles: the identity provider, the service provider, and the subject, implemented by software from organizations including Microsoft Corporation, Oracle Corporation, IBM, Red Hat, and VMware. Core components include SAML assertions, SAML protocols, and SAML bindings, with XML-based formats signed and optionally encrypted using standards from W3C and IETF, leveraging technologies like XML Signature and XML Encryption. Profiles such as Web Browser SSO map assertions and bindings to use cases, and metadata exchange, managed by bodies like eduGAIN and federations such as InCommon, describes endpoints and keys, enabling interoperability among systems deployed by institutions like NASA, the European Space Agency, the United Nations, and corporations such as Cisco Systems.
SAML defines protocols for request/response interactions and profiles that tailor those protocols to real-world scenarios, including Web Browser SSO, Enhanced Client or Proxy, and Single Logout, used by vendors like Okta, Ping Identity, and OneLogin. Bindings map protocols to transport mechanisms such as HTTP Redirect, HTTP POST, and SOAP, which are leveraged by enterprise identity solutions from IBM, Oracle Corporation, Microsoft Corporation, and cloud providers including Amazon Web Services and Google. Profiles are applied in federation deployments across academic and government federations such as InCommon, eduGAIN, GÉANT, and national identity schemes in countries such as the United Kingdom, Germany, Australia, and India.
SAML security depends on proper use of XML Signature, XML Encryption, TLS, and secure key management practices advocated by standards bodies such as NIST and organizations including OWASP. Threats observed in deployments used by enterprises like JP Morgan Chase, Bank of America, and health systems like Kaiser Permanente include assertion replay, signature wrapping, XML external entity (XXE) vulnerabilities, and misconfiguration leading to token spoofing. Mitigations adopted by vendors and projects, implemented in solutions from ForgeRock, Red Hat, Ping Identity, and Okta, include strict schema validation, audience restriction, assertion expiration, TLS mutual authentication, and automated metadata verification used in federations such as InCommon and government identity programs.
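The mitigations listed above are mostly checks a service provider performs after it has cryptographically verified the XML signature. The following is an added example (not code from the page or from any vendor named on it) of those post-verification checks on a SAML 2.0 Response: refusing DTDs before parsing (XXE), requiring exactly one assertion whose signature Reference points at its own unique ID (signature wrapping), enforcing the validity window and audience restriction, matching InResponseTo, and tracking consumed assertion IDs (replay). The sample response, the audience URL and the request ID are constructed; signature verification itself is assumed to have been done by a library such as xmlsec.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SEEN_IDS = set()  # replay cache; a real SP needs a shared store with expiry

def _ts(value):  # SAML dateTime values are UTC with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text, audience, in_response_to, now, seen=SEEN_IDS):
    """Return (ok, reason). Assumes the XML signature was already verified
    cryptographically; these are the policy checks verification alone lacks."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return False, "DTD/entities not allowed (XXE)"  # refuse before parsing
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False, "expected exactly one Assertion"
    a = assertions[0]
    aid = a.get("ID")
    # Signature wrapping: the signed Reference must point at this Assertion
    # and no other element in the document may carry the same ID
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != f"#{aid}":
        return False, "Signature does not cover this Assertion"
    if sum(1 for e in root.iter() if e.get("ID") == aid) != 1:
        return False, "duplicate assertion ID"
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False, "missing expiry"
    t = _ts(now)
    if t >= _ts(cond.get("NotOnOrAfter")) or t < _ts(cond.get("NotBefore", "1970-01-01T00:00:00Z")):
        return False, "assertion outside validity window"
    if audience not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return False, "audience mismatch"
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != in_response_to:
        return False, "InResponseTo mismatch"
    if aid in seen:  # replay: each assertion ID may be consumed once
        return False, "replayed assertion"
    seen.add(aid)
    return True, "ok"

# Constructed sample response (not from any real deployment); SignatureValue omitted
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<saml:Assertion ID="_a1"><ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
<saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData InResponseTo="_req1"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"><saml:AudienceRestriction>
<saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
```

Calling `validate_response(SAMPLE, "https://sp.example.com", "_req1", "2024-01-01T00:01:00Z")` accepts the sample once and rejects the same assertion ID on a second call.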
SAML is implemented in identity and access management products from vendors including Microsoft Corporation (Active Directory Federation Services), Oracle Corporation (Identity Federation), IBM (Tivoli Federated Identity Manager), CA Technologies, and open-source projects such as Shibboleth, SimpleSAMLphp, Keycloak, and OpenSAML. Use cases span single sign-on for enterprise applications in corporations like Accenture, Deloitte, and PwC, research and education federations such as InCommon and eduGAIN, cloud service access for providers like Salesforce and ServiceNow, and government e-services in jurisdictions including the United States, the European Union, Canada, and Australia. Vertical deployments include banking at institutions like HSBC and Citigroup, healthcare networks like Cleveland Clinic, and public sector portals managed by agencies such as GOV.UK and the US Department of Homeland Security.
Interoperability testing and conformance are coordinated by consortia and events involving OASIS, the Liberty Alliance Project, academic federations such as InCommon and eduGAIN, and vendors including Microsoft Corporation, IBM, Oracle Corporation, Okta, and Ping Identity. Compliance relies on adherence to related specifications from W3C, IETF, and guidelines from NIST, with metadata-driven federation practices used by organizations like GÉANT and national research networks. Ongoing efforts maintain compatibility across SAML implementations while integrating with protocols such as OAuth 2.0 and OpenID Connect in hybrid identity architectures used by cloud providers and enterprise integrators like Amazon Web Services, Google, and Microsoft Azure.