Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, that is, an identity provider, and a SAML consumer, that is, a service provider. SAML 2.0 enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO), which helps reduce the administrative overhead of distributing multiple authentication tokens to the user. [https://www.youtube.com/watch?feature=player_embedded&v=50ogFCF56qE]

SAML 2.0 was ratified as an OASIS Standard in March 2005, replacing SAML 1.1. The critical aspects of SAML 2.0 are covered in detail in the official documents SAMLConform, SAMLCore, SAMLBind and SAMLProf. Some 30 individuals from more than two dozen companies and organizations were involved in the creation of SAML 2.0. In particular, and of special note, Liberty Alliance donated its Identity Federation Framework (ID-FF) specification to OASIS, which became the basis of the SAML 2.0 specification. Thus SAML 2.0 represents the convergence of SAML 1.1, Liberty ID-FF 1.2 and Shibboleth 1.3.

==SAML 2.0 Assertions==

An assertion is a package of information that supplies zero or more statements made by a SAML authority. SAML assertions are usually made about a subject, represented by the

* Authentication Assertion: the assertion subject was authenticated by a particular means at a particular time.
* Attribute Assertion: the assertion subject is associated with the supplied attributes.
* Authorization Decision Assertion: a request to allow the assertion subject to access the specified resource has been granted or denied.

An important type of SAML assertion is the so-called "bearer" assertion used to facilitate Web Browser SSO.
Here is an example of a short-lived bearer assertion issued by an identity provider ( and an Attribute Assertion, which presumably the service provider uses to make an access control decision. The prefix saml: represents the SAML V2.0 assertion namespace.

Note that in the above example the element contains the following child elements:

* a element, which contains the unique identifier of the identity provider
* a element, which contains an integrity-preserving digital signature (not shown) over the element
* a element, which identifies the authenticated principal (but in this case the identity of the principal is hidden behind an opaque transient identifier, for reasons of privacy)
* a element, which gives the conditions under which the assertion is to be considered ''valid''
* a element, which describes the act of authentication at the identity provider
* a element, which asserts a multi-valued attribute associated with the authenticated principal

In words, the assertion encodes the following information: The assertion ("b07b804c-7c29-ea16-7300-4f3d6f7928ac") was issued at time "2004-12-05T09:22:05Z" by identity provider ( The authentication statement, in particular, asserts the following: The principal identified in the Likewise the attribute statement asserts that: The principal identified in the

Source: the free encyclopedia Wikipedia. Read the full text of the article "SAML 2.0" on Wikipedia.
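As an added example, not taken from the article, the following Python sketches the checks a service provider would run over the child elements listed above (issuer and signature present, bearer subject confirmation, validity window and audience in the conditions, attribute extraction) against a constructed bearer assertion. Hosts, IDs, timestamps and attribute values are made up, and the signature is only checked for presence; verifying its value needs an XML-DSig library.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample bearer assertion; hosts, IDs, times and attribute values are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_sample-id" Version="2.0" IssueInstant="2004-12-05T09:22:05Z">
 <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
 <ds:Signature><ds:SignatureValue>omitted-in-sample</ds:SignatureValue></ds:Signature>
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">3f7b3dcf</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>
 <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z">
  <saml:AudienceRestriction><saml:Audience>https://sp.example.com/SAML2</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AuthnStatement AuthnInstant="2004-12-05T09:22:00Z"/>
 <saml:AttributeStatement><saml:Attribute Name="eduPersonAffiliation">
  <saml:AttributeValue>member</saml:AttributeValue><saml:AttributeValue>staff</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

def parse_ts(s):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def evaluate_assertion(xml_text, expected_audience, now):
    """Return (accepted, reasons, attributes) after checking the child elements the text lists.
    Only the presence of the Signature is checked here; verifying it needs an XML-DSig library."""
    a = ET.fromstring(xml_text)
    cond = a.find("saml:Conditions", NS)
    conf = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)] if cond is not None else []
    checks = [  # (passed, reason to report when it did not pass)
        (a.find("saml:Issuer", NS) is not None, "missing Issuer"),
        (a.find("ds:Signature", NS) is not None, "missing Signature"),
        (conf is not None and conf.get("Method") == BEARER, "subject is not bearer-confirmed"),
        (cond is not None, "missing Conditions"),
        (cond is None or now >= parse_ts(cond.get("NotBefore", "1970-01-01T00:00:00Z")), "not yet valid"),
        (cond is None or now < parse_ts(cond.get("NotOnOrAfter", "9999-12-31T23:59:59Z")), "expired"),
        (expected_audience in audiences, "audience mismatch"),
    ]
    reasons = [msg for ok, msg in checks if not ok]
    # Multi-valued attributes come back as lists, as in the article's attribute statement.
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return (not reasons, reasons, attrs)
```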