What is SAML

Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication data, and to a limited extent authorization data, between an identity provider and a service provider. For fine-grained authorization policy the companion OASIS standard XACML is the recommended tool.
SAML is the usual way to achieve SSO (Single Sign-On) for web applications. SAML messages are carried by bindings: the SOAP binding (SOAP 1.1) for back-channel exchanges, and the HTTP Redirect, HTTP POST and HTTP Artifact bindings used for browser SSO. All of them run over [HTTP](Networking/OSI-Layers/Layer-7/Protocols).

Security mechanisms SAML uses

XML Digital Signature (XML-DSig): the IdP signs the Response and/or the Assertion, giving the SP origin authentication and integrity; the SP verifies the signature with the certificate published in the IdP's metadata. XML Encryption: SAML 2.0 defines encrypted name identifiers (EncryptedID), encrypted attributes (EncryptedAttribute) and encrypted assertions (EncryptedAssertion), so the browser that relays the message cannot read their contents.

How SAML works

SSO authentication process involves these 3 parties:
a. Principal/Subject: the user (or system) whose identity needs to be authenticated
b. Identity Provider (IdP): authenticates the principal and issues assertions about it. Methods: username/password, multi-factor auth, usually backed by a directory or AAA store such as AD, LDAP or RADIUS
c. Service Provider (SP): the (often cloud-hosted) application or service the user wants to use; it trusts the IdP's assertions instead of holding passwords itself. Eg: Gmail, AWS (IAM SAML federation)
3 types of SAML queries an SP can send to an IdP: authentication query (the AuthnRequest used for SSO), attribute query, authorization decision query

Message Exchange


Principal/User (browser)                SP (Service Provider)                 IdP (Identity Provider)
   |--- 1. request protected resource --->|                                      |
   |<-- 2. redirect carrying AuthnRequest-|                                      |
   |--- 3. deliver AuthnRequest (HTTP Redirect or POST binding) --------------->|
   |<------------------------ 4. login page ------------------------------------|
   |------------------------- 5. username / password (+ MFA) ------------------>|
   |<------------------------ 6. Response with signed Assertion ---------------|
   |--- 7. POST Response to SP's ACS URL ->|                                      |
   |<-- 8. session established ------------|                                      |
   |--- 9. access cloud service ---------->|                                      |

In the browser SSO profile the SP and IdP never talk to each other directly: every message is relayed by the user's browser. That is why the Response/Assertion must be signed by the IdP (step 6) and why the SP must validate it (InResponseTo, Destination, validity window, audience, signature) before creating a session (step 8).
        

SAML Request, Response Example


SP (service provider)                                         Identity Provider
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="asknalskn"                               // Unique identifier generated by the SP; the SP must remember it
    Version="2.0"
    IssueInstant="2017-02-02T12:56:00Z"          // UTC time the request was issued (xs:dateTime)
    Destination="..."                            // URL of the IdP's single sign-on endpoint
    AssertionConsumerServiceURL="..."            // SP endpoint the Response must be delivered to once the user is authenticated
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>...</saml:Issuer>                 // Entity ID of the SP
</samlp:AuthnRequest>                                         ------------------------>

SP (service provider)                                         Identity Provider
                                                    <samlp:Response
                                                        ID="..." Version="2.0" IssueInstant="..."
                                                        InResponseTo="asknalskn"      // Must equal the ID of the AuthnRequest the SP sent
                                                        Destination="...">            // The SP's assertion consumer service URL
                                                      <saml:Issuer>...</saml:Issuer>  // Entity ID of the IdP
                                                      <samlp:Status>...</samlp:Status> // urn:oasis:names:tc:SAML:2.0:status:Success on success
                                                      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="...">
                                                        <ds:Signature>...</ds:Signature>  // A Response may carry one or more assertions, each signed
                                                        <saml:Subject>...</saml:Subject>
                                                        <saml:Conditions NotBefore="2017-02-02T12:56:00Z" NotOnOrAfter="2017-02-02T13:01:00Z"> // Validity window of the assertion
                                                          <saml:AudienceRestriction>...</saml:AudienceRestriction>  // The SP this assertion is meant for
                                                        </saml:Conditions>
                                                        ...
                                                      </saml:Assertion>
            <-----------------------                 </samlp:Response>
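Added example, not part of these notes: the Python below builds the AuthnRequest sketched above with the standard library, encodes it the way the HTTP-Redirect binding requires (raw DEFLATE, base64, URL-encoding) for step 3 of the message exchange, and then decodes and parses it as the IdP would. The entity IDs and URLs (sp.example.com, idp.example.com) are placeholders.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Placeholder endpoints for the example (assumed, not real services).
SP_ENTITY_ID = "https://sp.example.com/metadata"
ACS_URL = "https://sp.example.com/acs"
IDP_SSO_URL = "https://idp.example.com/sso"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None, issue_instant=None):
    """Build a minimal SP-initiated <samlp:AuthnRequest>.

    The SP must store request_id (e.g. in the user's session) so that it can
    later check the Response's InResponseTo attribute against it.
    """
    # xs:ID values may not start with a digit, hence the leading underscore.
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc)
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ"),  # UTC xs:dateTime
        "Destination": idp_sso_url,                # IdP endpoint this request is meant for
        "AssertionConsumerServiceURL": acs_url,    # where the IdP must send the Response
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")


def encode_redirect_binding(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode.

    Returns the query string to append to the IdP's SSO URL.
    """
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw DEFLATE stream
    deflated = deflater.compress(xml_text.encode("utf-8")) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state  # opaque value the IdP returns to the SP unchanged
    return urlencode(params)


def decode_redirect_binding(query_string):
    """What the IdP does with the query string: URL-decode, base64-decode, inflate."""
    saml_request = parse_qs(query_string)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def parse_authn_request(xml_text):
    """Extract the fields the IdP needs to act on (and validate) the request.

    A real IdP also checks that Destination is its own SSO URL and that Issuer
    and AssertionConsumerServiceURL match a registered SP.
    """
    req = ET.fromstring(xml_text)
    if req.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return {
        "ID": req.get("ID"),
        "IssueInstant": req.get("IssueInstant"),
        "Destination": req.get("Destination"),
        "AssertionConsumerServiceURL": req.get("AssertionConsumerServiceURL"),
        "Issuer": req.findtext(f"{{{SAML}}}Issuer"),
    }


if __name__ == "__main__":
    xml = build_authn_request(SP_ENTITY_ID, ACS_URL, IDP_SSO_URL)
    query = encode_redirect_binding(xml, relay_state="/dashboard")
    print(f"{IDP_SSO_URL}?{query}")            # the Location header of the SP's 302 redirect
    print(parse_authn_request(decode_redirect_binding(query)))
```

The HTTP-POST binding differs only in transport: the same XML is base64-encoded without DEFLATE and sent in a SAMLRequest form field. Requests sent over the Redirect binding are usually signed via separate SigAlg and Signature query parameters rather than an embedded XML-DSig, which this example leaves out.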
        

SAML Assertion

An assertion is the package of claims the IdP makes about a principal; it is the message that tells a service provider that a user is signed in.
It also carries what the SP needs to validate it: the issuer (source of the assertion), the issue time, the subject, and conditions such as the validity window (NotBefore/NotOnOrAfter) and the intended audience (the SP's entity ID).
An assertion can hold 3 kinds of statements:
1. Authentication statements: assert to the service provider that the principal did indeed authenticate with the identity provider, including when and by which method
2. Attribute statements: the principal is associated with certain attributes (name/value pairs), e.g. email or group memberships
3. Authorization decision statements: the principal is permitted to perform action A on resource R given evidence E (rarely used in practice; fine-grained policy is left to XACML)
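Added example, not from these notes: the checks an SP should run on a Response and its Assertion before trusting the statements above (InResponseTo, Destination, Status, signature presence, Conditions window, Audience), written against a constructed sample Response with the Python standard library. The URLs, IDs and attribute values are made up; the <ds:Signature> element is a placeholder whose cryptography is deliberately not verified here, so a real SP must add XML-DSig verification against the IdP's metadata certificate.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed SP identity for the example (placeholders, not real services).
SP_ENTITY_ID = "https://sp.example.com/metadata"
ACS_URL = "https://sp.example.com/acs"

# Constructed sample Response, not a capture from a real IdP. The ds:Signature
# is a placeholder: only its presence is checked below.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2017-02-02T12:56:30Z"
    InResponseTo="_req1" Destination="https://sp.example.com/acs">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-02-02T12:56:30Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2017-02-02T12:56:00Z" NotOnOrAfter="2017-02-02T13:01:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2017-02-02T12:56:20Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"><saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse the UTC xs:dateTime form SAML uses ("2017-02-02T12:56:00Z")."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_request_id, acs_url, sp_entity_id, now):
    """Return (NameID, attributes) from a Response the SP may trust, else raise ValueError.

    `now` may be a timezone-aware datetime or a string in SAML's UTC format.
    """
    now = _ts(now) if isinstance(now, str) else now
    resp = ET.fromstring(xml_text)
    if resp.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    # Ties the Response to the AuthnRequest we issued; stops replay/unsolicited responses.
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    if resp.get("Destination") != acs_url:
        raise ValueError("Destination is not our assertion consumer service URL")
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("IdP did not report Success")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.find("ds:Signature", NS) is None:
        raise ValueError("Assertion is not signed")  # presence only; verify XML-DSig in production
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    # NotBefore is inclusive, NotOnOrAfter is exclusive (per the SAML core spec).
    if now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("Assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("Assertion was issued for a different SP")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {
        att.get("Name"): [v.text for v in att.findall("saml:AttributeValue", NS)]
        for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return name_id, attrs


def rejection_reason(*args):
    """Same checks, returning the failure message (or None) instead of raising."""
    try:
        validate_response(*args)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, "_req1", ACS_URL, SP_ENTITY_ID, "2017-02-02T12:57:00Z"))
    print(rejection_reason(SAMPLE_RESPONSE, "_req1", ACS_URL, SP_ENTITY_ID, "2017-02-02T13:01:00Z"))
```

The order matters: the structural and freshness checks run before any use of the subject or attributes, and the signature check must cover the exact element whose content is consumed, since a signed Response wrapping an unsigned Assertion (or vice versa) is the classic SAML mistake. A production SP also records the Assertion ID until NotOnOrAfter to reject replays within the window.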