安全主张标记语言(英语:Security Assertion Markup Language,简称SAML,发音)是一个基于XML的开源标准数据格式,它在当事方之间交换身份验证和授权数据,尤其是在身份提供者(英语:Identity provider)和服务提供者之间交换。SAML是OASIS安全服务技术委员会的一个产品,始于2001年。其最近的主要更新发布于2005年,但协议的增强仍在通过附加的可选标准稳步增加。
SAML解决的最重要的需求是网页浏览器单点登录(SSO)。单点登录在内部网层面比较常见,(例如使用Cookie),但将其扩展到内部网之外则一直存在问题,并使得不可互操作的专有技术激增。(另一种近日解决浏览器单点登录问题的方法是OpenID Connect(英语:OpenID Connect)协议)
SAML规范定义了三个角色:委托人(通常为一名用户)、身份提供者(英语:Identity provider)(IdP),服务提供者(SP)。在用SAML解决的使用案例中,委托人从服务提供者那里请求一项服务。服务提供者请求身份提供者并从那里并获得一个身份主张。服务提供者可以基于这一主张进行访问控制的判断——即决定委托人是否有权执行某些服务。
在将身份主张发送给服务提供者之前,身份提供者也可能向委托人要求一些信息——例如用户名和密码,以验证委托人的身份。SAML规范了三方之间的主张,尤其是主张身份消息是由身份提供者传递给服务提供者。在SAML中,一个身份提供者可能提供SAML主张给许多服务提供者。同样的,一个服务提供者可以依赖并信任许多独立的身份提供者的主张。
SAML没有规定身份提供者的身份验证方法;他们大多使用用户名和密码,但也有其他验证方式,包括采用多重要素验证。诸如轻型目录访问协议、RADIUS和Active Directory等目录服务允许用户使用一组用户名和密码登录,这是身份提供者使用身份验证令牌的一个典型来源。许多流行的互联网社交网络服务也提供身份验证服务,理论上他们也可以支持SAML交换。
OASIS安全服务技术委员会(SSTC)于2001年1月首次举行会议,提出“定义一个用于交换身份验证和授权的XML框架。”为完成此目标,下列知识产权在该年的头两个月内向SSTC进行了捐献:
在这项工作的基础上,OASIS于2002年11月宣布“安全主张标记语言”(SAML)V1.0规范成为一个OASIS标准。
与此同时,大型企业、非营利及政府组织的联盟Liberty Alliance(英语:Liberty Alliance)提出了一个扩展SAML标准的“自由联盟统一联合框架”(ID-FF)。与其前身SAML类似,Liberty ID-FF提出了一个标准化、跨域、基于Web的单点登录框架。此外,Liberty描绘了一个“信任圈”(circle of trust),其中每个参与域被信任将准确记录识别用户的过程、所使用的身份验证类型,以及任何与生成身份验证凭据相关的策略。信任圈中的其他成员可以查验这些策略,以决定是否信任此类信息。
虽然ID-FF开发了Liberty,SSTC已开始小规模升级到SAML规范。这使得SSTC在2003年9月批准了SAML V1.1规范。在同月,Liberty将ID-FF贡献至OASIS,从而为SAML下一版本奠基。2005年3月,SAML V2.0被宣布成为一项OASIS标准。SAML V2.0意味着Liberty ID-FF及其他专有扩展的收敛,以及包括SAML本身的早期版本。大多数SAML实现支持V2.0,并也大多支持V1.1以实现向后兼容。截至2008年1月,SAML V2.0的开发已在政府、高等教育和全球商业企业中普遍存在。
SAML自V1.0以来已进行一次重大及一次次要修订。
Liberty Alliance在2003年9月将其自由联盟统一联合框架(ID-FF)贡献至OASIS SSTC:
SAML的1.0和1.1版本很类似,仅存在微小差异。
SAML 2.0与SAML 1.1则有着实质性的差异。虽然两者都是解决相同的使用案例,但SAML 2.0与1.1并不兼容。
尽管ID-FF 1.2已作为SAML 2.0的基础贡献至OASIS,但在SAML 2.0与ID-FF 1.2之间有着一些重要的差异。尤其是尽管这两个规范同根同源,但两者并不兼容。
SAML 创建在一些现有标准之上:
SAML很大程度上依赖超文本传输协议作为其通信协议。
SAML定义了基于XML的主张、协议、绑定和配置。术语SAML核心(SAML Core)指SAML主张的一般语法和语义,以及用于请求和在系统实体间传输这些主张的协议。SAML协议指谁来传输,而不是如何传输(后者由所选择的绑定决定)。因此SAML核心只定义了“纯粹的”SAML主张,以及SAML的请求和响应元素。
SAML绑定决定SAML请求和响应如何映射到标准的消息或通信协议。一个重要的、同步的绑定是SAML SOAP绑定。
SAML配置是使用特定主张、协议和绑定组成的适用于所定义使用情况的一个具体表现形式。
一个SAML主张包含一个安全信息包:
<saml:Assertion ...> .. </saml:Assertion>
简而言之,依赖方按下述方式解释一个主张:
主张是在条件 有效的前提下由发布者 关于主题在时间
SAML主张通常从IdP传送到SP。主张包括一些SP用来做权限控制的。SAML提供如下三种语句:
会向SP主张,该委托人确实被IdP在一个特定的时间通过一个特定的认证方式成功认证。关于该被认证的委托人的其他信息(也叫)也可能会包含在一条身份验证声明中。
明会主张,一个主题和一些属性关联。一个属性是一个简单的键值对。依赖方使用属性来实现访问控制。
授权决策声明会主张,在证据下一个主题是否被允许在资源上执行动作。SAML中的授权决策声明的功能被有意的限制了,因为在更高级的使用场景中更推荐使用XACML。
A SAML describes how certain SAML elements (including assertions) are packaged within SAML request and response elements, and gives the processing rules that SAML entities must follow when producing or consuming these elements. For the most part, a SAML protocol is a simple request-response protocol.
The most important type of SAML protocol request is called a . A service provider makes a query directly to an identity provider over a secure back channel. Thus query messages are typically bound to SOAP.
Corresponding to the three types of statements, there are three types of SAML queries:
Of these, the is perhaps most important (and still the object of much research). The result of an attribute query is a SAML response containing an assertion, which itself contains an attribute statement. See the SAML 2.0 topic for an example of attribute query/response(英语:SAML 2.0#SAML Attribute Query).
Beyond queries, SAML 1.1 specifies no other protocols.
SAML 2.0 expands the notion of considerably. The following protocols are described in detail in SAML 2.0 Core:
Most of these protocols are completely new in SAML 2.0.
A SAML is a mapping of a SAML protocol message onto standard messaging formats and/or communications protocols. For example, the SAML SOAP binding specifies how a SAML message is encapsulated in a SOAP envelope, which itself is bound to an HTTP message.
SAML 1.1 specifies just one binding, the SAML SOAP Binding. In addition to SOAP, implicit in SAML 1.1 Web Browser SSO are the precursors of the HTTP POST Binding, the HTTP Redirect Binding, and the HTTP Artifact Binding. These are not defined explicitly, however, and are only used in conjunction with SAML 1.1 Web Browser SSO. The notion of binding is not fully developed until SAML 2.0.
SAML 2.0 completely separates the binding concept from the underlying profile. In fact, there is a brand new binding specification in SAML 2.0(英语:SAML 2.0#SAML 2.0 Bindings) that defines the following standalone bindings:
This reorganization provides tremendous flexibility: taking just Web Browser SSO alone as an example, a service provider can choose from four bindings (HTTP Redirect, HTTP POST and two flavors of HTTP Artifact), while the identity provider has three binding options (HTTP POST plus two forms of HTTP Artifact), for a total of twelve (12) possible deployments of the SAML 2.0 Web Browser SSO Profile.
A SAML describes in detail how SAML assertions, protocols, and bindings combine to support a defined use case. The most important SAML profile is the Web Browser SSO Profile.
SAML 1.1 specifies two forms of Web Browser SSO, the Browser/Artifact Profile and the Browser/POST Profile. The latter passes assertions whereas Browser/Artifact passes assertions . As a consequence, Browser/Artifact requires a back-channel SAML exchange over SOAP. In SAML 1.1, all flows begin with a request at the identity provider for simplicity. Proprietary extensions to the basic IdP-initiated flow have been proposed (by Shibboleth(英语:Shibboleth (Internet2)), for example).
The Web Browser SSO Profile was completely refactored for SAML 2.0. Conceptually, SAML 1.1 Browser/Artifact and Browser/POST are special cases of SAML 2.0 Web Browser SSO. The latter is considerably more flexible than its SAML 1.1 counterpart due to the new "plug-and-play" binding design of SAML 2.0. Unlike previous versions, SAML 2.0 browser flows begin with a request at the service provider. This provides greater flexibility, but SP-initiated flows naturally give rise to the so-called problem, the focus of much research today. In addition to Web Browser SSO, SAML 2.0 introduces numerous new profiles:
Aside from the SAML Web Browser SSO Profile, some important third-party profiles of SAML include:
SAML规范推荐、并在某些情况下要求各种安全机制:
Requirements are often phrased in terms of (mutual) authentication, integrity, and confidentiality, leaving the choice of security mechanism to implementers and deployers.
SAML的主要用途是“网页浏览器单点登录(SSO)。A user wielding a (usually a web browser) requests a web resource protected by a SAML . The service provider, wishing to know the identity of the requesting user, issues an authentication request to a SAML through the user agent. The resulting protocol flow is depicted in the following diagram.
https://sp.example.com/myresourceThe service provider performs a security check on behalf of the target resource. If a valid security context at the service provider already exists, skip steps 2–7.
https://idp.example.org/SAML2/SSO/Redirect?SAMLRequest=requestThe value of the
SAMLRequest parameter is the Base64 encoding of a deflated <samlp:AuthnRequest> element.SAMLRequest parameter is taken from the URL query string at step 2. The SSO service processes the AuthnRequest and performs a security check. If the user does not have a valid security context, the identity provider identifies the user (details omitted). <form method="post" action="https://sp.example.com/SAML2/SSO/POST" ...> <input type="hidden" name="SAMLResponse" value="response" /> ... <input type="submit" value="Submit" /> </form>SAMLResponse parameter is the base64 encoding of a <samlp:Response> element.SAMLResponse parameter is taken from the XHTML form at step 4.https://sp.example.com/myresource
In SAML 1.1, the flow begins with a request to the identity provider's inter-site transfer service at step 3.
In the example flow above, all depicted exchanges are , that is, an HTTP user agent (browser) communicates with a SAML entity at each step. In particular, there are no or direct communications between the service provider and the identity provider. Front-channel exchanges lead to simple protocol flows where all messages are passed using a simple HTTP binding (GET or POST). Indeed, the flow outlined in the previous section is sometimes called the .
Alternatively, for increased security or privacy, messages may be passed . For example, an identity provider may supply a reference to a SAML assertion (called an ) instead of transmitting the assertion directly through the user agent. Subsequently, the service provider requests the actual assertion via a back channel. Such a back-channel exchange is specified as a SOAP message exchange (SAML over SOAP over HTTP). In general, any SAML exchange over a secure back channel is conducted as a SOAP message exchange.
On the back channel, SAML specifies the use of SOAP 1.1. The use of SOAP as a binding mechanism is optional, however. Any given SAML deployment will choose whatever bindings are appropriate.
