Home > Articles > Programming

  • Print
  • + Share This
Like this article? We recommend

SAML (Security Assertion Markup Language)

SAML strives to provide a standard methodology to represent a principal's authentication and authorization information in XML format. This information can then be exchanged across intranets and the Internet. Thus, it enables sharing security and profile information across different segments involved in business (for example, customers, partners, and suppliers), regardless of their own enterprise security frameworks.

SAML is pioneered by OASIS, a non-profit organization for defining and promoting interoperable XML standards. It is a hybrid synthesis between two competing standards: AuthXML (from Securant/RSA to OASIS) and S2ML (from W3C and OASIS).

The SAML 1.0 specification set, released in Feb 2002, covers

  • Assertions: XML schema and definitions for exchanging security "assertions" across the services

  • Request/response protocol: XML schema and definitions for request/response model of transmitting security information

  • Bindings: specific SOAP calls over HTTP for transmitting SAML requests and responses

  • Profiles: for implanting and extracting SAML assertions

  • Security considerations: while using SAML

  • Conformance guidelines

  • A Test suite: use cases and requirements

In order to achieve single sign-on capability in Web services (which is what SAML is all about), the participating services should all be SAML-compliant.

Concept of Assertions

As the name suggests, the concept of assertions lies at the very root of SAML.

So, what is an assertion?

An assertion is a declaration of certain facts (statements) about a principal (subject). For example, an assertion can be made that a particular client was granted update and insert privileges to a specific database resource at a certain time.

The authority that issues assertions is known as the issuing authority. Applications and services, which trust the issuing authority and make use of its services, are called relying parties.

SAML makes use of the assertions concept to exchange security information across disparate systems and services. In a typical SAML cycle, the relying party, which needs to authenticate a specific client request, sends a SAML-based SOAP request to its issuing authority. The authority responds with a SAML assertion, which affirms the relying party with the security information requested.

There are mainly three kinds of assertions in the SAML realm. Regardless of their type, all SAML assertions include the following information:

  • Issuing authority and its timestamp

  • Assertion ID

  • Subject (Name + Security domain)

  • Terms and conditions against which the current assertion is valid (assertion validity timeframe, audience restriction, target restriction, and so on)

  • Additional "advice" (information on how the assertion was made, and so on)

Let's look at a typical SAML assertion with the above information, as shown in Figure 2.

Figure 2Figure 2 SAML assertion with common elements.

Types of Assertions

The three major types of SAML assertion are

  • Authentication assertion. This assertion says that a specific subject was authenticated by the issuing authority at a given time. (Example: Subject A has been authenticated by means of methodology B at time C.)

  • A typical authentication assertion looks like Figure 3.

    Figure 3Figure 3 SAML authentication assertion.

    One interesting fact is that the SAML authentication assertion merely informs you about an act of authentication that took place at a given time! It does not define any specific requirements or specifications for the actual authentication methodologies deployed (such as username-password checks, and so on). As of SAML 1.0, password exchange, challenge-response, and so on are not within the scope of SAML.

  • Attribute assertion. This assertion describes specific attributes of a subject as name-value pairs. (Example: Subject A has been associated with attributes B, C, and D; and with values E, F, and H at the time of this assertion.)

    A typical authentication assertion looks like the one shown in Figure 4.

    Figure 4Figure 4 SAML attribute assertion.

  • Authorization decision assertion. This assertion says whether a given subject has been granted specific permissions to access a particular resource. (Example: Can subject A with evidence B be permitted to access resource C with privilege D at this time E?)

Let's look at a typical authorization decision assertion, as shown in Figure 5. (In all the preceding examples, please note that subject A can be an actual user or a Web service.)

Figure 5Figure 5 SAML authorization decision assertion.

SAML does have the flexibility to extend this assertion framework and include custom-defined assertions based on the business need. But this comes at the cost of non-conformance to common and accepted standards.

If the issuing authority is hosted in a different domain, then the assertions can be digitally signed in order to ensure the authenticity of assertions. We will be looking at digital signatures later in this series.

SAML In Action

Let's look at the famous Producer—Consumer model of SAML interactions between the issuing authority and the relying party. (Have a look at Figure 6.)

Figure 6Figure 6 SAML Producer—Consumer model.

The cycle is as follows: The end user credentials are collected from the system entity by a credential collector and passed on to the relevant SAML issuing authorities. The authorities issue appropriate assertions, based on the policies that bind them. The assertions are then assembled into an SAML token.

Not all client requests need to go through all of these authorities, and the coordination among different authorities is not mandatory.

During the actual application request to access a specific resource, the system entity has to append the corresponding SAML token issued by the authorities. The policy enforcement point intercepts the request, and submits the SAML token to relevant SAML authority to decide whether the request can succeed or not.

SAML—Protocol Bindings and Profiles

Bindings define the standard way that SAML request/response messages should be transported across the authorities and parties by providing mappings between SAML messages and standard communication protocols. For example, the way to map SAML with SOAP over HTTP protocols has been defined; this paves the way for exchanging SAML information across several Web services in a standard manner.

A profile describes how SAML assertions are embedded into and extracted out of standard frameworks and protocol. Web browser profiles for single sign-on and SOAP profiles for securing SOAP payloads are some of the profiles defined.

Future of SAML

Products and toolkits that support the SAML infrastructure have started arriving in the market. Netegrity's JSAML toolkit is one of the earliest entrants in the foray. Check out http://www.netegrity.com/products for details.

From the Java/J2EE side, the Java Community Process is working on two Java specification requests (JSR 115 and JSR 155), which are associated with SAML. JSR 155, which attempts to provide a standard Java API over Web service security assertion, is likely to become the standard for incorporating SAML into Java/J2EE applications.

Also, efforts are underway to define Web service standards for J2EE containers and components (Java enterprise Web services—JSR 109). In combination with JSR 115—meant for defining Java authorization service provider contracts for containers—this will result in standardization of authentication and authorization APIs within J2EE. On this basis, it is widely believed that in the near future, many J2EE vendors will adopt SAML as the standard means of exchanging security assertions between distributed components and runtime environments.

One of the biggest stumbling blocks for SAML's widespread recognition and adoption is its notable omission from WS-Security—a major Web service security framework initiative from Microsoft/IBM. For details, see http://www-106.ibm.com/developerworks/library/ws-secmap.

Unless these two major vendors support SAML in the near future, its usage may be seriously limited to the Java sphere.

  • + Share This
  • 🔖 Save To Your Account

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020