SAML Basics
Last updated
Last updated
Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). What that jargon means is that you can use one set of credentials to log into many different websites. It’s much simpler to manage one login per user than it is to manage separate logins to email, customer relationship management (CRM) software, Active Directory, etc.
SAML transactions use Extensible Markup Language (XML) for standardized communications between the identity provider and service providers. SAML is the link between the authentication of a user’s identity and the authorization to use a service. (From )
OAuth is a slightly newer standard that was co-developed by Google and Twitter to enable streamlined internet logins. OAuth uses a similar methodology as SAML to share login information. SAML provides more control to enterprises to keep their SSO logins more secure, whereas OAuth is better on mobile and uses JSON.
Step 1 - We try to access some protected resource
Step 2 - The server where that resource resides (Service Provider) doesn’t know us, so it generates a SAML Request to be sent to the Identity Provider. This would be like showing up to Germany without our passport and getting sent back to the US to get our passport before being able to get into the country.
Step 3 - After generating the SAML Request, the SP redirects us to the IdP. Note: The SAML Request passes through our browser on the way to the IdP.
Step 4 - The IdP receives the SAML Request
Step 4a (not pictured) - The IdP provides some means of authentication; a login form or something similar.
Step 4b (not pictured) - The IdP validates us as a legitimate user that should be allowed to access the resource included as part of the SAML Request
Step 5 - The IdP creates a SAML Response. The SAML Response contains the SAML Assertions necessary for the SP. The Assertion usually includes the following information at a minimum: Indication that the Assertion is from the correct IdP, a NameID attribute specifying who the user is, and a digital signature. The SAML Response also passes through our browser.
Step 6 - The IdP redirects us to the SP’s Assertion Consumer Service (ACS) URL. The ACS is simply the URL on which the SP expects to receive SAML assertions.
Step 7 - The ACS validates the SAML Response.
Step 8 - We are allowed to access the resource we originally requested.
shibdemo-sp1.test.edu is a local virtualized instance of an IdP and SP for testing, not an actual site
The SP generates a SAML Request because we’re not authenticated. We can see the raw SAML Request below.
AssertionConsumerServiceURL: Identifies where the IdP should send the SAML Response to after authentication
Destination: Indicates the address to which the request should be sent (IdP)
ProtocolBinding: Typically accompanies the AssertionConsumerServiceURL attribute; defines the mechanism by which SAML protocol messages will be transmitted
saml:Issuer: Identifies the entity that generated the request message
With the SAML Request created, the SP now replies to our GET request for /secure/ with a 302 redirect. The 302 directs our browser to head over to the IdP. The SAML Request is encoded into the HTTP response’s Location header as part of the 302.
The RelayState parameter sent along with the SAML Request is state information sent by the SP to the IdP so that the SP knows who initially asked for the resource when the SAML Response comes back. The SAML Response must contain the same RelayState value.
Let’s start by taking a look at the raw SAML Response.
saml:Assertion: Contains information about the user’s identity and potentially other user attributes.
saml:Subject: Specifies the principal that is the subject of all of the statements in the assertion.
saml:StatusCode: A code representing the status of the activity carried out in response to the corresponding request.
saml:Conditions: Specifies things like the time an Assertion is valid and that the Assertion is addressed to a particular Service Provider.
saml:AuthnStatement: States that the IdP authenticated the Subject of the Assertion.
saml:AttributeStatement: Contains Attributes that describe the Subject of the Assertion.
Here’s a more straightforward visual representation of the same SAML Response.
Now that we’ve authenticated with the IdP and it has generated the SAML Response above, it responds to our authentication with another 302 redirect.
The 302 ultimately leads to us making a POST request to the Service Provider’s Assertion Consumer Service URL. The POST body contains the RelayState and SAMLResponse parameters. Recall that the ACS processes and validates the SAML Response.
Once the POST request is received, and the SAML Response is validated, we can access the protected resource we initially requested.
We’re almost done covering all the basics we need to cover in order to move on to the actual testing! The last item we need to cover is XML Signatures. Interestingly, XML Signatures can be used to sign either a whole XML tree or specific elements within the tree. We already saw earlier that two separate XML Signatures were used in our example SAML Response. Each signature was responsible for a different part of the Response. In this section, we’ll look at the different ways an XML Signature can be incorporated into an XML document. Something to note is that while our examples use the Response element as the resource to be signed, XML Signatures can be applied to any Object, including Assertion elements.
A basic XML Signature is comprised of the following elements.
Of particular note for us is that each resource to be signed has its own Reference element. The Reference element’s URI attribute denotes which resource is signed by that particular Signature. By examining our example from earlier, we can see this in practice.
What we saw in our example earlier is known as an enveloped signature. An enveloped signature is a signature that is a descendant of the resource it’s signing. We can see that spelled out for us in the ds:Transform element of our example.
In addition to enveloped signatures, there are enveloping signatures where the signature wraps the resource, instead of the other way around.
Finally, there are detached signatures. A detached signature is neither wrapping nor is it wrapped by the resource to be signed. Instead, it is wholly separate from the signed resource.
Let’s take a closer look at steps 2 and 3 outlined above. We’ll make a request to the example Service Provider for the resource located at , which as its name implies, is content that requires us to be authenticated to view.
We’ve outlined the more pertinent elements of the request above, but details about any of the other elements can be viewed in the . The request above goes something like this: “Hey, please authenticate the user that sent this message to you and then have that same user hit me up when you two are done”.
The SAMLRequest parameter is a compressed and encoded version of the same raw xml snippet we looked at earlier. SAML uses the algorithm then base64 encodes the result.
We’re going to eschew stepping through the part where the user authenticates to the IdP and jump straight into steps 5 and 6 from what was discussed in the . Just keep in mind that what we’re going to look at happens after the user authenticates to the IdP.
ds:Signature: An that protects the integrity of and authenticates the issuer of the assertion; the SAML assertion MAY be signed but doesn’t have to be. The example above contains two ds:Signature elements. The reason is that one is the message’s signature; the other is the Assertion’s signature.
Most of the content was copied from
