Show TOC

SAML 2.0Locate this document in the navigation structure

The Security Assertion Markup Language (SAML) version 2.0 is a standard for the communication of assertions about principals, typically users. The assertion can include the means by which a subject was authenticated, attributes associated with the subject, and an authorization decision for a given resource.

The main benefits of SAML 2.0 are as follows:

  • SSO with SAML 2.0

    SAML provides a standard for cross-domain Single Sign-On (SSO). Other methods exist for enabling cross domain SSO, but they require proprietary solutions to pass authentication information across domains. SAML 2.0 supports identity-provider-initiated SSO as in SAML 1.x. SAML 2.0 also supports service-provider-initiated SSO.

  • SLO with SAML 2.0

    Single Log-Out (SLO) enables users to cleanly close all their sessions in a SAML landscape, even across domains. Not only does this save system resources that would otherwise remain reserved until the sessions time out, but SLO also mitigates the risk of the hijacking of unattended sessions.

  • Identity federation

    Identity federation provides the means to share identity information between partners. To share information about a user, partners must be able to identify the user, even though they may use different identifiers for the same user. The SAML 2.0 standard defines the name identifier (name ID) as the means to establish a common identifier. Once the name ID has been established, the user is said to have a federated identity.

The two main components of a SAML 2.0 landscape are an identity provider and a service provider. The service provider is a system entity that provide a set of Web applications with a common session management, identity management, and trust management. The identity provider is a system entity that manages identity information for principals and provides authentication services to other trusted service providers. In other words, the service providers outsource the job of authenticating the user to the identity provider. The identity provider maintains the list of service providers where the user is logged in and passes on logout requests to those service providers.

The client that is trying to access the resource must be HTTP-compliant.

Prerequisites

You have a SAML 2.0 identity provider in your landscape.

Constraints

The SAP NetWeaver Application Server supports SP lite as defined in Conformance Requirements for the OASIS Security Assertion Markup Language (SAML) V2.0.

Related Information