SAML concepts
SAML is an XML-based OASIS standard for exchanging user identity and security attribute information. In a typical SAML usage scenario, you authenticate to a security domain and request that an identity provider issue SAML assertions.
The SAML assertions are presented to a service provider when you request access to business resources. In many cases, the service provider and identity provider are in different security domains, meaning that you must authenticate to an identity provider user directory that is not the same as the user directory of the service provider. WebSphere Application Server multiple security domain support allows a service provider to assert user identity and security attributes to a local security domain based on a trust relationship, without requiring identity mapping. We can use the SAML function to quickly build a Single Sign-On (SSO) solution across enterprises and across the Internet with industry-standard SAML security tokens.
See the following topics to learn about the product SAML function.
Subtopics
- SAML assertions defined in the SAML Token Profile standard
The Web Services Security SAML Token Profile OASIS standard specifies how to use Security Assertion Markup Language (SAML) assertions with the Web Services Security SOAP Message Security specification.
- Default policy sets and sample bindings for SAML
SAML-specific default policy sets and general bindings are provided when the SAML function is installed. These policy sets and sample general bindings are used to request SAML tokens from an external Security Token Service (STS), and to propagate SAML tokens to downstream web services.
- Overview of APIs for SAML
WebSphere Application Server support for SAML provides public APIs that we can use to build SAML token aware applications.
- SAML usage scenarios
The SAML function is described through four basic usage scenarios. The first three scenarios demonstrate web services single sign-on, configured using a policy set. The fourth scenario describes custom SAML single sign-on, which we can build using the SAML API and the trust client API. The scenarios demonstrate using SAML building blocks and APIs to authenticate to a Security Token Service (STS), request SAML tokens, and present the SAML tokens to obtain access to business services.
- Limitations of the SAML implementation
Limitations of the SAML implementation are described. These limitations refer to functions that are currently implemented and supported by WebSphere Application Server Version 8.0 and later.