SAML 1.1
ISAM supports SAML 1.1.
If you and your partner choose to use SAML 1.1 in the federation, you need to understand the SAML 1.1 support provided in IBM Security Verify Access.
Assertions
The assertions created by IBM Security Verify Access contain authentication statements, which assert that the principal (the entity requesting access) was authenticated. Assertions can also carry attribute statements with attributes about the user that the identity provider wants to make available to the service provider.
Assertions are passed from the identity provider to the service provider. The following control the content of the assertions created by IBM Security Verify Access:
- The specification (SAML 1.1) selected when you establish the federation.
- The definitions used in the IBM ISAM identity mapping method that you configure.
Identity mapping specifies how identities are mapped between federation partners.
The IBM ISAM identity mapping method can be either a custom mapping module or a JavaScript mapping rule.
Protocol
In IBM Security Verify Access, SAML 1.1 uses a simple request-response protocol for requesting and returning assertions.
Binding
SAML 1.1 transports messages either over plain HTTP (browser redirects and form posts) or over SOAP. The profile used in the federation further specifies how the messages are communicated.
Profiles
SAML 1.1 specifies two profiles:
- Browser artifact: passes a small artifact (a reference to the assertion, not the assertion itself) through the browser to the service provider, which then uses SOAP-based communications (also called the SOAP backchannel) to exchange the artifact for the assertion, during the establishment and use of a trusted session between an identity provider, a service provider, and a client (browser).
- Browser POST: carries the signed response containing the assertion through the browser in a self-posting form during the establishment and use of the trusted session between an identity provider, a service provider, and a client (browser).
ISAM uses browser artifact by default when you select SAML 1.1 for the federation. However, you can use browser POST in the federation on a per-partner basis. For example, if you are a service provider, you can specify that an identity provider partner uses browser POST when you configure that partner. If you are an identity provider, you can enable the IBM PROTOCOL extension when configuring a SAML 1.1 federation.
The URL used to initiate single sign-on differs depending on whether the identity provider uses this extension. For information about URLs, see SAML 1.1 initial URL.
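The two profiles side by side, as an added example written for this page (it is not IBM Security Verify Access code and does not reflect how the product implements either profile). The provider IDs, URLs and sample principal are constructed; the message shapes follow the SAML 1.1 Bindings and Profiles specification: the browser artifact profile's SAMLart and TARGET redirect parameters, the type 0x0001 artifact layout and the samlp:Request carrying an AssertionArtifact over the SOAP backchannel, and the browser POST profile's self-posting form with SAMLResponse and TARGET fields. The service-provider checks show what a receiver must verify besides the XML signature, which is deliberately left out because it needs an XML Signature library:

```python
import base64
import hashlib
import html
import secrets
from datetime import datetime, timezone
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

# Constructed configuration for this example (assumptions, not product settings).
IDP_PROVIDER_ID = "https://idp.example.com/saml11"
SP_CONSUMER_URL = "https://sp.example.com/saml11/consumer"
SP_TARGET = "https://sp.example.com/app/"
# Type 0x0001 artifacts carry SourceID = SHA-1(provider ID); the SP maps it to a known partner.
PARTNERS = {hashlib.sha1(IDP_PROVIDER_ID.encode()).digest(): IDP_PROVIDER_ID}
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

def _iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def _from_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()

# ---- Browser artifact: artifact through the browser, assertion over the SOAP backchannel ----
def make_artifact(provider_id, handle=None):
    """Type 0x0001 artifact: 2-byte TypeCode + 20-byte SourceID + 20-byte AssertionHandle."""
    handle = handle or secrets.token_bytes(20)
    return base64.b64encode(b"\x00\x01" + hashlib.sha1(provider_id.encode()).digest() + handle).decode()

def artifact_redirect_url(artifact, target=SP_TARGET):
    """Redirect the IdP sends the browser to; SAMLart and TARGET are the profile's query parameters."""
    return SP_CONSUMER_URL + "?" + urlencode({"SAMLart": artifact, "TARGET": target})

def parse_artifact(artifact):
    """SP side: reject malformed artifacts and any whose SourceID is not a configured partner."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 42 or raw[:2] != b"\x00\x01":
        raise ValueError("unsupported or malformed artifact")
    source_id, handle = raw[2:22], raw[22:]
    if source_id not in PARTNERS:
        raise ValueError("artifact SourceID is not a configured partner")
    return PARTNERS[source_id], handle

def artifact_resolve_request(artifact, request_id, now):
    """samlp:Request the SP sends over the (mutually authenticated) SOAP backchannel."""
    return (f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP}"><SOAP-ENV:Body>'
            f'<samlp:Request xmlns:samlp="{SAMLP}" MajorVersion="1" MinorVersion="1" '
            f'RequestID="{request_id}" IssueInstant="{_iso(now)}">'
            f'<samlp:AssertionArtifact>{artifact}</samlp:AssertionArtifact>'
            '</samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>')

# ---- Browser POST: the signed response itself travels through the browser in a form ----
def make_response(principal, now, assertion_id=None, lifetime=300):
    """Constructed IdP response; unsigned here, whereas the real profile requires an XML Signature."""
    assertion_id = assertion_id or "_" + secrets.token_hex(16)
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="1" '
            f'ResponseID="_{secrets.token_hex(16)}" IssueInstant="{_iso(now)}" Recipient="{SP_CONSUMER_URL}">'
            '<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
            f'<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="{assertion_id}" '
            f'Issuer="{IDP_PROVIDER_ID}" IssueInstant="{_iso(now)}">'
            f'<saml:Conditions NotBefore="{_iso(now)}" NotOnOrAfter="{_iso(now + lifetime)}"/>'
            '<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" '
            f'AuthenticationInstant="{_iso(now)}"><saml:Subject><saml:NameIdentifier>'
            f'{html.escape(principal)}</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement>'
            '</saml:Assertion></samlp:Response>')

def post_field(response_xml):
    return base64.b64encode(response_xml.encode()).decode()  # value of the SAMLResponse field

def browser_post_form(response_xml, target=SP_TARGET):
    """Self-posting form the IdP returns to the browser; SAMLResponse and TARGET are its fields."""
    return (f'<form method="POST" action="{SP_CONSUMER_URL}">'
            f'<input type="hidden" name="SAMLResponse" value="{post_field(response_xml)}"/>'
            f'<input type="hidden" name="TARGET" value="{html.escape(target, quote=True)}"/>'
            '</form><script>document.forms[0].submit()</script>')

_seen_assertion_ids = set()  # replay cache; a real SP bounds it and expires entries at NotOnOrAfter

def check_post_response(saml_response_b64, now, skew=120):
    """SP-side checks on a posted response. The XML Signature over the response must be verified
    with an XML-DSig library BEFORE any of these fields is trusted; that step is outside this example."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Recipient") != SP_CONSUMER_URL:
        raise ValueError("Recipient is not this service provider")
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None or assertion.get("Issuer") != IDP_PROVIDER_ID:
        raise ValueError("assertion missing or from an unexpected issuer")
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if not (_from_iso(cond.get("NotBefore")) - skew <= now < _from_iso(cond.get("NotOnOrAfter")) + skew):
        raise ValueError("assertion outside its validity window")
    aid = assertion.get("AssertionID")
    if aid in _seen_assertion_ids:
        raise ValueError("replayed assertion")
    _seen_assertion_ids.add(aid)
    name = assertion.find(f"{{{SAML}}}AuthenticationStatement/{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    return {"assertion_id": aid, "principal": name.text}
```

The security difference between the profiles is visible in where trust comes from. With browser artifact, the browser only ever carries an opaque reference; the service provider authenticates the identity provider on the SOAP backchannel (typically mutual TLS or basic authentication on that connection) and the artifact is dereferenced once, so there is no assertion for a user to tamper with or replay. With browser POST, the assertion travels through the user's browser, so everything rests on the identity provider's XML signature and on the receiver checking Recipient, the validity window and the assertion ID before accepting it; the checks above are the minimum a service provider should apply after the signature has been verified.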
Parent topic: SAML Federations Overview