SAML profiles (Federation)
SAML profiles combine protocols, assertions, and bindings to create a federation and enable federated single sign-on. The following profiles are supported:
- Web browser single sign-on
  Provides options regarding the initiation of the message flow and the transport of the messages:
  - Message flow initiation
    - The message flow can be initiated from the identity provider or the service provider.
  - Bindings (transports)
    - HTTP redirect
    - HTTP POST
    - HTTP artifact
  The choice of binding depends on the type of message being sent. For example, an authentication request message can be sent from a service provider to an identity provider using HTTP redirect, HTTP POST, or HTTP artifact. The response message can be sent from an identity provider to a service provider using either HTTP POST or HTTP artifact. A pair of partners in a federation does not need to use the same binding in both directions.
- Single Logout
  - Used to terminate all the login sessions currently active for a specified user within the federation. A user who achieves single sign-on to a federation establishes sessions with more than one participant in the federation. The sessions are managed by a session authority, which in many cases is an identity provider. When the user wants to end sessions with all session participants, the session authority can use the single logout profile to globally terminate all active sessions.
  - Message flow initiation
    - The message flow can be initiated from the identity provider or the service provider.
  - Bindings (transports)
    - HTTP redirect
    - HTTP POST
    - HTTP artifact
    - SOAP
- Name Identifier Management
  - Used by identity or service providers to inform their partners when there is a change in user aliases. This profile can also be used by providers to terminate user linkages at the partners. The Federation module uses the alias service, which stores and retrieves federated identity aliases. User aliases are stored in and retrieved from a high-volume database.
  - Message flow initiation
    - The message flow can be initiated from the identity provider or the service provider.
  - Bindings (transports)
    - HTTP redirect
    - HTTP POST
    - HTTP artifact
    - SOAP
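As an added example, not from the product documentation, the following Python builds a service-provider-initiated authentication request for the web browser single sign-on profile and encodes it for two of the bindings listed above, HTTP redirect (DEFLATE plus base64 in the query string) and HTTP POST (base64 in a form field), then shows what the receiving identity provider does to recover and read it. All entity IDs and URLs are constructed placeholders.

```python
# Added example (not product code): SP-initiated AuthnRequest encoded for HTTP-Redirect and HTTP-POST; IDs and URLs are constructed.
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

def build_authn_request(sp_entity_id, idp_sso_url, acs_url):
    """Minimal AuthnRequest for the Web Browser SSO profile, SP-initiated flow."""
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,  # the SP keeps this to match Response/@InResponseTo
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,  # where the IdP must send the Response
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",  # for the Response
    })
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")

def encode_redirect(xml, idp_sso_url, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 gives raw deflate, no zlib header
    params = {"SAMLRequest": base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urlencode(params)

def decode_redirect(url):
    """Receiver side: take SAMLRequest from the query string, base64-decode it, inflate it."""
    q = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()
    return xml, q.get("RelayState", [None])[0]

def encode_post(xml):
    """HTTP-POST binding: plain base64 in a hidden form field; no compression, no URL length limit."""
    return base64.b64encode(xml.encode()).decode()

def request_summary(xml):
    """Parse a received AuthnRequest into the fields a receiver checks first."""
    root = ET.fromstring(xml)
    return {"id": root.get("ID"), "destination": root.get("Destination"),
            "issuer": root.findtext(f"{{{NS_SAML}}}Issuer")}
```

The HTTP artifact binding is not shown: it carries only a short reference in the URL or form, and the receiver resolves the full message over a direct SOAP back channel to the sender.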
Parent topic: SAML Federations Overview