What is SAML?
SAML stands for Security Assertion Markup Language. It is an XML-based standard for exchanging authentication and authorization data between different security domains. The SAML standard defines two roles, the identity provider and the service provider, which make up those security domains. SAML is a product of the OASIS Security Services Technical Committee.

SAML (Security Assertion Markup Language) is an XML framework, that is, a set of protocols for transmitting security assertions. For example, when two remote machines need to communicate securely, we can apply measures such as encryption, or we can use SAML to carry the data. The data is transmitted as XML that conforms to the SAML specification, so it does not matter what kind of system either computer runs; each side only needs to understand the SAML specification, which is clearly an improvement over proprietary approaches. The SAML specification is essentially a set of schema definitions.

One could say that in the field of Web services the schema is the specification, just as in Java the API is the specification.

The most important requirement that SAML addresses is web browser single sign-on (SSO). Single sign-on is common within an intranet (for example, using cookies), but extending it beyond the intranet has always been a problem, and that has led to a proliferation of proprietary, non-interoperable technologies. A more recent alternative for browser single sign-on is the OpenID Connect protocol.

SAML assertions carry three kinds of statements:

1. Authentication statement. Indicates whether the user has been authenticated; used mainly for single sign-on.

2. Attribute statement. Describes the attributes of a subject.

3. Authorization decision statement. Indicates the permissions a subject has on a resource.

In SAML, the client sends a SAML request to the server, and the server returns a SAML response. The data is transmitted as XML that conforms to the SAML specification.

SAML can be transmitted through SOAP or other protocols.

The SAML specification consists of several parts: SAML assertions, SAML protocols, SAML bindings, and so on.
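To make the request/response exchange and the three statement kinds above concrete, here is an added example, not code from the original article, that builds a minimal `<samlp:AuthnRequest>` as a service provider would send it and parses a constructed `<samlp:Response>` carrying an authentication, an attribute and an authorization decision statement. It uses only the Python standard library; the entity IDs and URLs (`sp.example.test`, `idp.example.test`) are constructed placeholders.

```python
# Added example (not from the original article): the XML a SAML exchange carries,
# built and parsed with the standard library. Entity IDs and URLs are placeholders.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)


def saml_now() -> str:
    # SAML timestamps are xs:dateTime in UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_authn_request(sp_entity_id: str, acs_url: str, idp_sso_url: str) -> bytes:
    """Serialise a minimal <samlp:AuthnRequest> as the SP sends it to the IdP."""
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,  # xs:ID must start with a letter or underscore
        "Version": "2.0",
        "IssueInstant": saml_now(),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)


# Constructed sample response (not a real capture): one assertion with all three statements.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    InResponseTo="_req1" Destination="https://sp.example.test/acs">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T11:59:50Z" SessionIndex="_s1">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="department"><saml:AttributeValue>engineering</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="role"><saml:AttributeValue>developer</saml:AttributeValue><saml:AttributeValue>reviewer</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
    <saml:AuthzDecisionStatement Resource="https://sp.example.test/reports" Decision="Permit">
      <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
    </saml:AuthzDecisionStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text: str) -> dict:
    """Extract status, subject and the three statement kinds from a SAML Response."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    assertion = root.find("saml:Assertion", NS)
    result = {
        "status": status.rsplit(":", 1)[-1],  # "Success", "Requester", ...
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "subject": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        # authentication statement: present means the IdP vouches the user logged in
        "authenticated": assertion.find("saml:AuthnStatement", NS) is not None,
        "attributes": {},  # attribute statement: name -> list of values
        "authz": [],       # authorization decision statement: (resource, decision, actions)
    }
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
        result["attributes"][attr.get("Name")] = values
    for dec in assertion.iterfind("saml:AuthzDecisionStatement", NS):
        actions = [a.text for a in dec.iterfind("saml:Action", NS)]
        result["authz"].append((dec.get("Resource"), dec.get("Decision"), actions))
    return result


if __name__ == "__main__":
    print(build_authn_request("https://sp.example.test",
                              "https://sp.example.test/acs",
                              "https://idp.example.test/sso").decode())
    print(parse_response(SAMPLE_RESPONSE))
```

The parser deliberately reads the status code before looking at the assertion: a response whose status is not `Success` carries no assertion to trust, and the SP should stop there.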

Because SAML establishes a trust relationship between two sites on behalf of their users, security is a very important consideration. A security flaw in SAML may expose users' personal information at the target site. SAML relies on many mature security standards, including SSL and X.509, to protect communication between the SAML source site and target site. All communication between the source site and the target site is encrypted, and certificates are used so that the two sites participating in a SAML interaction can verify each other's identities.

The security design of the SAML protocol is quite complete: it defines the interaction flow between the client, the SP and the IdP, and the key data exchanged in SAML is cryptographically signed and encrypted.

1. Signing SAML data.

To ensure that data is neither forged nor tampered with during a SAML interaction, any SAML data can be signed, and the SAML authentication assertion in particular should be.

Specifically, this project uses X.509 digital certificates for signing, with the RSA public-key algorithm and the SHA-256 hash algorithm, and a key length of 1024 bits.

2. Security design of the SAML authentication assertion: encryption and assertion validity.

The SAML authentication assertion contains a great deal of user account information, so it must be encrypted.

Encryption of the SAML authentication assertion supports a variety of symmetric algorithms, including the Chinese national cryptographic (SM) algorithms and AES. This project uses AES with a key length of 1024 bits, which the authors state effectively ensures the confidentiality of the authentication assertion.

In addition, to prevent replay attacks, the design limits the validity period of the authentication assertion. The validity period is configurable, and a shorter one is recommended.
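The signing and validity-period controls described in points 1 and 2 are only useful if the service provider actually checks them when an assertion arrives. The following is an added example, not code from the original article or project, showing the checks an SP runs on a received assertion: the `NotBefore`/`NotOnOrAfter` window (with a small clock-skew allowance), the audience restriction, the `InResponseTo` and `Recipient` binding to the SP's own request, a replay cache keyed on the assertion ID that lives as long as the assertion could still be valid, and a structural check that the enclosed `ds:Signature` refers to this very assertion. It does not verify the signature cryptographically or decrypt anything; those steps belong to an XML-DSig/XML-Enc library, which must run before these checks are trusted. (Two caveats on the figures above: 1024-bit RSA is no longer considered adequate for signatures, with 2048 bits the usual minimum, and AES is defined only for 128-, 192- and 256-bit keys.) The sample assertion and all URLs are constructed; standard library only.

```python
# Added example (not from the original article): service-provider-side validity,
# audience, InResponseTo and replay checks on a received SAML assertion.
# Signature verification and decryption are assumed to have been done by an
# XML-DSig/XML-Enc library beforehand. Sample data and URLs are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample (not a capture). The SignatureValue is a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID>alice@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req1"
          Recipient="https://sp.example.test/acs" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_instant(s: str) -> datetime:
    """Parse a SAML xs:dateTime in UTC ('...Z') into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ReplayCache:
    """Remembers accepted assertion IDs until they could no longer be valid."""

    def __init__(self):
        self._seen = {}  # assertion ID -> time after which it can be forgotten

    def check_and_store(self, assertion_id: str, expires: datetime, now: datetime) -> bool:
        self._seen = {i: t for i, t in self._seen.items() if t > now}  # evict stale IDs
        if assertion_id in self._seen:
            return False  # already accepted once: this is a replay
        self._seen[assertion_id] = expires
        return True


def validate_assertion(xml_text, now, expected_audience, expected_recipient,
                       expected_in_response_to, cache, skew=timedelta(seconds=60)):
    """Return (accepted, reason). Every rejection names the failing check."""
    a = ET.fromstring(xml_text)
    aid = a.get("ID")

    # The signature must cover this assertion, not some other element in the document.
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != f"#{aid}":
        return False, "signature does not reference this assertion"

    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions"
    not_before = parse_instant(cond.get("NotBefore"))
    not_on_or_after = parse_instant(cond.get("NotOnOrAfter"))
    if now + skew < not_before:
        return False, "assertion not yet valid"
    if now - skew >= not_on_or_after:
        return False, "assertion expired"

    audiences = [e.text for e in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch"

    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected_in_response_to:
        return False, "InResponseTo mismatch"
    if scd.get("Recipient") != expected_recipient:
        return False, "recipient mismatch"

    # Remember the ID for as long as a copy of this assertion could still pass the window check.
    if not cache.check_and_store(aid, not_on_or_after + skew, now):
        return False, "replayed assertion"
    return True, "ok"


if __name__ == "__main__":
    cache = ReplayCache()
    now = parse_instant("2024-01-01T12:01:00Z")
    for _ in range(2):  # second pass is rejected as a replay
        print(validate_assertion(SAMPLE_ASSERTION, now, "https://sp.example.test",
                                 "https://sp.example.test/acs", "_req1", cache))
```

The replay cache keeps an ID until `NotOnOrAfter` plus the skew allowance, which is exactly the interval during which a re-sent copy would otherwise pass the time-window check; this is why the article's advice to keep validity periods short also keeps the cache small.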

First, you need to know the basic roles and settings involved:

IdP: the provider of account authentication, such as Saifu IDaaS acting as the IdP; it mainly performs the authentication.

SP: the software (entity) that provides business services to users, such as ZenTao.

Browser: the user's browser, through which the user accesses resources and follows the redirects needed to complete identity authentication.

"User login address": the SAML login path of the application.

"relayState address": the address the user is redirected to after the application's authentication succeeds.

"AssertionConsumerServiceUrl": the endpoint at which the application receives the result from unified authentication.

The following is a brief introduction to the process of logging in to WebApp 1 using SAML-based SSO.

The figure illustrates the following steps.

The user attempts to access WebApp 1.
