SAML2.0 Getting Started Guide

SAML is widely used for single sign-on: in the SAML protocol, once a user's identity has been verified by the central site (the identity authentication server, or Identity Provider, IdP), the user can access the other sites registered with it (Service Providers, SPs) without entering a username and password again.

SAML itself is a very complex protocol. Here we pick out only its most important parts to explain. For more details, see the official documentation; later articles will analyze it further.

The SP sends a SAML authentication request message to the IdP, asking it to authenticate the user. The IdP prompts the user for a username and password and checks them; if they are correct, it returns a SAML authentication response to the SP indicating that the user has logged in successfully. The response also carries additional information (a signature and a validity period) so that the SP can make sure it has not been tampered with or forged.

Let's walk through the SAML workflow using the case of a user logging in to an SP, with the SP asking the IdP to confirm the user's identity. For example, the SP is Google Apps, the IdP is a university's identity server, and Alice is a student at that university.

Now Alice wants to check her email in the browser. As usual, she visits a web page, such as /a/my-university.nl (step 1). Because this is a federated identity domain, Google does not ask her for a username and password but redirects her to the IdP to authenticate (step 3). The URL she is redirected to looks similar to this:

The SAMLRequest parameter embedded in the HTTP request is the SAML authentication request message. Because SAML is XML-based (and therefore fairly long), the complete authentication request must be compressed (with DEFLATE, to keep the URL short) and then encoded (base64 followed by URL-encoding, so that it contains no characters that are special in a URL) before it can be transmitted. Before compression and encoding, the SAML message has the following format:

Put as plainly as possible, the above says: this request comes from Google; please verify the identity of the current user and return the result.
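To make the encoding steps concrete, here is an added example that is not part of the original article and not taken from any SAML library: a Go program using only the standard library that builds a minimal AuthnRequest, applies the HTTP-Redirect binding encoding (raw DEFLATE, then base64, then URL-encoding) to produce the redirect URL, and then reverses the three steps on the IdP side. The entity IDs, the ACS URL and the IdP endpoint (https://sp.example, https://idp.uni.nl/sso) are made-up placeholders, as are the function names. Two details a practitioner would want are included: the inflate step is capped in size, because a few hundred bytes of DEFLATE can expand to gigabytes, and the AssertionConsumerServiceURL in the request is checked against what the SP registered out of band rather than trusted, since the request arrives via the user's browser and anyone can craft one.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
	"time"
)

// Just the attributes the IdP needs from an AuthnRequest; real messages carry more.
type AuthnRequest struct {
	XMLName                     xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	ID                          string   `xml:"ID,attr"`
	IssueInstant                string   `xml:"IssueInstant,attr"`
	AssertionConsumerServiceURL string   `xml:"AssertionConsumerServiceURL,attr"`
	Issuer                      string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
}

// SP side, HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encoding;
// the result becomes the SAMLRequest query parameter of the IdP's single sign-on URL.
func encodeRedirect(idpSSO string, req AuthnRequest) (string, error) {
	raw, err := xml.Marshal(req)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(raw)
	w.Close()
	return idpSSO + "?SAMLRequest=" + url.QueryEscape(base64.StdEncoding.EncodeToString(buf.Bytes())), nil
}

// IdP side: reverse the three steps, with a cap so a tiny crafted parameter cannot inflate into
// gigabytes, then check the request against what the SP registered out of band.
func decodeRedirect(redirectURL string, maxBytes int64, registeredACS map[string]string) (AuthnRequest, error) {
	var req AuthnRequest
	u, err := url.Parse(redirectURL)
	if err != nil {
		return req, err
	}
	compressed, err := base64.StdEncoding.DecodeString(u.Query().Get("SAMLRequest"))
	if err != nil {
		return req, err
	}
	raw, err := io.ReadAll(io.LimitReader(flate.NewReader(bytes.NewReader(compressed)), maxBytes+1))
	if err != nil {
		return req, err
	}
	if int64(len(raw)) > maxBytes {
		return req, fmt.Errorf("SAMLRequest inflates past %d bytes", maxBytes)
	}
	if err := xml.Unmarshal(raw, &req); err != nil {
		return req, err
	}
	// The ACS URL in the request is attacker-controlled input: the assertion goes only to the
	// endpoint on file for that issuer, never wherever the request asks.
	acs, known := registeredACS[req.Issuer]
	if !known || acs != req.AssertionConsumerServiceURL {
		return req, fmt.Errorf("issuer %q unknown or asked for unregistered ACS %q", req.Issuer, req.AssertionConsumerServiceURL)
	}
	return req, nil
}

func main() {
	// Placeholder identifiers for the article's scenario (a university IdP, one registered SP).
	registered := map[string]string{"https://sp.example": "https://sp.example/acs"}
	req := AuthnRequest{
		ID:                          fmt.Sprintf("_%d", time.Now().UnixNano()),
		IssueInstant:                time.Now().UTC().Format(time.RFC3339),
		AssertionConsumerServiceURL: "https://sp.example/acs",
		Issuer:                      "https://sp.example",
	}
	redirect, _ := encodeRedirect("https://idp.uni.nl/sso", req)
	fmt.Println(redirect) // step 3: the browser is sent here
	got, err := decodeRedirect(redirect, 64<<10, registered)
	fmt.Println(got.ID, err)
}
```

Running it prints the kind of redirect URL the article describes, with the long SAMLRequest parameter, followed by the request ID the IdP recovered. Change the ACS URL in the request to anything not in the map and decodeRedirect refuses it; lower the byte cap and it refuses the inflate instead.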

When the IdP receives the message and decides to accept the authentication request, it asks Alice for a username and password to verify her identity (if Alice is already logged in, this step is skipped). Once verification passes, Alice's browser is sent back to a specific page on Google's side (the AssertionConsumerService, or ACS, step 6). As with the request, the SAML authentication response is compressed and encoded and transmitted as a parameter. Before compression and encoding, its structure looks like this:

Although there is a lot of content, its main message is: this response comes from idp.uni.nl; I have verified the identity of the user named Alice; the message is valid for 2 minutes. In addition, the URL to which the browser is redirected must carry a signature over the message, so that any tampering is detected. The public key and signature algorithm used to check the signature are agreed on in advance between the IdP and the SP.

When Google receives the SAML authentication response, it first checks that the signature is valid (step 7) and that the message has not expired. Only then does it extract the user identity (the NameID, Alice) from the authentication message. If all of these steps succeed, the user is logged in to Google (step 8).
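The signature and validity checks just described, as an added example that is not from the original article or from any SAML library: a Go program using only the standard library in which the IdP side builds a Response that answers one request, is addressed to one SP and is valid for two minutes, signs it the way the HTTP-Redirect binding prescribes (an RSA-SHA256 signature over the URL-encoded `SAMLResponse=...&SigAlg=...` query string), and the SP side verifies the signature before looking at the content, then checks issuer, InResponseTo, audience and the time window before using the NameID. The entity IDs (https://idp.uni.nl, https://sp.example), the function names and the freshly generated RSA key are placeholders for the values the two parties would exchange in metadata; to keep the block on the checks themselves, the DEFLATE step that the redirect binding applies before base64 is left out and SAMLResponse carries plain base64 of the XML.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"net/url"
	"strings"
	"time"
)

const sigAlg = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" // the only algorithm we accept

// Only the parts of a Response this example reads; real messages carry much more.
type Conditions struct {
	NotBefore    string `xml:"NotBefore,attr"`
	NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	Audience     string `xml:"AudienceRestriction>Audience"`
}
type Response struct {
	XMLName      xml.Name   `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	InResponseTo string     `xml:"InResponseTo,attr"`
	Issuer       string     `xml:"Issuer"`
	NameID       string     `xml:"Assertion>Subject>NameID"`
	Conditions   Conditions `xml:"Assertion>Conditions"`
}

// Placeholder for the IdP signing key whose public half the SP received out of band (metadata).
func newIdPKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// IdP side: the Response answers one request, is addressed to one SP and is good for two minutes.
func issueResponse(idp, sp, inResponseTo, nameID string, now time.Time) []byte {
	r := Response{InResponseTo: inResponseTo, Issuer: idp, NameID: nameID, Conditions: Conditions{
		NotBefore: now.UTC().Format(time.RFC3339), Audience: sp,
		NotOnOrAfter: now.UTC().Add(2 * time.Minute).Format(time.RFC3339)}}
	out, _ := xml.Marshal(r)
	return out
}

// IdP side: the redirect-binding signature covers the URL-encoded query "SAMLResponse=...&SigAlg=..."
// (a RelayState, if sent, sits between the two), not the XML itself. DEFLATE is left out here.
func signQuery(key *rsa.PrivateKey, responseXML []byte) (string, error) {
	q := "SAMLResponse=" + url.QueryEscape(base64.StdEncoding.EncodeToString(responseXML)) +
		"&SigAlg=" + url.QueryEscape(sigAlg)
	h := sha256.Sum256([]byte(q))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return q + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// SP side: verify over the raw query bytes as received (re-encoding can change what was signed),
// pin the algorithm instead of trusting SigAlg, and only then release the Response XML.
func verifyQuery(pub *rsa.PublicKey, rawQuery string) ([]byte, error) {
	raw := map[string]string{}
	for _, kv := range strings.Split(rawQuery, "&") {
		k, v, _ := strings.Cut(kv, "=")
		raw[k] = v // deliberately left URL-encoded
	}
	if alg, _ := url.QueryUnescape(raw["SigAlg"]); alg != sigAlg {
		return nil, fmt.Errorf("unexpected SigAlg %q", alg)
	}
	sigB64, _ := url.QueryUnescape(raw["Signature"])
	sig, _ := base64.StdEncoding.DecodeString(sigB64)
	h := sha256.Sum256([]byte("SAMLResponse=" + raw["SAMLResponse"] + "&SigAlg=" + raw["SigAlg"]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	respB64, _ := url.QueryUnescape(raw["SAMLResponse"])
	return base64.StdEncoding.DecodeString(respB64)
}

// SP side, after the signature passed: from our IdP, answering a request we sent, addressed to us,
// carrying a NameID, and inside its validity window (allowing a little clock skew).
func validateResponse(msg []byte, idp, sp, pendingReqID string, now time.Time, skew time.Duration) (string, error) {
	var r Response
	if err := xml.Unmarshal(msg, &r); err != nil {
		return "", err
	}
	nb, e1 := time.Parse(time.RFC3339, r.Conditions.NotBefore)
	na, e2 := time.Parse(time.RFC3339, r.Conditions.NotOnOrAfter)
	switch {
	case r.Issuer != idp || r.InResponseTo != pendingReqID || r.Conditions.Audience != sp || r.NameID == "":
		return "", fmt.Errorf("issuer, InResponseTo, audience or NameID problem: %+v", r)
	case e1 != nil || e2 != nil || now.Add(skew).Before(nb) || !now.Add(-skew).Before(na):
		return "", fmt.Errorf("assertion not valid at %s", now.UTC().Format(time.RFC3339))
	}
	return r.NameID, nil
}

func main() {
	const idp, sp = "https://idp.uni.nl", "https://sp.example" // placeholder entity IDs
	key, now := newIdPKey(), time.Now()
	query, _ := signQuery(key, issueResponse(idp, sp, "_req1", "alice", now)) // step 6
	if respXML, err := verifyQuery(&key.PublicKey, query); err == nil {        // step 7: signature first
		fmt.Println(validateResponse(respXML, idp, sp, "_req1", now, 30*time.Second)) // alice <nil>
	}
}
```

Three points carry over to any real deployment: the signature is checked over the query bytes exactly as received, not over values that were decoded and re-encoded; the algorithm is pinned by the verifier rather than taken from the message's own SigAlg; and nothing in the Response, not even its issuer, is trusted until the signature has passed. In the HTTP-POST binding, which most deployments use for the response, the signature is instead an XML Signature inside the message and must be checked with an XML-DSig library; the content checks that follow are the same.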

To keep the explanation readable, the information in the examples above has been simplified. If you want to see real SAML messages, the SAML-tracer add-on for the Firefox browser is recommended; it adds a panel to the browser that displays the SAML messages exchanged. Here is a screenshot:

I hope the above helps you understand the SAML protocol. The protocol as a whole is very complex, but the parts relevant to single sign-on are built on what is described above.

For more on implementing the SAML protocol, see my series of tutorial articles on using OpenSAML. Comments and corrections are welcome: