SAML (Security Assertion Markup Language)
Source: http://baike.baidu.com/view/758527.htm?fr=aladdin

SAML, the Security Assertion Markup Language, is an XML-based standard for exchanging authentication and authorization data between different security domains. The SAML standard defines identity providers and service providers, which make up the different security domains just mentioned. SAML is a product of the Security Services Technical Committee of the OASIS organization.

Contents
- 1 Definition
- 2 Background
- 3 SAML functions
- 4 SAML framework
- 5 Security
- 6 SAML support
1 Definition

SAML (Security Assertion Markup Language) is an XML framework: a set of protocols and specifications that can be used to transfer enterprise users' identity credentials, chiefly across identity domains outside the enterprise. For example, when users of a company (the IdP) access a SaaS application (the SP), identity security can be protected not only by encryption and signing but also by adopting the SAML specification: the data is transmitted as XML whose content follows the SAML recommended standards. This way neither party needs to ask what kind of system the IdP or the SP runs; both only need to understand the SAML specification, which is clearly better than the traditional approach. The SAML specification is a set of schema definitions. One could say that in the Web Service domain the schema is the specification, just as in the Java domain the API is the specification.

2 Background

Security is an important factor that every Web project must consider at design time. Whether you are choosing the minimum password length, deciding when to use SSL to encrypt HTTP sessions, or identifying users through automatic-login cookies, you often have to invest significant design effort to protect users' identities and the other information they may hold on the site. Poor security can lead to a public-relations catastrophe. End users who strive to keep control of their personal information face confusing privacy policies, have to remember different passwords for many sites, and run into "phishing" attacks. At the macro level, digital identity raises many complex technical and social problems, and industry groups such as the Liberty Alliance and Identity Gang are trying to solve them by developing new technical standards. On a smaller scale, you can use tools to provide better security for your users. Consider the problem of password management.
Users visit Web sites that hold their personal data and must be authenticated before they can access it. Authentication verifies that users are who they claim to be. The simplest way to verify this is with a password. But if every site requires its own password, users end up with a large number of passwords that are hard to keep track of. In 1998, Microsoft made the first attempt at a global solution to this problem with its Passport network. Passport made it possible for any Web site to use the personal data (such as user name, address and credit card number) that a user had submitted to Passport. Passport was the first e-commerce attempt at single sign-on (SSO). It was not popular, partly because of concerns about the closed nature of the system. The concept of SSO is nonetheless very compelling, and many open standards and commercial plans followed Passport. With SSO, a Web site can share user identity information with other sites. SSO is particularly useful for businesses that use application service provider (ASP) software services. The ASP hosts the application on its own servers and sells access to it as a service. A company can manage its own users and passwords in its standard directory server and then grant those users access to the ASP application through SSO. SSO lets companies manage their own user information without maintaining multiple user accounts for each employee. For users, the benefit of SSO is that they can use one user name and password across multiple applications and need not re-authenticate when switching between them. SSO is not only for Web applications; it can be used with any type of application as long as there is a protocol that transmits identity information securely. The open standard for this kind of communication is the Security Assertion Markup Language (SAML). The adoption of SAML has accelerated with the development of cloud computing.
More and more companies in the industry realize that maintaining a set of user names and passwords at every SaaS vendor is time-consuming and laborious, and are seeking to extend their in-house identity authentication to SaaS applications. Leading SaaS applications such as Google and Salesforce offer a SAML single sign-on interface. Sun launched the open source Java project OpenSSO, which once looked like a promising vision, but after Oracle's takeover the project appears to have stalled (Oracle has its own SAML-capable commercial platform). IBM, CA and others have launched their own products. Microsoft's ADFS claims support for SAML 2.0 (1.1 is not supported). What these products have in common is limited compatibility: they combine well within their own product line, but interconnection with other vendors' products has limitations. A rising player is Ping Identity, a U.S. company based in Denver. Its PingFederate, built on the Java platform, supports SAML 2.0 and 1.1 as well as WS-Federation (the protocol Microsoft mainly promotes), and in the last two years it has released versions that support OAuth (6.6 and later). Besides its products, the company also works with a group of industry veterans and actively participates in drafting the SAML standard and promoting its adoption. As can be seen, SAML is strongly supported by leading enterprise and SaaS application vendors, and hundreds of SaaS vendors now [1] claim to support SAML single sign-on.

3 SAML functions

SAML has three main aspects:
1. Authentication statement: indicates whether the user has been authenticated; typically used for single sign-on.
2. Attribute statement: indicates properties of a subject.
3. Authorization statement: indicates permissions on a resource.

4 SAML framework

Put simply, SAML works like this: one party sends a SAML request and the other party returns a SAML response.
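As an added example that is not part of the original entry, the Python below builds a minimal SAML 2.0 Response on the IdP side, carrying one assertion with the three statement types listed in section 3, and then shows the checks the SP runs on that response before trusting it: destination, status, issuer, signature presence, validity window and audience. The function names, the idp.example/sp.example identifiers and all sample values are constructed assumptions; the ds:Signature element is only a placeholder, because real signature verification is done with an XML-DSig library against the IdP's certificate and is not implemented here.

```python
# Added example, not code from the Baidu Baike entry: a minimal SAML 2.0 Response
# built on the IdP side and checked on the SP side. Names and values are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"    # samlp: protocol messages
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"   # saml: assertions
NS_DS = "http://www.w3.org/2000/09/xmldsig#"     # ds: XML Signature
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"                    # SAML xsd:dateTime, UTC

def _ts(dt): return dt.strftime(TS_FMT)
def _parse_ts(s): return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)

def build_response(issuer, subject, audience, destination, now, signed=True):
    """IdP side: a Response carrying one Assertion with all three SAML
    statement types. Returns the serialized XML text."""
    for prefix, uri in (("samlp", NS_P), ("saml", NS_A), ("ds", NS_DS)):
        ET.register_namespace(prefix, uri)
    resp = ET.Element(f"{{{NS_P}}}Response", {"ID": "_resp-constructed-1", "Version": "2.0",
                                              "IssueInstant": _ts(now), "Destination": destination})
    ET.SubElement(resp, f"{{{NS_A}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{NS_P}}}Status")
    ET.SubElement(status, f"{{{NS_P}}}StatusCode", {"Value": SUCCESS})
    a = ET.SubElement(resp, f"{{{NS_A}}}Assertion", {"ID": "_assertion-constructed-1",
                                                     "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(a, f"{{{NS_A}}}Issuer").text = issuer
    if signed:  # placeholder: a real IdP puts an enveloped XML-DSig over the Assertion here
        ET.SubElement(a, f"{{{NS_DS}}}Signature")
    subj = ET.SubElement(a, f"{{{NS_A}}}Subject")
    ET.SubElement(subj, f"{{{NS_A}}}NameID").text = subject
    cond = ET.SubElement(a, f"{{{NS_A}}}Conditions", {"NotBefore": _ts(now - timedelta(minutes=1)),
                                                      "NotOnOrAfter": _ts(now + timedelta(minutes=5))})
    aud = ET.SubElement(cond, f"{{{NS_A}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{NS_A}}}Audience").text = audience
    # 1. Authentication statement: the subject was authenticated, when and how
    authn = ET.SubElement(a, f"{{{NS_A}}}AuthnStatement", {"AuthnInstant": _ts(now)})
    ctx = ET.SubElement(authn, f"{{{NS_A}}}AuthnContext")
    ET.SubElement(ctx, f"{{{NS_A}}}AuthnContextClassRef").text = (
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
    # 2. Attribute statement: properties of the subject
    attrs = ET.SubElement(a, f"{{{NS_A}}}AttributeStatement")
    att = ET.SubElement(attrs, f"{{{NS_A}}}Attribute", {"Name": "department"})
    ET.SubElement(att, f"{{{NS_A}}}AttributeValue").text = "engineering"
    # 3. Authorization statement: a permission on a resource
    authz = ET.SubElement(a, f"{{{NS_A}}}AuthzDecisionStatement",
                          {"Resource": "https://sp.example/app", "Decision": "Permit"})
    ET.SubElement(authz, f"{{{NS_A}}}Action",
                  {"Namespace": "urn:oasis:names:tc:SAML:1.0:action:rwedc"}).text = "read"
    return ET.tostring(resp, encoding="unicode")

def validate_response(xml_text, trusted_issuer, my_entity_id, my_acs_url, now):
    """SP side: the checks a relying party runs before acting on an assertion.
    Use the returned subject/attributes/decisions only when 'problems' is empty."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != my_acs_url:
        problems.append("destination mismatch")
    code = root.find(f"{{{NS_P}}}Status/{{{NS_P}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status not Success")
    a = root.find(f"{{{NS_A}}}Assertion")
    if a is None:
        return {"subject": None, "attributes": {}, "decisions": {}, "problems": problems + ["no assertion"]}
    if a.findtext(f"{{{NS_A}}}Issuer") != trusted_issuer:
        problems.append("untrusted issuer")
    if a.find(f"{{{NS_DS}}}Signature") is None:
        # Real code verifies the XML-DSig against the IdP certificate obtained out of band.
        problems.append("unsigned assertion")
    cond = a.find(f"{{{NS_A}}}Conditions")
    if cond is None:
        problems.append("no conditions")
    else:
        if now < _parse_ts(cond.get("NotBefore")):
            problems.append("not yet valid")
        if now >= _parse_ts(cond.get("NotOnOrAfter")):
            problems.append("expired")
        if my_entity_id not in [e.text for e in cond.iter(f"{{{NS_A}}}Audience")]:
            problems.append("audience mismatch")
    attributes = {att.get("Name"): [v.text for v in att.findall(f"{{{NS_A}}}AttributeValue")]
                  for att in a.iter(f"{{{NS_A}}}Attribute")}
    decisions = {s.get("Resource"): s.get("Decision")
                 for s in a.findall(f"{{{NS_A}}}AuthzDecisionStatement")}
    return {"subject": a.findtext(f"{{{NS_A}}}Subject/{{{NS_A}}}NameID"),
            "attributes": attributes, "decisions": decisions, "problems": problems}

# Constructed scenario: IdP idp.example asserts an employee to SP sp.example.
IDP, SP, ACS = "https://idp.example/saml", "https://sp.example/saml", "https://sp.example/SP/ACS.SAML2"
NOW = datetime(2011, 6, 21, 18, 45, 5, tzinfo=timezone.utc)  # IssueInstant from the entry's sample

def demo():
    """Problem lists for one valid response and three that an SP must reject."""
    good = build_response(IDP, "alice", SP, ACS, NOW)
    unsigned = build_response(IDP, "alice", SP, ACS, NOW, signed=False)
    other_aud = build_response(IDP, "alice", "https://other.example", ACS, NOW)
    check = lambda xml, at: validate_response(xml, IDP, SP, ACS, at)["problems"]
    return {"good": check(good, NOW), "unsigned": check(unsigned, NOW),
            "wrong_audience": check(other_aud, NOW),
            "replayed": check(good, NOW + timedelta(minutes=10))}
```

Calling demo() returns an empty problem list for the valid response and one-item lists for the other three cases: an assertion without a signature, an assertion issued for a different audience, and the same assertion presented again ten minutes later, after its NotOnOrAfter. A production SP additionally verifies the XML signature, checks InResponseTo for SP-initiated flows, and remembers assertion IDs it has already accepted so that a replay inside the validity window is also rejected.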
The data is transmitted in an XML format that conforms to the SAML specification. Either side of the connection can initiate the request; depending on which side does, it is called an IdP-initiated request or an SP-initiated request. Below is an example from PingFederate, an industry-leading SAML vendor, describing IdP-initiated SSO (the detailed process can be found in the references). The user logs on to the IdP domain via LDAP, and the IdP generates a SAML assertion for the logged-in user that includes the employee's identity information. After this information is passed to the SP over an SSL-encrypted channel, the SP verifies the signature, determines that this is a request from an employee of the company to access one of its applications (RelayState), and passes the request on to its own application, which makes the authorization decision.

    <Response Destination="<HTTP_PROTOCOL>://SP:9031/SP/ACS.SAML2"
              IssueInstant="2011-06-21T18:45:05.541Z"
              ID="Mlfj46z1ac5.og0xruqng9i9pza"
              Version="2.0"
              xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
              xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
              xmlns:ds="
    (the rest of the response is cut off in the source entry)

5 Security

Because SAML establishes a trust relationship between two sites that share users, security is a very important consideration. Security weaknesses in SAML can compromise a user's personal information at the target site. SAML relies on a number of well-established security standards, including SSL, to secure communication between the SAML source site and the target site. All communication between the source site and the target site is encrypted. Certificates are also used to ensure that both sites participating in a SAML interaction can authenticate each other's identity.

6 SAML support

BEA WebLogic Server 9.0 was the first version of WebLogic Server to include SAML support, and that support was further enhanced in WebLogic Server 9.1. WebLogic Server uses SAML as part of the WebLogic Security Service.
SAML is used to provide SSO for WebLogic Web services and to share authentication information across WebLogic domains. In addition to SAML, WebLogic Server supports the Simple and Protected Negotiation (SPNEGO) protocol for Windows desktop SSO. SAML can be used to grant access to Web applications and Web services. For some applications, the SAML support in WebLogic Server can be used with little or no additional programming. If an application uses security settings configured as part of the WebLogic security domain, integrating SAML is mainly a system-administration task. WebLogic Server can be configured as a SAML source site or a SAML target site. To make the server a SAML source site, configure a SAML Credential Mapper; to make it a SAML target site, configure a SAML Identity Asserter. If the application's security model interacts with the WebLogic Security Service but contains its own WebLogic-specific code, that customization can be extended to SAML using WebLogic's SAML API. The API provides programmatic access to the main components of the WebLogic SAML service. Users can extend classes such as SAMLCredentialNameMapper and SAMLIdentityAssertionNameMapper with their application's own business logic. Once they have their custom classes, the WebLogic Administration Console lets them configure the SAML Credential Mapper (source site) or SAML Identity Asserter (target site) to use those classes. The only requirement is that the custom class be on the system classpath, much like a WebLogic startup class, which can affect the deployment strategy. Finally, if the application's security model is completely independent of the WebLogic Security Service, it cannot benefit from WebLogic's SAML tooling.
Users who want their applications to support SAML need to do more: either implement a simplified version of some of the services WebLogic provides, or integrate third-party versions of those services. Even so, SAML can still be used to advantage on any Java EE application server, or on a Web server such as Tomcat. Both commercial and open source SAML support options are available. Among the open source options are OpenSAML and the related Shibboleth project. OpenSAML is a SAML toolkit that can be used to build your own SAML source and target sites. Shibboleth goes further: it provides a "SAML 1.1-based cross-domain Web single sign-on platform" built on OpenSAML. SourceID provides a set of open source toolkits for SAML 1.1 in Java and .NET. There is no complete SAML toolkit under the Apache project, but the WSS4J project contains some support for OpenSAML.

Category: wiki