SAML stands for Security Assertion Markup Language, an XML-based data format for exchanging authentication and authorization data between an identity provider and a service provider. The single most important requirement that SAML addresses is web browser single sign-on (SSO). The SAML specification defines three main roles.
- The Principal: This is typically the user who tries to access a protected resource or service of a service provider.
- The Identity Provider: An Identity Provider (IdP) is responsible for authenticating users and issuing assertions which include authentication/authorization decisions and user attributes.
- The Service Provider: A Service Provider (SP) consumes the assertions issued by the Identity Provider and provides services to the principals.
The main use case covered by SAML is the Principal (the user) requesting access to a resource or service from the Service Provider. The Service Provider then uses SAML to communicate with the Identity Provider and obtain an identity assertion. The Service Provider makes the access control decision based on this assertion.
SAML 2.0 is the latest version of SAML, which uses security tokens containing assertions to pass information about a user between an identity provider and a service provider.
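The Service Provider's side of this exchange, as an added example (not from the original page or from any product's code): the checks an SP applies to an assertion before granting access. It assumes the assertion's XML signature has already been verified by an XML-DSig library; the entity IDs, user, and `role` attribute name are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample assertion: entity IDs, user and "role" attribute are hypothetical.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>subscriber</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    # Whole-second UTC timestamps only; anything else raises ValueError.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate_assertion(xml_text, trusted_issuer, sp_entity_id, required_role, now):
    """SP-side decision: return (allowed, subject_or_reason).
    Assumes the XML signature was verified before this function is called."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, "not a SAML 2.0 assertion"
    if root.findtext("saml:Issuer", "", NS).strip() != trusted_issuer:
        return False, "untrusted issuer"
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing conditions"  # stricter than the spec, which makes these optional
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        return False, "outside validity window"
    # Every AudienceRestriction must name this SP in one of its Audience elements.
    restrictions = cond.findall("saml:AudienceRestriction", NS)
    if not restrictions or not all(
            any((a.text or "").strip() == sp_entity_id for a in r.findall("saml:Audience", NS))
            for r in restrictions):
        return False, "audience mismatch"
    subject = root.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if not subject:
        return False, "missing subject"
    roles = [(v.text or "").strip() for v in root.iterfind(
        "saml:AttributeStatement/saml:Attribute[@Name='role']/saml:AttributeValue", NS)]
    if required_role not in roles:
        return False, "role not granted"
    return True, subject
```

The issuer, audience, and validity-window checks bind the assertion to one IdP, one SP, and a short time span, so an assertion issued for a different service or replayed after expiry is rejected even though its signature is valid.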
This section covers the following topics.
- Configuring API Manager for SSO
- Configuring External IDP through Identity Server for SSO
- Configuring Identity Server as IDP for SSO
For more information on the SAML-related terminology discussed in the sections above, go to the Assertions and Protocols for the OASIS SAML 2.0 documentation.