SAML 2.0 (conceptual information)

SAML (Security Assertion Markup Language) is an XML-based framework for cross-domain single sign-on. SAML is an open standard defined by OASIS.

  • Basically, SAML defines three roles:
  • Principal: An entity (typically a user) signing in to one or more applications.
  • IDP (Identity Provider): The entity which authenticates the principals.
  • SP (Service Provider): One of the applications to which the principals sign in.
  • Throughout this documentation, we use the terms principal and user as synonyms.

  1. A typical scenario for a user trying to access a service on the SP:
  2. If the principal has not yet been authenticated at the SP, it is redirected by the SP to the IDP.
  3. The IDP authenticates the user.
  4. The IDP issues a SAML assertion for the principal. 
  5. The SAML assertion is validated in the SP and access to the service is granted.

A SAML assertion issued by the IDP can only be used to access a specific SP.

SAML support in Airlock IAM

Airlock IAM supports SAML 2.0 and can be for both IDP and SP. It is possible to configure a single instance of Airlock IAM with one IDP and multiple SPs simultaneously.

  • IAM supports the following SAML features:
  • IDP and SP
  • Web browser SSO (single sign-on)
  • IDP-initiated SSO
  • SP-initiated SSO
  • Single logout
  • POST binding
  • HTTP artifact binding

Configuration Contexts should not be used in SAML plugins, both for the IDP and SP.

The underlying SAML library does not support configuration depending on contexts. Therefore, the separation of SAML entities via contexts might not work as expected.