SAML is designed to work with HTTP, Simple Mail Transfer Protocol, file transfer protocol, and several XML frameworks, including the Simple Object Access Protocol (SOAP) and e-business XML. It provides a standard way to define user authentication and authorization, and attribute information in XML documents.
SAML 被设计用来与 HTTP、简单邮件传送协议(Simple Mail Transfer Protocol)、文件传送协议和几种 XML 框架(包括简单对象访问协议(Simple Object Access Protocol,SOAP)和电子商务 XML)一起工作。它提供了以 XML 文档定义用户认证、授权和属性信息的标准方式。
The main components of SAML include the following:
- Assertions. SAML defines three kinds of assertions, which are declarations of one or more facts about a user (human or computer). Authentication assertions require that the user prove his identity. Attribute assertions contain specific details about the user, such as his credit line. The authorization decision assertion identifies what the user can do (for example, whether he is authorized to buy a certain item).
- 断言。SAML 定义了三种断言类型,都是关于用户(人或计算机)的一个或多个事实的声明。认证断言要求用户证实自己的身份。属性断言包含关于用户的特定细节,如他的信用额度。授权判定断言标识了用户可以做什么(例如,是否授权该用户购买某种产品)。
- Request/response protocol. This defines the way that SAML requests and receives assertions. For example, SAML currently supports SOAP over HTTP. In the future, the SAML request and response format will bind to other communications and transport protocols.
请求/响应协议。这个协议定义了 SAML 请求和接收断言的方式。例如,SAML 目前支持 HTTP 上的 SOAP。将来,SAML 请求和响应格式将绑定到其它通信和传输协议。
- Bindings. This details exactly how SAML requests should map into transport protocols such as SOAP message exchanges over HTTP. 绑定。这个组件确切地详细描述了 SAML 请求应如何映射到诸如 HTTP 上的 SOAP 消息交换之类的传输协议。
- Profiles. These dictate how SAML assertions can be embedded or transported between communicating systems.
概要。这些组件规定了如何将 SAML 断言嵌入通信系统或在通信系统之间传递。
While SAML makes assertions about credentials, it doesn't actually authenticate or authorize users. That is done by an authentication server in conjunction with a Lightweight Directory Access Protocol directory. SAML does link back to the actual authentication and makes its assertion based on the results of that event.
尽管 SAML 进行关于凭证的断言,但实际上它并不对用户进行认证或授权。那是由认证服务器和轻量级目录访问协议(Lightweight Directory Access Protocol)目录一起完成的。SAML 创建到实际认证的链接并根据该事件的结果进行其断言。
In short, SAML enables open and interoperable designs for Web-based, single sign-on service functionality.
简单来说,SAML 支持基于 Web 的开放和可互操作的设计、单点登录服务功能。
In the typical SAML architecture, a SAML-compliant service, called a relying party, sends SAML requests to an issuing authority, which returns SAML assertion responses. All of the requests and responses are transmitted within a SOAP envelope via HTTP, although applications can define and exchange assertions using a variety of request/response protocols. However, those extensions may limit interoperability. For example, when a mobile device client requests access to a back-end application, it sends authentication information to the issuing authority. The issuing authority can then send a positive or negative authentication assertion depending upon the credentials presented by the mobile device client. While the user still has a session with the wireless applications, the issuing authority can use the earlier reference to send an authentication assertion stating that the user was, in fact, authenticated by a particular method at a specific time. As mentioned earlier, location-based authentication can be done at regular time intervals, which means that the issuing authority gives out location-based assertions periodically as long as the user credentials make for a positive authentication.
在典型的 SAML 体系结构中,称为信任方的符合 SAML 的服务将 SAML 请求发送到发行认证机构,该机构返回 SAML 断言响应。所有请求和响应都是通过 HTTP 用 SOAP 封装传送的,但应用程序可以用各种请求/响应协议定义和交换断言。但是,这些扩展会限制互操作性。例如,当移动设备客户机请求访问后端应用程序时,它向发行认证机构发送认证信息。然后,发行认证机构可以根据移动设备客户机提供的凭证发送肯定或否定认证断言。尽管用户仍然拥有与无线应用程序的会话,但是发行认证机构可以使用更早的引用来发送认证断言,声明用户实际上是在特定时间内使用特殊的方法认证的。正如先前提到的,基于位置的认证可以定期进行,这意味着只要对用户凭证的认证是肯定的,发行认证机构就会定期发表基于位置的断言。
下面的 SAML 认证请求。它包含用户凭证(如用户名和加密密码)、认证方法、响应请求、凭证类型和位置信息。
<samlp:Request MajorVersion="1" MinorVersion="0" RequestID="<request id>"> <samlp:RespondWith>AuthenticationStatement </samlp:RespondWith> <samlp:AuthenticationQuery> <saml:Subject> <saml:NameIdentifier Name="<user name>"/> <saml:SubjectConfirmation> <saml:ConfirmationMethod> http://www.oasis-open.org/committies/security/docs/ draft-sstc-core-5/password </saml:ConfirmationMethod> <saml:SubjectConfirmationData> <password> </saml:SubjectConfirmationData> </saml:SubjectConfirmation> <saml:NameIdentifier Name="<location>" /> <saml:SubjectConfirmation> <saml:ConfirmationMethod> <LocationURI> <-- For authenticating location information using a SAML binding profile --> </saml:ConfirmationMethod> <saml:SubjectConfirmationData> <latitude>, <;longitude>,<timestamp>, </saml:SubjectConfirmationData> </saml:SubjectConfirmation> </saml:Subject> </samlp:AuthenticationQuery></samlp:Request>
The response to the above request (shown below) contains the authentication assertion with an attribute/condition that specifies the time period when the authentication is valid. If the authentication information supplied in the request resulted in a successful authentication, a status code of success is sent back to the authentication requestor.
对上述请求的响应(如下所示)包含带有指定认证有效的时间段的属性/条件的认证断言。如果请求中提供的认证信息导致成功的认证,那么就向认证请求方返回一个表示成功的状态码。
<samlp:Response InResponseTo="<request id>" MajorVersion="1" MinorVersion="0" ResponseID="upuSGdmqx7ov01mExYlt+6bDCWE="> <samlp:Status> <samlp:StatusCode Value="samlp:Success"/> </samlp:Status> <saml:Assertion AssertionID="+1UyxJDBUza+ao+LqMrE98wmhAI=" IssueInstant="2002-10-03T14:33:58.456" Issuer="SunONE" MajorVersion="1" MinorVersion="0"> <saml:Conditions NotBefore="2002-10-03T14:33:58.466" NotOnOrAfter="2002-10-03T15:03:58.466"/> <saml:AuthenticationStatement AuthenticationInstant="2002-10-03T14:33:55.201" AuthenticationMethod="http://www.oasis-open.org/committies/security/ docs/draft-sstc-core-25/password"> <saml:Subject> <saml:NameIdentifier Name="<user>" /> <saml:SubjectConfirmation> <saml:ConfirmationMethod> http://www.oasis-open.org/committies/security/docs/ draft-sstc-core-25/password </saml:ConfirmationMethod> </saml:SubjectConfirmation> </saml:Subject> </saml:AuthenticationStatement> <saml:AuthenticationStatement AuthenticationInstant="2002-10-03T14:33:55.205" AuthenticationMethod="<LocationURI>" > <saml:Subject> <saml:NameIdentifier Name="<location>" /> <saml:SubjectConfirmation> <saml:ConfirmationMethod> <LocationURI> </saml:ConfirmationMethod> </saml:SubjectConfirmation> </saml:Subject> </saml:AuthenticationStatement> </saml:Assertion></samlp:Response>
In conclusion
As we can see, even though specifying security assertions in XML may not make much sense for a limited bandwidth wireless network, the advantages far outweigh its bandwidth overhead. XML is also the communication data format of choice for the new generation of open, interoperable Web services applications for security services. SAML provides a much-needed interoperability between compliant Web access management and security products for wireless applications. Adding location information for authentication and authorization to the existing wireless security mechanisms is a value-added proposition for information assurance.
小结
如我们所见,虽然用 XML 指定安全性断言(SAML)对无线网络没有特别大的意义,其好处却远超过带宽开销。XML 也是用于安全性服务的新一代开放的、可互操作的 Web 服务应用程序的通信数据格式选择。SAML 为无线应用程序提供了符合 Web 访问管理和安全性产品之间急需的互操作性。将用于认证与授权的位置信息添加到现有无线安全性机制,是信息保证的增值提议。