SAML 2.0 and Federation

Not an RFC standard.

  • Service Provider (SP)

  • Identity Provider (IdP)

SAML assertions contain

  • timestamp

  • issuer

  • subject

  • conditions

  and one or more statements, of three types:

  1. Authentication statements

  2. Attribute statements

  3. Authorization decision statements

Assertions can be signed and/or encrypted

Sign-in flows

  • SP-initiated sign-in: Triggered when the user tries to access a specific SAML-protected resource directly and the SP redirects the user to the IdP. The context of which specific resource the user requested is included.

  • IdP-initiated sign-in: Triggered when the user visits the IdP and is then redirected to the SP. Since no context about which specific resource is being requested is included, the user is redirected to a generic landing page on the SP.

Warning: The IdP-initiated sign-in is susceptible to Man-in-the-Middle attacks as the
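As an added example (not part of these notes), the following Python validator runs the checks an SP should apply to an incoming SAML Response before trusting it, covering both sections above: issuer, subject, the Conditions time window and audience restriction, which of the three statement types are present, whether an XML signature is present, and whether the response answers an outstanding AuthnRequest (SP-initiated, InResponseTo set) or arrives unsolicited (IdP-initiated, no InResponseTo). The sample XML, the issuer and audience URLs, the timestamps and the request ID are all constructed values.

```python
"""Checks an SP would run on an incoming SAML 2.0 Response before trusting it.
Added example; the sample XML, URLs, times and request ID below are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: an unsigned response to an SP-initiated sign-in (InResponseTo set).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" InResponseTo="_req-abc123">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T11:59:30Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>alice@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same response without InResponseTo: what an IdP-initiated sign-in delivers.
SAMPLE_UNSOLICITED = SAMPLE_RESPONSE.replace(' InResponseTo="_req-abc123"', "")


def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, expected_issuer, expected_audience, now,
                      outstanding_request_ids, allow_unsolicited=False):
    """Return a dict with 'ok', 'findings' and the extracted fields.
    outstanding_request_ids: AuthnRequest IDs this SP issued and has not yet consumed."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return {"ok": False, "findings": ["not a samlp:Response"]}
    # Encrypted assertions must be decrypted with the SP's private key first.
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("encrypted assertion: decrypt with the SP key before these checks")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext assertion present")
        return {"ok": False, "findings": findings}

    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        findings.append("issuer mismatch")
    subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        findings.append("missing subject")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("missing Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before):
            findings.append("assertion not yet valid (NotBefore)")
        if not_on_or_after and now >= parse_saml_time(not_on_or_after):
            findings.append("assertion expired (NotOnOrAfter)")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            findings.append("audience mismatch")

    # The three statement types an assertion may carry.
    statements = {
        "authentication": len(assertion.findall("saml:AuthnStatement", NS)),
        "attribute": len(assertion.findall("saml:AttributeStatement", NS)),
        "authz_decision": len(assertion.findall("saml:AuthzDecisionStatement", NS)),
    }
    if sum(statements.values()) == 0:
        findings.append("assertion carries no statements")

    # Presence check only: a real SP verifies the XML-DSig against the IdP certificate
    # from metadata (e.g. with an xmlsec-based library) before reading any field.
    signed = any(e.find("ds:Signature", NS) is not None for e in (root, assertion))
    if not signed:
        findings.append("no XML signature on Response or Assertion; contents cannot be trusted")

    # SP-initiated responses answer a request this SP issued; IdP-initiated ones do not.
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        if not allow_unsolicited:
            findings.append("unsolicited (IdP-initiated) response rejected")
    elif in_response_to not in outstanding_request_ids:
        findings.append("InResponseTo does not match an outstanding AuthnRequest")

    return {"ok": not findings, "findings": findings, "subject": subject,
            "statements": statements, "signed": signed,
            "sp_initiated": in_response_to is not None}


if __name__ == "__main__":
    now = parse_saml_time("2024-01-01T12:01:00Z")
    for label, xml in (("SP-initiated", SAMPLE_RESPONSE), ("IdP-initiated", SAMPLE_UNSOLICITED)):
        result = validate_response(xml, "https://idp.example.test/metadata",
                                   "https://sp.example.test/saml", now, {"_req-abc123"})
        print(label, result["ok"], result["findings"])
```

The signature check here is presence-only; in a deployment the XML-DSig must be verified against the IdP's certificate from its metadata before any field is read, and unsolicited responses should stay rejected unless IdP-initiated sign-in has been deliberately enabled for that IdP.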

Sources