
Security Assertion Markup Language (SAML 2.0) Implementation with Active Directory Federation Services (AD FS)

INTRODUCTION
Single Sign-On: Over the years, various products have been marketed with the claim of providing
support for web-based SSO. These products have typically relied on browser cookies to maintain
user authentication state information so that re-authentication is not required each time the web user
accesses the system. However, since browser cookies are never transmitted between DNS domains,
the authentication state information in the cookies from one domain is never available to another
domain. Therefore, these products have typically supported multi-domain SSO (MDSSO) through
the use of proprietary mechanisms to pass the authentication state information between the domains.
While the use of a single vendor's product may sometimes be viable within a single enterprise,
business partners usually have heterogeneous environments that make the use of proprietary
protocols impractical for MDSSO. SAML solves the MDSSO problem by providing a standard
vendor-independent grammar and protocol for transferring information about a user from one web
server to another independent of the server DNS domains.

What is SAML and how it works


Single Sign On (SSO) is a property of access control of multiple related, but independent
software systems. With this property a user logs in once and gains access to all systems without
being prompted to log in again at each of them.
As different applications and resources support different authentication mechanisms, single sign-on
must internally translate and store credentials for the different mechanisms, from the credential used
for initial authentication.

Security Assertion Markup Language


SAML is an open, XML-based standard for web browser single sign-on. It provides a
solution for exchanging user security information between an enterprise and a service provider.
Simply put, with SAML a user can log in to one system in an environment and is then able to access
other systems in that environment without needing to log in again (until the web browser session
is ended).

SAML Roles:
There are three entities involved with SAML Web Browser SSO - Identity Provider (IdP),
Service Provider (SP), and an end-user. The Identity Provider maintains a directory of users and an
authentication mechanism to authenticate them. The Service Provider is the target application that a
user tries to use. The user must be registered in the IdP.

Img.1. SAML2.0 diagram.

1. The user accesses the SAML-secured application at the Service Provider.
2. The SP sends a request to a pre-registered IdP for authentication.
3. If the user is not authenticated yet, the IdP interacts with the user to ask for credentials.
4. The IdP sends a response to the SP with the token for the user.

Img.2. SAML2.0 Architecture.


SAML 2.0 defines XML-based assertions and protocols, bindings, and profiles.

Assertions
Assertions contain statements that Service Providers use for access-control decisions.
Assertions are usually requested from an Identity Provider by a Service Provider. SAML defines
three types of statements:

1. Authentication assertions - The assertion subject was authenticated at a given time via an
authentication mechanism
2. Attribute assertions - The assertion subject is associated with the supplied attributes
3. Authorization decision assertions - A request to allow the assertion subject to access the
specified resource has been granted or denied

Protocols
SAML 2.0 has introduced considerable improvements and additions over SAML 1.1 and is not
backward-compatible. SAML 2.0 core provides the following protocols:

Authentication Request Protocol - When a principal/user wishes to obtain assertions containing authentication statements to establish a security context at one or more relying parties, it can use the authentication request.

Assertion Query and Request Protocol - Messages and processing rules for requesting existing assertions by reference or querying for assertions by subject and statement type.

Artifact Resolution Protocol - Provides a mechanism by which SAML protocol messages can be transported in a SAML binding by reference instead of by value.

Name Identifier Management Protocol - Provides a way to inform the service providers that the names and format of the subject or the issuer have changed.

Name Identifier Mapping Protocol - Maps the identity of a user across different SPs with the consent of the issuing authority.

Single Logout Protocol - Provides a message exchange protocol by which all sessions provided by a particular session authority are terminated.

Bindings

HTTP Redirect Binding
HTTP POST Binding
HTTP Artifact Binding
SAML SOAP Binding
Reverse SOAP (PAOS) Binding
SAML URI Binding

Profiles
SAML profiles define the use of SAML assertions and request-response messages in
communication protocols and frameworks.

Web Browser SSO Profile
Single Logout Profile
Assertion Query/Request Profile
Identity Provider Discovery Profile
Enhanced Client or Proxy (ECP) Profile
Name Identifier Management Profile
Name Identifier Mapping Profile

Benefits of SAML

No vendor lock-in - Since SAML is an open standard, you can switch vendor without any impact on the user experience.

User passwords never cross the corporate firewall (in the case of IdP-initiated SAML SSO).

Reusable - Several SPs can connect to one IdP for authentication, and one SP can connect to several IdPs.

Better accessibility.

Eliminates additional credentials, which eliminates opportunities for identity theft.

Eliminates phishing opportunities by reducing the number of times the user needs to log in.

Eliminates the administration and development cost of implementing a proprietary SSO solution.

The SAML Use Case

Roles:
1. Service Provider
Edifecs TM, a business application for healthcare that provides end-to-end visibility and
insight into the entire lifecycle of a healthcare electronic transaction (EDI), from eligibility,
authorization, and claim processing through to payment.
2. Identity Provider - Active Directory Federation Services (AD FS)
AD FS is a software component developed by Microsoft that can be installed on Windows
Server operating systems to provide users with single sign-on access to systems and
applications located across organizational boundaries. It uses a claims-based access control
authorization model to maintain application security and implement federated identity.
3. User Agent
A person who accesses the TM application.

A trusted connection between the SP and the IdP is established using a keystore.

Java keytool is used to generate a keystore containing a public/private key pair and a self-signed
certificate for the SP.

Img.3. SAML2.0 Workflow.

1. Request the target resource at the SP (SAML 2.0 only)
The user (via an HTTP user agent) requests a target resource at the service provider:
https://sp.edifecs.com/tm
The service provider performs a security check on behalf of the target resource. If a valid security
context at the service provider already exists, skip steps 2-7.
2. Redirect to the SSO Service at the IdP (SAML 2.0 only)
The service provider determines the user's preferred identity provider (by unspecified means) and
redirects the user agent to the SSO Service at the identity provider:
https://adfs.edifecs.com/SAML2/SSO/Redirect?SAMLRequest=request

The value of the SAMLRequest parameter is the Base64 encoding of a deflated
<samlp:AuthnRequest> element.
3. Request the SSO Service at the IdP (SAML 2.0 only)
The user agent issues a GET request to the SSO service at the identity provider where the value of
the SAMLRequest parameter is taken from the URL query string at step 2. The SSO service
processes the AuthnRequest and performs a security check. If the user does not have a valid security
context, the identity provider identifies the user (details omitted).
4. Respond with an XHTML form
The SSO service validates the request and responds with a document containing an XHTML form.
5. Request the Assertion Consumer Service at the SP
The user agent issues a POST request to the assertion consumer service at the service provider. The
value of the SAMLResponse parameter is taken from the XHTML form at step 4.
6. Redirect to the target resource
The assertion consumer service processes the response, creates a security context at the service
provider and redirects the user agent to the target resource.
7. Request the target resource at the SP again
The user agent requests the target resource at the service provider (again):
https://sp.edifecs.com/tm
8. Respond with requested resource
Since a security context exists, the service provider returns the resource to the user agent.
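The exchange above, as an added Python example that is not part of this document or of the Edifecs/AD FS products: the SP side encodes the AuthnRequest for the HTTP Redirect binding (step 2), and the assertion consumer service checks a constructed, unsigned response (steps 5-6) before creating a security context. ACS_URL, IDP_ENTITY, the request ID and the user name are assumed values, and XML signature verification against the IdP certificate from the keystore is assumed to have happened before these checks run.

```python
import base64, urllib.parse, zlib, xml.etree.ElementTree as ET
from datetime import datetime

# SP_ENTITY and IDP_SSO are the URLs given on the page; ACS_URL and IDP_ENTITY are assumed values.
SP_ENTITY = "https://sp.edifecs.com/tm"
ACS_URL = "https://sp.edifecs.com/tm/saml/SSO"
IDP_SSO = "https://adfs.edifecs.com/SAML2/SSO/Redirect"
IDP_ENTITY = "http://adfs.edifecs.com/adfs/services/trust"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # SAML UTC dateTime -> aware datetime

def build_redirect_url(request_id, issue_instant):
    """Step 2: SAMLRequest = URL-encoded Base64(raw DEFLATE(<samlp:AuthnRequest>)), the HTTP Redirect binding."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{issue_instant}" Destination="{IDP_SSO}" '
           f'AssertionConsumerServiceURL="{ACS_URL}"><saml:Issuer>{SP_ENTITY}</saml:Issuer></samlp:AuthnRequest>')
    z = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header or checksum
    raw = z.compress(xml.encode()) + z.flush()
    return IDP_SSO + "?" + urllib.parse.urlencode({"SAMLRequest": base64.b64encode(raw).decode()})

def sample_response(in_response_to, not_before, not_on_or_after):
    """Constructed, unsigned SAMLResponse shaped like the one the IdP's XHTML form POSTs in step 5."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" Version="2.0" ID="_r1" '
           f'Destination="{ACS_URL}" InResponseTo="{in_response_to}"><samlp:Status><samlp:StatusCode '
           f'Value="{SUCCESS}"/></samlp:Status><saml:Assertion Version="2.0" ID="_a1"><saml:Issuer>{IDP_ENTITY}'
           f'</saml:Issuer><saml:Subject><saml:NameID>jdoe@edifecs.com</saml:NameID></saml:Subject><saml:Conditions '
           f'NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"><saml:AudienceRestriction><saml:Audience>'
           f'{SP_ENTITY}</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def validate_response(response_b64, outstanding_ids, now):
    """Steps 5-6, SP ACS checks (the XML signature is assumed already verified with the keystore's IdP cert)."""
    root = ET.fromstring(base64.b64decode(response_b64))
    a = root.find("saml:Assertion", NS)
    if a is None:
        return None, "response carries no assertion"
    cond = a.find("saml:Conditions", NS)
    checks = [  # (condition that must hold, reason reported when it does not)
        (root.get("Destination") == ACS_URL, "response not addressed to this ACS"),
        (root.get("InResponseTo") in outstanding_ids, "unsolicited or replayed response"),
        (root.find("samlp:Status/samlp:StatusCode", NS).get("Value") == SUCCESS, "IdP reported failure"),
        (a.find("saml:Issuer", NS).text == IDP_ENTITY, "assertion from an untrusted issuer"),
        (ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter")), "assertion outside validity window"),
        (SP_ENTITY in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)], "wrong audience"),
    ]
    failed = [reason for ok, reason in checks if not ok]
    if failed:
        return None, failed[0]
    outstanding_ids.discard(root.get("InResponseTo"))  # request IDs are single-use, which blocks replay
    return a.find("saml:Subject/saml:NameID", NS).text, "ok"
```

The set of outstanding request IDs stands in for the SP's session store; dropping an ID once it has been consumed is what makes a replayed response fail the InResponseTo check.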
