2.4. SAML2

SAML2 is version 2 of SAML (Security Assertion Markup Language), an XML-based standard for exchanging authentication and authorization data. The document of SAML2 Specifications is available here.

According to SAML2 Specifications, two parties which exchange authentication and authorization data are called SP (Service Provider) and IDP (Identity Provider). IDP issues the security assertion and SP consumes it. The following scenario describes a SAML2 exchange:

  1. A user, via web browser, requests a resource at the SP.

  2. The SP checks and finds no security context for the request, then it redirects to the SSO service.

  3. The browser requests the SSO service at IDP.

  4. The IDP responds with an XHTML form after performing security check and identifying the user. The form contains SAMLResponse value.

  5. The browser requests assertion consumer service at the SP.

  6. The consumer service processes the SAMLResponse, creates a security context and redirects to the target resource.

  7. The browser requests target resource again.

  8. The SP finds a security context, so it returns the target resource.

In this document, two addresses, www.sp.com and www.idp.com, and folders with name $PLATFORM_* are used to respectively represent URLs and home folders of SP and IDP.

eXo Platform can perform both roles SP and IDP; thus, it can integrate with services like Salesforce and Google Apps. See the following subjects:

Copyright ©. All rights reserved. eXo Platform SAS
blog comments powered byDisqus