Archive for April 22, 2006

SAML

SAML stands for Security Assertion Markup Language. It is a standard that defines a framework for communicating authentication and authorization details between services that may be located in geographically different places and owned by different businesses. You must have visited some sites from the MSN or Yahoo site that use your already authenticated user id to provide their services. To give you a more concrete example, let us take an online airline ticketing system. Apart from helping you book your tickets, this system provides the ability to book hotel rooms. Now the airline system may have tie-ups with different hotel business partners who have their own room reservation services. So when you log in to the airline reservation system and want to book a hotel room, your authentication and authorization information is sent as part of the request to the hotel reservation service. The hotel reservation service trusts requests from the airline reservation system (a contract is established) and uses that information to book you a room. The concept of using a single authentication mechanism across business boundaries is called “Single Sign On” (SSO). SAML helps in achieving SSO.

A good example here would be the MSN or Yahoo site, where you have different categories of service and can switch between them without the need to log in every time you switch. SSO is achieved by different proprietary security tools, but what if the different services use different security tools? SAML comes to your help in this case.

To explain this, consider another scenario. You have services that interact with each other, span across domains and are hosted by different parties. In each service you have registered with a different email id. Assume the same airline and hotel reservation services. The mail id you have registered in the airline reservation system might be jamesbond@detective.com and in the hotel reservation system it might be bond007@goldeneye.com. SAML allows you to link these two and tell the service provider that it is James Bond for whom the reservation is required and that his mail id registered in your service is bond007@goldeneye.com. This concept of name identifier management across domains with SSO is called ‘Federated Services’.

SAML is based on XML standards created by OASIS and is part of the message exchanged between the services. A SAML request/response has two parties. The party that sends security information about a user is called the “Identity Provider”. The party that receives the security information and uses it to provide the service is called the “Service Provider”. The Identity Provider can send not only authentication information but also authorization and user profile information that may be of use to the service provider. For example, the request sent by the airline reservation system to the hotel reservation service could state that the user is a gold member, so provide some discount on the room tariff or provide a first class suite. Look at some sample SAML XML on Wikipedia.
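To make the Identity Provider / Service Provider roles concrete, here is an added example (not from the original post) of the checks the hotel's Service Provider side should run on a SAML 2.0 assertion issued by the airline before honouring it: trusted issuer, validity window, audience, then extraction of the subject and the "gold member" attribute. The assertion and the `airline.example` / `hotel.example` entity ids are constructed for illustration, and XML Signature verification is assumed to have been done by the caller.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample assertion (hypothetical entity ids): the airline, as Identity
# Provider, vouches for the user and adds an attribute the hotel can act on.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2006-04-22T10:00:00Z">
  <saml:Issuer>https://airline.example/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">bond007@goldeneye.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2006-04-22T09:55:00Z" NotOnOrAfter="2006-04-22T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://hotel.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="membershipLevel">
      <saml:AttributeValue>gold</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
TRUSTED_ISSUERS = {"https://airline.example/idp"}   # fixed by the business contract
MY_ENTITY_ID = "https://hotel.example/sp"

def parse_instant(s):
    """SAML timestamps are UTC; compare them as timezone-aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now, trusted=TRUSTED_ISSUERS, audience=MY_ENTITY_ID):
    """Service Provider checks before acting on an assertion. Assumes the XML
    Signature was already verified. Returns (subject NameID, attributes)."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted:
        raise ValueError(f"untrusted issuer: {issuer}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions element")
    if not (parse_instant(cond.get("NotBefore")) <= now < parse_instant(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion is not addressed to this Service Provider")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return subject, attrs
```

Rejecting an assertion that names a different audience or is presented outside its window is what stops one partner's assertion from being replayed at another service.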




This work is licensed under a Creative Commons Attribution-ShareAlike 2.5 License.