Identity Systems – Distributing Authentication and Authorization

Any automated identity system needs some way of both creating and distributing authentication and authorization assertions. One of the most famous is of course Kerberos, which has its own methods for meeting this requirement. However, many digital systems are now starting to use SAML, the Security Assertion Markup Language, and it is becoming the de facto security credential standard.

SAML of course uses XML as the standard representation for security credentials, but it also defines a protocol for requesting and receiving credential data from a SAML authority. One of the key benefits of SAML is that using it is pretty straightforward; this fact alone has increased its usage considerably. A client makes a request about a subject to the SAML authority. The authority in turn makes assertions about the identity of the subject with regard to a particular security domain. To take one simple example, the subject could be identified by an email address linked to its originating DNS domain.

So what exactly is a SAML authority? Quite simply, it is a service (usually online) that responds to SAML requests; the statements it returns in response are called assertions. There are three different types of SAML authority which can be queried – authentication authorities, attribute authorities and policy decision points (PDPs). Each type of authority returns a distinct type of assertion –

  • SAML authentication assertions
  • SAML attribute assertions
  • SAML authorization assertions

Although there are three different definitions here, in practice most authorities are set up to produce every type of assertion. Sometimes, in very specific applications, you’ll find an authority designed to produce only a particular subset, but this is quite rare, especially in online applications, although such authorities are sometimes used for proxy authorisation. All assertions, however, contain certain common elements: an issuer ID, a time stamp, an assertion ID, and a subject consisting of a security domain and a name.

Each SAML attribute request begins with the standard syntax – <samlp:Request…..> – and its content then refers to the specific parts of the request. This could be virtually anything, but in practice it is often something straightforward, like asking which department or domain an email address is associated with.
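The following is an added example, not code from the original article or from any SAML product, illustrating both the attribute request just described and the common assertion elements listed above. It builds a SAML 1.1 `<samlp:Request>` carrying an `AttributeQuery` that asks an attribute authority which department an email address belongs to, and it parses a constructed sample assertion, checking the issuer against a trusted list, the timestamps against a validity window, the presence of an assertion ID, and the subject's security domain, before classifying the statements it carries as authentication, attribute or authorization assertions. The SAML 1.0/1.1 namespaces and the email-address NameIdentifier format are the real ones; the attribute namespace, the issuer name, the subject and the fixed clock are constructed for the example. It assumes the assertion's XML signature has already been verified by the caller, which is where trust in the issuer actually comes from.

```python
"""Build a SAML 1.1 attribute query and validate a returned assertion (added
example; standard library only, constructed sample data)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.x assertion namespace
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"   # SAML 1.x request/response namespace
ATTR_NS = "urn:example:attributes"                # hypothetical attribute namespace
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

# Statement element names mapped to the three assertion types the text lists.
STATEMENT_TYPES = {"AuthenticationStatement": "authentication",
                   "AttributeStatement": "attribute",
                   "AuthorizationDecisionStatement": "authorization"}

def _ts(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
def _parse_ts(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_attribute_request(email, domain, attribute_name, now):
    """<samlp:Request> asking an attribute authority one question about a subject
    identified by an email address plus its security domain (NameQualifier)."""
    req = ET.Element(f"{{{SAMLP}}}Request", {
        "RequestID": "_" + uuid.uuid4().hex,   # lets the client match the response
        "MajorVersion": "1", "MinorVersion": "1", "IssueInstant": _ts(now)})
    query = ET.SubElement(req, f"{{{SAMLP}}}AttributeQuery")
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    nid = ET.SubElement(subject, f"{{{SAML}}}NameIdentifier", {
        "NameQualifier": domain,
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"})
    nid.text = email
    ET.SubElement(query, f"{{{SAML}}}AttributeDesignator",
                  {"AttributeName": attribute_name, "AttributeNamespace": ATTR_NS})
    return ET.tostring(req, encoding="unicode")

def parse_assertion(xml_text, trusted_issuers, expected_domain, now, skew=timedelta(minutes=2)):
    """Check the elements every assertion carries (issuer, timestamps, assertion ID,
    subject with its security domain) and return them with the statement types found.
    Assumes the XML signature over the assertion was verified before calling this."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a SAML assertion")
    issuer = root.get("Issuer")
    if issuer not in trusted_issuers:
        raise ValueError(f"untrusted issuer {issuer!r}")
    assertion_id = root.get("AssertionID")
    if not assertion_id:
        raise ValueError("missing AssertionID")
    issued = _parse_ts(root.get("IssueInstant"))
    if issued > now + skew:
        raise ValueError("IssueInstant is in the future")
    cond = root.find(f"{{{SAML}}}Conditions")
    if cond is not None:   # validity window, with a small clock-skew tolerance
        if cond.get("NotBefore") and now + skew < _parse_ts(cond.get("NotBefore")):
            raise ValueError("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= _parse_ts(cond.get("NotOnOrAfter")):
            raise ValueError("assertion expired")
    statements, subjects, attributes = [], set(), {}
    for child in root:
        local = child.tag.rsplit("}", 1)[-1]
        if local not in STATEMENT_TYPES:
            continue
        statements.append(STATEMENT_TYPES[local])
        nid = child.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
        if nid is None:
            raise ValueError(f"{local} has no subject")
        if nid.get("NameQualifier") != expected_domain:
            raise ValueError("subject belongs to an unexpected security domain")
        subjects.add((nid.get("NameQualifier"), nid.text))
        for attr in child.findall(f"{{{SAML}}}Attribute"):
            attributes[attr.get("AttributeName")] = [
                v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")]
    if not statements:
        raise ValueError("assertion carries no statements")
    return {"issuer": issuer, "assertion_id": assertion_id, "issue_instant": issued,
            "statements": statements, "subjects": sorted(subjects), "attributes": attributes}

# Constructed sample: a fixed clock and the attribute assertion an authority might return.
NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="1"
    AssertionID="_a1b2c3" Issuer="idp.example.com" IssueInstant="2024-01-15T11:59:30Z">
  <saml:Conditions NotBefore="2024-01-15T11:59:00Z" NotOnOrAfter="2024-01-15T12:04:30Z"/>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="example.com">alice@example.com</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="department" AttributeNamespace="{ATTR_NS}">
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(build_attribute_request("alice@example.com", "example.com", "department", NOW))
    print(parse_assertion(SAMPLE_ASSERTION, {"idp.example.com"}, "example.com", NOW))
```

Rejecting an assertion whose `NameQualifier` is not the security domain the client expected is the check that keeps one domain's attribute authority from speaking for another; the validity window and the trusted-issuer list are the other two checks a relying party should never skip, and all three only mean something once the signature over the assertion has been verified.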

Source: Sam Wilkin – IT Consultant