The SAML specifications provide a system of building blocks and support components for achieving secure data exchange in an identity federation. These include:
- Authentication Context
Assertions are XML documents sent from an IdP to an SP. Each assertion contains identifying information about a user who has initiated an SSO request.
A SAML binding describes the way messages are exchanged using transport protocols. PingFederate supports the following bindings:
- HTTP POST
- Describes how SAML messages are transported in HTML form-control content, which uses a base-64 format.
- HTTP Artifact
- Describes how to use an artifact to represent a SAML message. The artifact can be transported via an HTML form control or a query string in the URL.
- HTTP Redirect (SAML 2.0)
- Describes how SAML messages are transported using HTTP 302 status-code response messages.
- SOAP (SAML 2.0)
- Describes how SAML messages are to be transferred across the back channel (Simple Object Access Protocol).
Profiles describe processes and message flows combining assertions, request/response message specifications, and bindings to achieve a specific desired functionality or use case. Profiles define the application of the specifications and therefore play a large part in PingFederate.
SAML 2.0 defines an XML schema to standardize metadata to facilitate the exchange of configuration information among federation partners. This information includes, for example, profile and binding support, connection endpoints, and certificate information.
Whether you are publishing or consuming metadata, PingFederate supports the use of XML digital signatures to ensure the integrity of the data.
Before allowing access to a protected resource, an SP may want information surrounding how the user was originally authenticated by the IdP, in addition to the assertion itself. The SP may use this information for an access control decision or to provide an audit trail for regulatory or security-policy compliance.
The SAML 2.0 specification provides an XML schema whereby partners can create authentication-context declarations. Partners may choose to reference a URI to implement a set of classes provided by the specification to help categorize and simplify context interpretation (see the OASIS document: saml-authn-context-2.0-os.pdf). However, it is up to partners to decide if additional authentication context is required and if these classes supply an adequate description. For SAML 1.x, the authentication context (called AuthenticationMethod), if used, must be specified as a URI (see oasis-sstc-saml-core-1.1.pdf).
An administrator can configure PingFederate, acting as an IdP, to include a specific authentication context in assertions for Browser SSO or WS-Trust.
Alternatively, several PingFederate integration kits provide methods that can be used by the developer to insert authentication context from external IdP applications into the assertion. Conversely, the SP developer can call methods for extracting authentication context from an assertion. Ultimately, it is up to the SP developer and application to create access control or other processing based on the context.