SAML security information is expressed in the form of an assertion about a subject. An assertion is a package of verified security information that supplies one or more statements concerning a subject's authentication status, access authorization decisions, or identity attributes. Assertions are issued by a SAML authority and received by the partner sites that the authority has configured as trusted. A SAML authority can populate an assertion from different sources, including external data stores or assertions that it has already received and verified. The following figure illustrates how SAML interacts with the other components in Access Manager.
Although Federation (as described in Chapter 3, Federation) integrates aspects of the SAML specifications, its usage of SAML is independent of the SAML component as described in this chapter.
SAML allows Access Manager to work in the following ways:
Users can authenticate using Access Manager and access trusted partner sites without having to reauthenticate.
This single sign-on process is independent of the proprietary Access Manager process discussed in the Sun Java System Access Manager 7 2005Q4 Administration Guide.
Access Manager acts as a policy decision point, allowing external applications to access user authorization information for the purpose of granting or denying access to their resources. For example, employees of an organization can be allowed to order office supplies from suppliers if they are authorized to do so.
Access Manager acts as both an attribute authority (allowing trusted partner sites to query a subject’s attributes) and an authentication authority (allowing trusted partner sites to query a subject’s authentication information).
Two parties in different security domains can validate each other for the purpose of performing business transactions.
The SAML API can be used to build Authentication, Authorization Decision, and Attribute Assertions.
The SAML service allows an XML-based digital signature implementation, used to sign and verify assertions, to be plugged into it.
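The following is an added example, not code from the Access Manager SAML API or from this guide. It shows the three kinds of statement an assertion can carry (authentication, attribute, and authorization decision), the relying-party checks a trusted partner site performs before acting on an assertion (trusted issuer, intact signature, validity window), and the plug-in shape of the signing and verification step. The element and attribute names follow the SAML 1.x assertion schema, but the `HmacSignaturePlugin` class, the `urn:example:*` namespaces, the issuer and subject values, and the timestamps are all constructed for the example; the HMAC plug-in is a stand-in for an XML digital signature provider so that the flow runs with the standard library alone.

```python
"""Constructed example: build a SAML 1.x-style assertion carrying the three
statement kinds, attach a pluggable signature, and validate it the way a
trusted partner site would.  Not Access Manager's own API."""
import calendar
import copy
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SIG_NS = "urn:example:stand-in-signature"   # constructed; a real plug-in emits XML-DSig
ET.register_namespace("saml", NS)
ET.register_namespace("sig", SIG_NS)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def q(tag, ns=NS):
    return "{%s}%s" % (ns, tag)


def iso(ts):
    return time.strftime(TIME_FMT, time.gmtime(ts))


def parse_iso(s):
    return calendar.timegm(time.strptime(s, TIME_FMT))


class HmacSignaturePlugin:
    """Stand-in for the pluggable signature provider: HMAC-SHA256 over the
    serialized assertion.  A production deployment plugs an XML-DSig
    implementation (asymmetric keys, certificates) behind the same two calls."""

    def __init__(self, key):
        self.key = key

    def sign(self, data):
        return hmac.new(self.key, data, hashlib.sha256).hexdigest()

    def verify(self, data, sig):
        return hmac.compare_digest(self.sign(data), sig)


def _subject(parent, name):
    subj = ET.SubElement(parent, q("Subject"))
    ET.SubElement(subj, q("NameIdentifier")).text = name


def build_assertion(issuer, subject, attributes, resource, decision,
                    issued_at, plugin, lifetime_s=300):
    """Authority side: one assertion with an AuthenticationStatement, an
    AttributeStatement and an AuthorizationDecisionStatement, then signed."""
    a = ET.Element(q("Assertion"), {
        "MajorVersion": "1", "MinorVersion": "1",
        "AssertionID": "id-%d" % issued_at, "Issuer": issuer,
        "IssueInstant": iso(issued_at)})
    ET.SubElement(a, q("Conditions"), {
        "NotBefore": iso(issued_at), "NotOnOrAfter": iso(issued_at + lifetime_s)})
    authn = ET.SubElement(a, q("AuthenticationStatement"), {
        "AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:password",
        "AuthenticationInstant": iso(issued_at)})
    _subject(authn, subject)
    attr_st = ET.SubElement(a, q("AttributeStatement"))
    _subject(attr_st, subject)
    for name, value in attributes.items():
        attr = ET.SubElement(attr_st, q("Attribute"), {
            "AttributeName": name, "AttributeNamespace": "urn:example:attrs"})
        ET.SubElement(attr, q("AttributeValue")).text = value
    authz = ET.SubElement(a, q("AuthorizationDecisionStatement"), {
        "Resource": resource, "Decision": decision})
    _subject(authz, subject)
    ET.SubElement(authz, q("Action"), {
        "Namespace": "urn:oasis:names:tc:SAML:1.0:action:rwedc"}).text = "Execute"
    # Sign the serialized assertion before the signature element is appended,
    # so the verifier can strip that element and recompute over the same bytes.
    sig_value = plugin.sign(ET.tostring(a))
    ET.SubElement(a, q("Value", SIG_NS)).text = sig_value
    return ET.tostring(a)


def validate(assertion_xml, trusted_issuers, plugin, now):
    """Relying-party side: reject untrusted issuers, unsigned or altered
    assertions and assertions outside their validity window; only then read
    what the statements say."""
    a = ET.fromstring(assertion_xml)
    errors = []
    if a.get("Issuer") not in trusted_issuers:
        errors.append("untrusted issuer %r" % a.get("Issuer"))
    sig = a.find(q("Value", SIG_NS))
    if sig is None:
        errors.append("assertion is not signed")
    else:
        unsigned = copy.deepcopy(a)
        unsigned.remove(unsigned.find(q("Value", SIG_NS)))
        if not plugin.verify(ET.tostring(unsigned), sig.text or ""):
            errors.append("signature does not verify")
    cond = a.find(q("Conditions"))
    if cond is None:
        errors.append("no Conditions element")
    else:
        if now < parse_iso(cond.get("NotBefore")):
            errors.append("assertion not yet valid")
        if now >= parse_iso(cond.get("NotOnOrAfter")):
            errors.append("assertion expired")
    result = {"ok": not errors, "errors": errors}
    if errors:
        return result
    authn = a.find(q("AuthenticationStatement"))
    result["subject"] = authn.find(q("Subject") + "/" + q("NameIdentifier")).text
    result["authn_method"] = authn.get("AuthenticationMethod")
    result["attributes"] = {at.get("AttributeName"): at.find(q("AttributeValue")).text
                            for at in a.iter(q("Attribute"))}
    authz = a.find(q("AuthorizationDecisionStatement"))
    result["decision"] = (authz.get("Resource"), authz.get("Decision"))
    return result


if __name__ == "__main__":
    plugin = HmacSignaturePlugin(b"constructed-shared-key")
    issued = 1_700_000_000
    xml_bytes = build_assertion("https://idp.example.test", "alice",
                                {"mail": "alice@example.test", "role": "purchaser"},
                                "https://supplier.example.test/order", "Permit",
                                issued, plugin)
    print(validate(xml_bytes, {"https://idp.example.test"}, plugin, issued + 10))
    altered = xml_bytes.replace(b">purchaser<", b">approver<")
    print(validate(altered, {"https://idp.example.test"}, plugin, issued + 10)["errors"])
    print(validate(xml_bytes, {"https://idp.example.test"}, plugin, issued + 600)["errors"])
```

The order of checks in `validate` is the point for a partner site: the issuer and signature are verified before any attribute or decision is read, so an altered attribute value or a forged issuer never reaches the code that grants access, and an expired assertion is refused even when its signature is intact.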