SAML

Security Assertion Markup Language (SAML) is an XML-based framework for describing and exchanging security information between multiple service partners. This security information is expressed in the form of SAML assertions that can be trusted by applications that work across security domain boundaries. The OASIS SAML standard defines the SAML syntax and the rules for defining and using SAML assertions.

Stabilized feature: Support for SAML using the CICS® Security Token Service is stabilized. See also Stabilization notices and discontinued functions.

CICS TS 6.3: Support for SAML using the CICS Security Token Service is removed as of CICS TS 6.3.

CICS TS 6.2: If this function is used, the CICS_STABILIZED_FUNCTIONS health check issues message DFHH0955.

To see which CICS access methods support SAML, see Which authentication method can I use with which access method?

Why use SAML?

SAML is a commonly used single sign-on (SSO) standard. The SAML framework is used to provide a common source of user role or authority-based security information that can be securely communicated between Service Providers. This concept is also known as Federated Identity. SAML uses Public Key Infrastructure cryptography to protect these asserted identities. SAML is a framework that combines both distributed authentication and authorization.

How SAML works

An assertion is a collection of one or more statements about a principal that are made by a SAML authority. These assertion statements can be of three types:
  • Authentication: a statement that a specified subject is authenticated, with details of the means of authentication and the time it took place.
  • Attribute: a statement that a specified subject has the specified attributes.
  • Authorization decision: a statement that a request to allow the specified subject to access a specified resource is granted or denied.

A user or principal authenticates with an Identity Provider or Security Token Service, which provides a signed SAML token that contains assertions to define the principal’s role and authority to a Service Provider.

Support in CICS for SAML

CICS supports the SAML Core 1.1 and SAML Core 2.0 standards. It does not support the protocols that are described in those standards. CICS supports SAML in a number of ways:
  • As a web service provider, by configuring the WS-Security element of the pipeline.
  • Through an API, which uses a channel-based program, provided for user-written solutions.
Figure 1. CICS support for SAML (diagram showing schematically how CICS SAML support works; the following paragraph describes it)
The diagram shows the flow of a SAML assertion in a CICS environment that is configured to perform single sign-on (SSO) through web services. The assertion is augmented at some point in the flow through the addition of new attributes. The provider and requester pipelines are configured to support SAML and to use the transaction channel.

For more information about setting up SAML, see Configuring CICS for SAML.