SAML 1.1

Edit online

IBM Verify Identity Access supports SAML 1.1.

If you and your partner choose to use SAML 1.1 in your federation, you need to understand the SAML 1.1 support that is provided in IBM Verify Identity Access.

Assertions

The assertions created by IBM Verify Identity Access contain authentication statements, which assert that the principal (that is, the entity requesting access) was authenticated. Assertions can also carry attributes about the user that the identity provider wants to make available to the service provider.

Assertions are usually passed from the identity provider to the service provider.

The following variables control the content of the assertions created by IBM Verify Identity Access:
  • The specification (SAML 1.1) that you select when you establish a federation.
  • The definitions used in the IBM Verify Identity Access identity mapping method that you configure.
Identity mapping specifies how identities are mapped between federation partners.

The IBM Verify Identity Access identity mapping method can either be a custom mapping module or a JavaScript mapping rule.

Protocol

In IBM Verify Identity Access, SAML 1.1 uses a simple request-response protocol to make authentication requests.

Binding

SAML 1.1 uses both plain HTTP (using browser redirects) or SOAP for the transportation of messages. The profile used in the federation further specifies how the communication of the messages takes place.

Profiles

SAML 1.1 specifies two options for profiles:
Browser artifact
Browser artifact uses SOAP-based communications (also called the SOAP backchannel) to exchange an artifact during the establishment and use of a trusted session between an identity provider, a service provider, and a client (browser).
Browser POST
Browser POST uses a self-posting form during the establishment and use of the trusted session between an identity provider, a service provider, and a client (browser).

IBM Verify Identity Access supports browser artifact by default when you select SAML 1.1 as the profile for your federation. However, you can use browser POST in your federation on a per-partner basis. For example, if you are a service provider, you can specify that your identity provider partner uses Browser POST when you configure that partner. If you are an identity provider, you can enable the IBM® PROTOCOL extension when configuring a SAML 1.1 federation.

The URL that is used to initiate single sign-on differs depending on whether the identity provider is using this extension. For more information about URLs, see SAML 1.1 initial URL.