SAML profiles

SAML profiles combine protocols, assertions, and bindings to create a federation and enable federated single sign-on.

The following profiles are supported:
Web browser single sign-on

This profile provides options regarding the initiation of the message flow and the transport of the messages:

Flow initiation
The message flow can be initiated from the identity provider or the service provider.
Bindings
The following bindings can be used in the Web browser SSO profile:
  • HTTP redirect
  • HTTP POST
  • HTTP artifact

The choice of binding depends on the type of message being sent. For example, an authentication request message can be sent from a service provider to an identity provider by using HTTP redirect, HTTP POST, or HTTP artifact, whereas the response message can be sent from an identity provider to a service provider by using only HTTP POST or HTTP artifact. The binding is chosen per message, so a pair of partners in a federation does not need to use the same binding for the request and for the response.
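
The following is an added example and not code from the original page or from the product it documents. It shows how the same authentication request is carried by two of the bindings listed above: HTTP redirect (raw DEFLATE, base64, URL-encoded query parameters) and HTTP POST (base64 in a form field), and how the receiving identity provider decodes it and checks the Destination attribute against its own endpoint. The entity IDs and URLs are constructed placeholders, and only the Python standard library is used.

```python
# Added example, not code from the original page or its product: encoding an
# SP-initiated AuthnRequest for the HTTP Redirect and HTTP POST bindings and
# decoding it again as the receiving identity provider would. All URLs and
# entity IDs below are constructed placeholders.
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, idp_sso_url, acs_url):
    """Return (request ID, serialized XML) for an AuthnRequest sent by a service provider.

    ProtocolBinding names how the SP wants the *response* delivered; the
    Web browser SSO profile only allows HTTP POST or HTTP artifact there.
    """
    request_id = "_" + uuid.uuid4().hex
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": BINDING_POST,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    return request_id, ET.tostring(root)


def redirect_binding_url(idp_sso_url, xml_bytes, relay_state=None):
    """HTTP Redirect binding: raw DEFLATE, then base64, then URL-encode into the query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = compressor.compress(xml_bytes) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urlencode(params)


def decode_redirect_binding(url):
    """Identity provider side: recover the message element and RelayState from the redirect URL."""
    query = parse_qs(urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    xml_bytes = zlib.decompress(deflated, -15)
    return ET.fromstring(xml_bytes), query.get("RelayState", [None])[0]


def post_binding_value(xml_bytes):
    """HTTP POST binding: the message is only base64-encoded (no compression) into a form field."""
    return base64.b64encode(xml_bytes).decode("ascii")


def decode_post_binding(form_value):
    return ET.fromstring(base64.b64decode(form_value))


def destination_matches(message_el, own_endpoint_url):
    """A receiver compares Destination with the endpoint the message actually arrived at
    and rejects a mismatch, so a message addressed to one endpoint is not accepted at another."""
    return message_el.get("Destination") == own_endpoint_url


if __name__ == "__main__":
    req_id, xml = build_authn_request("https://sp.example.test/saml",
                                      "https://idp.example.test/sso",
                                      "https://sp.example.test/acs")
    url = redirect_binding_url("https://idp.example.test/sso", xml, relay_state="/app/home")
    print(url)
    element, relay = decode_redirect_binding(url)
    print(element.get("ID") == req_id, relay)
```

The redirect form is the one that fits in a URL because of the DEFLATE step; the POST form carries the uncompressed message, which is why the (larger, signed) response is delivered by POST or artifact rather than by redirect.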

Single Logout
The Single Logout profile is used to terminate all the login sessions currently active for a specified user within the federation. A user who achieves single sign-on to a federation establishes sessions with more than one participant in the federation.

The sessions are managed by a session authority, which in many cases is an identity provider. When the user wants to end sessions with all session participants, the session authority can use the single logout profile to globally terminate all active sessions.

This profile provides options regarding the initiation of the message flow and the transport of the messages:

Flow initiation
The message flow can be initiated from the identity provider or the service provider.
Bindings
The following bindings can be used in the Single Logout profile:
  • HTTP redirect
  • HTTP POST
  • HTTP artifact
  • SOAP
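
The following is an added example and not code from the original page or from the product it documents. It shows the Single Logout profile over the SOAP binding listed above: a session authority (here the identity provider) keeps track of which participants hold a session for a user, sends each one a LogoutRequest naming the user and the session, and only counts the logout as done when the LogoutResponse correlates to its request (InResponseTo) with a Success status. Entity IDs, URLs, users, and the in-memory session stores are constructed placeholders, and only the Python standard library is used.

```python
# Added example, not code from the original page or its product: a session
# authority (identity provider) ending a user's sessions at every participant
# with LogoutRequest messages carried in the SOAP binding, and each participant
# answering with a LogoutResponse. Entity IDs, URLs and users are constructed.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("soapenv", SOAPENV)):
    ET.register_namespace(prefix, uri)


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(issuer, destination, name_id, session_index):
    """LogoutRequest naming the user (NameID) and the one session (SessionIndex) to end."""
    request_id = "_" + uuid.uuid4().hex
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": _now(), "Destination": destination,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return request_id, root


def soap_wrap(message_el):
    """SOAP binding: the SAML message is the sole child of the SOAP Body."""
    envelope = ET.Element(f"{{{SOAPENV}}}Envelope")
    ET.SubElement(envelope, f"{{{SOAPENV}}}Body").append(message_el)
    return ET.tostring(envelope)


def soap_unwrap(soap_bytes):
    body = ET.fromstring(soap_bytes).find(f"{{{SOAPENV}}}Body")
    return body[0]


class SessionParticipant:
    """A service provider holding local sessions keyed by (NameID, SessionIndex)."""

    def __init__(self, entity_id, slo_url):
        self.entity_id = entity_id
        self.slo_url = slo_url
        self.sessions = {}

    def handle_logout(self, soap_bytes):
        request = soap_unwrap(soap_bytes)
        # Accept only a LogoutRequest that is addressed to this endpoint.
        ok = (request.tag == f"{{{SAMLP}}}LogoutRequest"
              and request.get("Destination") == self.slo_url)
        if ok:
            key = (request.findtext(f"{{{SAML}}}NameID"),
                   request.findtext(f"{{{SAMLP}}}SessionIndex"))
            self.sessions.pop(key, None)
        response = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
            "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now(),
            "InResponseTo": request.get("ID", ""),
        })
        ET.SubElement(response, f"{{{SAML}}}Issuer").text = self.entity_id
        status = ET.SubElement(response, f"{{{SAMLP}}}Status")
        ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                      {"Value": STATUS_SUCCESS if ok else STATUS_REQUESTER})
        return soap_wrap(response)


class SessionAuthority:
    """Identity provider that records which participant holds which session for a user."""

    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.registry = {}  # name_id -> [(participant, session_index), ...]

    def register_session(self, name_id, participant, session_index):
        self.registry.setdefault(name_id, []).append((participant, session_index))
        participant.sessions[(name_id, session_index)] = {"user": name_id}

    def single_logout(self, name_id):
        """Send one LogoutRequest per participant; return {entity_id: succeeded} and forget the user."""
        results = {}
        for participant, session_index in self.registry.pop(name_id, []):
            request_id, request = build_logout_request(
                self.entity_id, participant.slo_url, name_id, session_index)
            response = soap_unwrap(participant.handle_logout(soap_wrap(request)))
            code = response.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")
            # Correlate the answer with our own request before counting the logout as done.
            results[participant.entity_id] = (response.get("InResponseTo") == request_id
                                              and code == STATUS_SUCCESS)
        return results
```

The SOAP binding is used here because the session authority talks to each participant directly, without the user's browser in the path; the front-channel bindings (HTTP redirect, POST, artifact) would instead bounce the browser through each participant in turn. In a deployment the messages would also be signed or sent over mutually authenticated TLS, which this illustration omits.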

Name Identifier Management
The Name Identifier Management profile manages user identities that are exchanged between identity providers and service providers.

This profile can be used by identity providers or service providers to inform their partners when there is a change in user aliases.

This profile can also be used by identity providers or service providers to terminate user linkages at the partners.

To manage the aliases, the Federation module uses a function that is called the alias service. The alias service stores and retrieves the aliases that are related to a federated identity. User aliases are stored in, and retrieved from, a high-volume database.

This profile provides options regarding the initiation of the message flow and the transport of the messages:

Flow initiation
The message flow can be initiated from the identity provider or the service provider.
Bindings
The following bindings can be used in the Name Identifier Management profile:
  • HTTP redirect
  • HTTP POST
  • HTTP artifact
  • SOAP
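
The following is an added example and not code from the original page or from the product it documents. It shows the two operations of the Name Identifier Management profile described above applied to a simple alias service: a ManageNameIDRequest that carries a NewID replaces the alias a partner uses for a local user, and one that carries Terminate removes the linkage. The alias store keys each alias by the partner that issued the request, so one partner cannot change or end another partner's linkages. Entity IDs, aliases, and users are constructed placeholders, the store is an in-memory dictionary standing in for the database the page mentions, and only the Python standard library is used.

```python
# Added example, not code from the original page or its product: an alias
# service that stores the alias a partner uses for a local user and applies
# ManageNameIDRequest messages to it (NewID replaces the alias, Terminate
# removes the linkage). Partner IDs, aliases and users are constructed.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_manage_nameid_request(issuer, current_alias, new_alias=None, terminate=False):
    """ManageNameIDRequest carrying either a NewID or a Terminate element, never both."""
    if terminate == bool(new_alias):
        raise ValueError("specify exactly one of new_alias or terminate")
    root = ET.Element(f"{{{SAMLP}}}ManageNameIDRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now(),
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID").text = current_alias
    if terminate:
        ET.SubElement(root, f"{{{SAMLP}}}Terminate")
    else:
        ET.SubElement(root, f"{{{SAMLP}}}NewID").text = new_alias
    return root


def status_code(response_el):
    return response_el.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")


class AliasService:
    """Maps (partner entity ID, alias) to the local user the alias stands for."""

    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.by_alias = {}  # stand-in for the alias database

    def link(self, partner, alias, local_user):
        self.by_alias[(partner, alias)] = local_user

    def lookup(self, partner, alias):
        return self.by_alias.get((partner, alias))

    def handle(self, request_el):
        """Apply a partner's ManageNameIDRequest; the Issuer scopes which aliases it may change."""
        partner = request_el.findtext(f"{{{SAML}}}Issuer")
        alias = request_el.findtext(f"{{{SAML}}}NameID")
        new_alias = request_el.findtext(f"{{{SAMLP}}}NewID")
        terminate = request_el.find(f"{{{SAMLP}}}Terminate") is not None
        local_user = self.by_alias.get((partner, alias))
        if local_user is None:
            status = STATUS_UNKNOWN_PRINCIPAL      # no linkage for this partner and alias
        elif terminate and not new_alias:
            del self.by_alias[(partner, alias)]    # end the federation for this user
            status = STATUS_SUCCESS
        elif new_alias and not terminate:
            del self.by_alias[(partner, alias)]    # the partner now knows the user by NewID
            self.by_alias[(partner, new_alias)] = local_user
            status = STATUS_SUCCESS
        else:
            status = STATUS_REQUESTER              # malformed: neither or both operations
        response = ET.Element(f"{{{SAMLP}}}ManageNameIDResponse", {
            "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now(),
            "InResponseTo": request_el.get("ID", ""),
        })
        ET.SubElement(response, f"{{{SAML}}}Issuer").text = self.entity_id
        status_el = ET.SubElement(response, f"{{{SAMLP}}}Status")
        ET.SubElement(status_el, f"{{{SAMLP}}}StatusCode", {"Value": status})
        return response
```

Keying the store by the requesting partner is the check that matters here: an alias is only meaningful within one partnership, and a request from a different issuer for the same alias string must come back as UnknownPrincipal rather than alter or terminate someone else's linkage. Whether the request arrives by SOAP or by one of the browser bindings does not change this handling.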