SAML 1.1

IBM Security Access Manager supports SAML 1.1.

If you and your partner choose to use SAML 1.1 in your federation, you need to understand the SAML 1.1 support that is provided in IBM Security Access Manager.

Assertions

The assertions created by IBM Security Access Manager contain authentication statements, which assert that the principal (that is, the entity requesting access) was authenticated. Assertions can also carry attributes about the user that the identity provider wants to make available to the service provider.

Assertions are usually passed from the identity provider to the service provider.

The following variables control the content of the assertions created by IBM Security Access Manager:

The specification (SAML 1.1) that you select when you establish a federation.
The definitions used in the IBM Security Access Manager identity mapping method that you configure.

Identity mapping specifies how identities are mapped between federation partners.

The IBM Security Access Manager identity mapping method can either be a custom mapping module or a JavaScript mapping rule.

Protocol

In IBM Security Access Manager, SAML 1.1 uses a simple request-response protocol to make authentication requests.

Binding

SAML 1.1 uses both plain HTTP (using browser redirects) or SOAP for the transportation of messages. The profile used in the federation further specifies how the communication of the messages takes place.

Profiles

SAML 1.1 specifies two options for profiles:

Browser artifact: Browser artifact uses SOAP-based communications (also called the SOAP backchannel) to exchange an artifact during the establishment and use of a trusted session between an identity provider, a service provider, and a client (browser).
Browser POST: Browser POST uses a self-posting form during the establishment and use of the trusted session between an identity provider, a service provider, and a client (browser).

IBM Security Access Manager supports browser artifact by default when you select SAML 1.1 as the profile for your federation. However, you can use browser POST in your federation on a per-partner basis. For example, if you are a service provider, you can specify that your identity provider partner uses Browser POST when you configure that partner. If you are an identity provider, you can enable the IBM® PROTOCOL extension when configuring a SAML 1.1 federation.

The URL that is used to initiate single sign-on differs depending on whether the identity provider is using this extension. For more information about URLs, see SAML 1.1 initial URL.