SAML 1.1
IBM Security Access Manager supports SAML 1.1.
If you and your partner choose to use SAML 1.1 in your federation, you need to understand the SAML 1.1 support that is provided in IBM Security Access Manager.
Assertions
The assertions created by IBM Security Access Manager contain authentication statements, which assert that the principal (that is, the entity requesting access) was authenticated. Assertions can also carry attributes about the user that the identity provider wants to make available to the service provider.
Assertions are usually passed from the identity provider to the service provider. The content of an assertion is determined by:
- The specification (SAML 1.1) that you select when you establish a federation.
- The definitions used in the IBM Security Access Manager identity mapping method that you configure.
The IBM Security Access Manager identity mapping method can either be a custom mapping module or a JavaScript mapping rule.
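As an added illustration (not product code), the following shows what a service provider must check in a SAML 1.1 assertion of the kind described above before trusting its authentication statement and attributes: version, validity window, audience, and the presence of an authentication statement. The assertion, issuer and attribute names are constructed for the example; signature verification is assumed to have happened already.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 1.1 assertions keep the 1.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample assertion (not product output); names and values are invented.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
 MajorVersion="1" MinorVersion="1" AssertionID="_constructed-1"
 Issuer="https://idp.example.test" IssueInstant="2024-01-01T12:00:00Z">
 <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
  <saml:AudienceRestrictionCondition><saml:Audience>https://sp.example.test</saml:Audience>
  </saml:AudienceRestrictionCondition></saml:Conditions>
 <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
  AuthenticationInstant="2024-01-01T12:00:00Z">
  <saml:Subject><saml:NameIdentifier>alice@example.test</saml:NameIdentifier></saml:Subject>
 </saml:AuthenticationStatement>
 <saml:AttributeStatement>
  <saml:Subject><saml:NameIdentifier>alice@example.test</saml:NameIdentifier></saml:Subject>
  <saml:Attribute AttributeName="group" AttributeNamespace="urn:example:attrs">
   <saml:AttributeValue>staff</saml:AttributeValue><saml:AttributeValue>admins</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_assertion(xml_text, expected_audience, now):
    """Return (principal, attributes) or raise ValueError. Signature verification
    happens before identity mapping and is out of scope for this example."""
    root = ET.fromstring(xml_text)  # use defusedxml for untrusted input
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        raise ValueError("not a SAML 1.1 assertion")
    # Conditions are optional in the schema; a service provider should still refuse
    # an assertion that carries no validity window.
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("missing Conditions or outside validity window")
    if expected_audience not in [a.text for a in cond.iterfind(".//saml:Audience", NS)]:
        raise ValueError("assertion not addressed to this service provider")
    auth = root.find("saml:AuthenticationStatement", NS)
    if auth is None:
        raise ValueError("no AuthenticationStatement: principal not authenticated")
    principal = auth.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS)
    # AttributeStatement is optional: the attributes the identity provider chose to release.
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("AttributeName")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return principal, attrs
```

The returned principal and attribute map are the inputs an identity mapping rule would then work on.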
Protocol
In IBM Security Access Manager, SAML 1.1 uses a simple request-response protocol to make authentication requests.
Binding
SAML 1.1 uses either plain HTTP (using browser redirects) or SOAP for the transport of messages. The profile used in the federation further specifies how the communication of the messages takes place.
Profiles
- Browser artifact: Uses SOAP-based communications (also called the SOAP backchannel) to exchange an artifact during the establishment and use of a trusted session between an identity provider, a service provider, and a client (browser).
- Browser POST: Uses a self-posting form during the establishment and use of the trusted session between an identity provider, a service provider, and a client (browser).
IBM Security Access Manager supports browser artifact by default when you select SAML 1.1 as the profile for your federation. However, you can use browser POST in your federation on a per-partner basis. For example, if you are a service provider, you can specify that your identity provider partner uses Browser POST when you configure that partner. If you are an identity provider, you can enable the IBM® PROTOCOL extension when configuring a SAML 1.1 federation.
The URL that is used to initiate single sign-on differs depending on whether the identity provider is using this extension. For more information about URLs, see SAML 1.1 initial URL.