SAML 2.0

The Federation Module relies on the SAML 2.0 specification to establish a federation and to initialize and manage single sign-on.

Assertions

The assertions contain authentication statements. These authentication statements assert that the principal (that is, the entity that requests access) was authenticated. Assertions can also carry attributes about the user that the identity provider wants to make available to the service provider.

Assertions are typically passed from the identity provider to the service provider.

The content of the assertions that are created is governed by the SAML 2.0 specification. You choose which assertion content is used when you establish a federation; it is also determined by the definitions that are used in the identity mapping method that you configure.

The identity mapping method can either be a custom mapping module or a JavaScript mapping rule. The identity mapping also specifies how identities are mapped between federation partners.

Protocols

SAML 2.0 defines several request-response protocols that correspond to the action that is being communicated in the message. The SAML 2.0 protocols that are supported are:
  • Authentication request
  • Single logout
  • Artifact resolution
  • Name identifier management
Note: The Enhanced Client or Proxy (ECP) flow is currently not supported by Security Access Manager.
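The following Python program is an added example, not code from the Security Access Manager Federation Module or its JavaScript mapping rule API. It walks through the Authentication request protocol listed above and the assertion content described earlier: the service provider builds an AuthnRequest, the identity provider answers with a Response carrying one assertion (an AuthnStatement plus an AttributeStatement), and the service provider checks the response before handing the asserted identity to a mapping step. The entity IDs, URLs, user and attributes are constructed; the `map_identity` function is a stand-in for an identity mapping rule, and the messages are left unsigned so the example runs offline with only the standard library.

```python
import uuid
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample federation (hypothetical entity IDs and endpoints).
SP_ID = "https://sp.example.test/saml/metadata"
ACS_URL = "https://sp.example.test/saml/acs"
IDP_ID = "https://idp.example.test/saml/metadata"
DEMO_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(sp_entity_id, acs_url, now):
    """Service provider side: the AuthnRequest that starts SP-initiated SSO.
    Returns (request ID, XML); the SP keeps the ID to correlate the Response."""
    request_id = "_" + uuid.uuid4().hex
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": request_id, "Version": "2.0", "IssueInstant": ts(now),
        "AssertionConsumerServiceURL": acs_url})
    ET.SubElement(req, "{%s}Issuer" % SAML).text = sp_entity_id
    return request_id, ET.tostring(req, encoding="unicode")


def build_response(authn_request_xml, idp_entity_id, name_id, attributes, now):
    """Identity provider side (constructed, unsigned): a Response with one Assertion
    that carries an AuthnStatement and the attributes the IdP chooses to release."""
    req = ET.fromstring(authn_request_xml)
    sp_entity_id = req.find("saml:Issuer", NS).text
    resp = ET.Element("{%s}Response" % SAMLP, {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": ts(now),
        "InResponseTo": req.get("ID"),
        "Destination": req.get("AssertionConsumerServiceURL")})
    ET.SubElement(resp, "{%s}Issuer" % SAML).text = idp_entity_id
    status = ET.SubElement(resp, "{%s}Status" % SAMLP)
    ET.SubElement(status, "{%s}StatusCode" % SAMLP, {"Value": STATUS_SUCCESS})
    a = ET.SubElement(resp, "{%s}Assertion" % SAML, {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": ts(now)})
    ET.SubElement(a, "{%s}Issuer" % SAML).text = idp_entity_id
    subj = ET.SubElement(a, "{%s}Subject" % SAML)
    ET.SubElement(subj, "{%s}NameID" % SAML).text = name_id
    cond = ET.SubElement(a, "{%s}Conditions" % SAML, {
        "NotBefore": ts(now - timedelta(minutes=1)),
        "NotOnOrAfter": ts(now + timedelta(minutes=5))})
    aud = ET.SubElement(cond, "{%s}AudienceRestriction" % SAML)
    ET.SubElement(aud, "{%s}Audience" % SAML).text = sp_entity_id
    authn = ET.SubElement(a, "{%s}AuthnStatement" % SAML, {"AuthnInstant": ts(now)})
    ctx = ET.SubElement(authn, "{%s}AuthnContext" % SAML)
    ET.SubElement(ctx, "{%s}AuthnContextClassRef" % SAML).text = PASSWORD_CTX
    attr_st = ET.SubElement(a, "{%s}AttributeStatement" % SAML)
    for name, values in attributes.items():
        attr = ET.SubElement(attr_st, "{%s}Attribute" % SAML, {"Name": name})
        for v in values:
            ET.SubElement(attr, "{%s}AttributeValue" % SAML).text = v
    return ET.tostring(resp, encoding="unicode")


def validate_response(response_xml, expected_request_id, acs_url,
                      sp_entity_id, idp_entity_id, now):
    """Service provider side: checks a consumer makes before trusting the assertion.
    A real deployment verifies the XML Signature first; that step is omitted here."""
    resp = ET.fromstring(response_xml)
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    if resp.get("Destination") != acs_url:
        raise ValueError("Destination is not this SP's assertion consumer service")
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != STATUS_SUCCESS:
        raise ValueError("identity provider did not report Success")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.find("saml:Issuer", NS).text != idp_entity_id:
        raise ValueError("Assertion issuer is not the federation partner")
    cond = a.find("saml:Conditions", NS)
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("Assertion is outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("Assertion was issued for a different audience")
    authn = a.find("saml:AuthnStatement", NS)
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": a.find("saml:Subject/saml:NameID", NS).text,
            "authn_instant": authn.get("AuthnInstant"),
            "authn_context": authn.find("saml:AuthnContext/saml:AuthnContextClassRef", NS).text,
            "attributes": attrs}


def map_identity(info):
    """Stand-in for the identity mapping step (a custom module or mapping rule in the
    product): derives the local identity from the asserted NameID and attributes."""
    return {"username": info["name_id"].split("@")[0],
            "groups": ["fed-" + g for g in info["attributes"].get("groups", [])],
            "authn_context": info["authn_context"]}


if __name__ == "__main__":
    rid, req = build_authn_request(SP_ID, ACS_URL, DEMO_NOW)
    resp = build_response(req, IDP_ID, "alice@example.test", {"groups": ["staff"]}, DEMO_NOW)
    print(map_identity(validate_response(resp, rid, ACS_URL, SP_ID, IDP_ID, DEMO_NOW)))
```

The validation order matters for a service provider: the InResponseTo and Destination checks tie the response to a request this SP actually sent, the Conditions and Audience checks stop a valid assertion for another partner or an expired one from being accepted, and only the data that survives those checks reaches the mapping step.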