Child pages
  • What's New in SAML 2?

The Incommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content. Remember to update your bookmarks.

Click in the link above if you are not automatically redirected in 15 seconds.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

What's New in SAML V2.0?

  • Pseudonyms - SAML V2.0 defines how an opaque pseudo-random identifier with no discernible correspondence with meaningful identifiers (for example, emails or account names) can be used between providers to represent principals. Pseudonyms are a key privacy-enabling technology because they inhibit collusion between multiple providers (as would be possible with a global identifier such as an email address).
  • Identifier management - SAML V2.0 defines how two providers can establish and subsequently manage the pseudonym(s) for the principals for whom they are operating.
  • Metadata - SAML's metadata specification defines how to express configuration and trust related data to make deployment of SAML systems easier. In doing this, it identifies the actors involved in the various profiles, such as SSO Identity Provider and Service Provider, and Attribute Authority and Requester. The data that must be agreed on between system entities includes supported roles, identifiers, supported profiles, URLs, certificates and keys.
  • Encryption - SAML V2.0 permits attribute statements, name identifiers, or entire assertions to be encrypted. This feature ensures that end-to-end confidentiality of these elements may be supported as needed.
  • Attribute profiles - Attribute profiles simplify the configuration and deployment of systems that exchange attribute data. The attribute profiles include:
    • Basic attribute profile: supports string attribute names and attribute values drawn from XML schema primitive type definitions.
    • X.500/LDAP attribute profile: supports canonical X.500/LDAP attribute names and values.
    • UUID Attribute Profile: supports use of UUIDs as attribute names.
    • XACML Attribute Profile: defines formats suitable for processing by XACML.
  • Session management - The single logout protocol in SAML V2.0 provides a protocol by which all sessions provided by a particular session authority can be near-simultaneously terminated. As an example, if a user, after authenticating at an identity provider, achieved single sign-on to multiple service providers, they could be automatically logged out of all of those service providers at the request of the identity provider.
  • Devices - SAML V2.0 introduces new support for the mobile world, addressing both the challenges introduced by device and bandwidth constraints and the opportunities made possible by emerging smart or active devices.
  • Privacy mechanisms - SAML V2.0 includes mechanisms that allow providers to communicate privacy policy and settings. For instance, SAML makes it possible to obtain and express a principal's consent to some operation being performed.
  • Identity provider discovery - In deployments having more than one identity provider, service providers need a means to discover which identity provider(s) a principal uses. The identity provider discovery profile relies on a cookie written in a common domain between identity and service providers.

Taken from: SAML V2.0 Executive Overview(12 April 2005, published by OASIS)

  • No labels