What is SAML? Security Assertion Markup Language (SAML) is a security framework, more precisely a specification, used for authentication and authorization. It is expressed in XML, and its content covers three kinds of statements:
1. Authentication statement. Indicates whether the user has been authenticated; typically used for single sign-on.
2. Attribute statement. Carries attributes describing the subject.
3. Authorization decision statement. Indicates whether the subject is permitted to access a resource.
For example, if an enterprise application wants to access a service and needs to establish identity securely, it can use the SAML specification to transmit the data as XML whose content conforms to the SAML standard. It does not matter what kind of systems the application and the service are, as long as both understand the SAML specification.
So, is SAML secure simply because its content is XML? The answer is that SAML offers a degree of security: although it is XML, it is not easily modified, for two reasons.
First, although SAML is formally XML, some of its values are encrypted.
Secondly, SAML is based on the XML Signature specification, which uses XML syntax to fully and precisely describe the generation and verification of digital signatures, including key-pair generation, signing the document, transmitting the document and verifying the signature (XML Signature is a separate topic that deserves its own study). This gives SAML tamper-evidence, non-repudiation and related properties.
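As an added illustration (example code, not from the original post), the following Python block builds a constructed SAML 2.0 assertion containing the three statement kinds described above, extracts each of them, and performs the structural pre-check a service provider should make before handing the enveloped XML signature to a signature library: the signature's Reference must point at this assertion's own ID. The assertion, its ID, the issuer, the subject and the attribute values are all made up, and the SignatureValue is a placeholder; the cryptographic part of XML Signature (canonicalization, digest and signature-value verification) is not implemented here and is left to a dedicated library.

```python
import xml.etree.ElementTree as ET

# Namespace prefixes used by SAML 2.0 assertions and XML Signature.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample assertion: the ID, issuer, subject, attribute values and
# the SignatureValue are placeholders, not output of any real identity provider.
SAMPLE_ASSERTION = """<?xml version="1.0"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#_example-assertion-1"/>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://app.example.test/reports" Decision="Permit">
    <saml:Action>read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>
"""


def parse_assertion(xml_text):
    """Extract the authentication, attribute and authorization decision
    statements from a SAML 2.0 Assertion into a plain dict."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion")
    result = {
        "id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "authn": [],        # authentication statements: how the user logged in
        "attributes": {},   # attribute statement: name -> list of values
        "authz": [],        # authorization decisions: resource/decision/actions
    }
    for st in root.findall("saml:AuthnStatement", NS):
        ctx = st.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
        result["authn"].append(ctx)
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        result["attributes"][attr.get("Name")] = values
    for dec in root.findall("saml:AuthzDecisionStatement", NS):
        result["authz"].append({
            "resource": dec.get("Resource"),
            "decision": dec.get("Decision"),
            "actions": [a.text for a in dec.findall("saml:Action", NS)],
        })
    return result


def signature_covers_assertion(xml_text):
    """Structural pre-check before cryptographic verification: the enveloped
    signature must be a direct child of the Assertion and its single Reference
    must point at this Assertion's own ID. It does NOT check the digest or the
    SignatureValue; that is the job of an XML-DSig library."""
    root = ET.fromstring(xml_text)
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return False
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        return False
    return refs[0].get("URI") == "#" + (root.get("ID") or "")


if __name__ == "__main__":
    print(parse_assertion(SAMPLE_ASSERTION))
    print("signature references this assertion:",
          signature_covers_assertion(SAMPLE_ASSERTION))
```

A service provider would run `signature_covers_assertion` first, then hand the same bytes to a signature library for canonicalization and digest checks, and only then trust what `parse_assertion` returns; checking the Reference URI against the Assertion ID is what ties the signature to the statements being consumed rather than to some other element in the document.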
SAML, as I understand it, is an application-level specification for authentication and authorization between different systems. HTTPS, on the other hand, is simply a secure network transport protocol, not SAML. From a security standpoint, HTTPS is much better.
SAML is obviously related to authentication mechanisms between different systems, such as single sign-on (SSO) and third-party logins such as OAuth2.
As mentioned earlier, SAML can contain authorization information. That OAuth2 carries authorization information is easier to understand, since that was its main purpose: for example, I want to open an application, it offers login via WeChat, and then asks me to agree to let it access my WeChat user name and albums; that consent is authorization information.
However, for single sign-on, do I need this authorization information?
Originally, I always took it for granted that a single sign-on system only needs to do authentication, and that permission handling is entirely up to the application system. After thinking about it, having single sign-on also provide authorization information is a good thing too, because then only the single sign-on system needs to maintain a copy of the authorization data and the application systems do not have to; firstly this saves effort, and secondly the authorization data is perhaps easier to transfer between systems for processing?
That is all for the moment.