1-8 Oracle Fusion Middleware Reference for Oracle Security Developer Tools
        NotAfter="2005-12-14T10:15:00Z">
    </saml:Conditions>
    <saml:AuthenticationStatement
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
        AuthenticationInstant="2005-12-14T10:00:20Z">
      <saml:Subject>
        <saml:NameIdentifier NameQualifier="RelyingParty.com">john.smith</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact-01</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>
1.4.2 SAML Requests and Responses
The authority that issues assertions is known as the issuing authority or identity provider. An issuing authority can be a third-party service provider or an individual
business that is serving as an issuing authority within a private federation of businesses. SAML-compliant applications and services, which trust the issuing
authority or identity provider and make use of its services, are called relying parties or service providers.
1.4.2.1 SAML Request and Response Cycle
In a typical SAML cycle, the relying party or service provider, which needs to authenticate a specific client request, sends a SAML request to its issuing authority or
identity provider. The identity provider responds with a SAML assertion, which supplies the relying party or service provider with the requested security information.
For example, when a user signs into a SAML-compliant service of a relying party or service provider, the service sends a request for an authentication assertion to the
issuing authority or identity provider. The issuing authority returns an authentication assertion reference stating that the user was authenticated by a particular method at a
specific time. The service can then pass this assertion reference to other relying party or service provider sites to validate the user's credentials. When the user accesses
another SAML-compliant site that requires authentication, that site uses the reference to request the authentication assertion from the issuing authority or identity
provider, which states that the user has already been authenticated.
At the issuing authority, an assertion layer handles request and response messages using the SAML protocol, which can bind to various communication and transport
protocols (HTTP, SOAP, and so on). Note that while the client always consumes assertions, the issuing authority or identity provider can act as both producer and
consumer, since it can both create and validate assertions.
This cycle is illustrated in Figure 1–1.
Introduction to Oracle Security Developer Tools 1-9
Figure 1–1 SAML Request-Response Cycle
This figure shows a SAML request and response cycle: a user, boxes for relying parties, and a box for the issuing authority. The user or client request first goes
to the relying party, which sends a SAML request to its issuing authority. The issuing authority responds with a SAML assertion, which supplies the relying party with the
requested security information. Two-way arrows denote the client communication with the relying party (there can be more than one relying party), and also denote the
request-response communication between the relying party and the issuing authority.
Finally, the box for the issuing authority separates the assertion layer (SAML) from the transport layer (HTTP, SOAP, and so on) to show that the communication between
these layers enables the issuing authority to create and validate assertions.
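The checks a relying party performs when it consumes an assertion from the cycle above, as an added example in Python (not Oracle Security Developer Tools code). The sample assertion is constructed from the fragment at the top of this page; the Issuer value, the NotBefore time and the namespace declaration are assumptions.

```python
"""Relying-party checks on a SAML 1.0 authentication assertion (added example,
not Oracle Security Developer Tools code). The sample assertion is constructed
from the fragment above; the Issuer value and the NotBefore time are assumptions."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML}

SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML}" Issuer="idp.example.com" IssueInstant="2005-12-14T10:00:20Z">
  <saml:Conditions NotBefore="2005-12-14T10:00:00Z" NotAfter="2005-12-14T10:15:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
                                AuthenticationInstant="2005-12-14T10:00:20Z">
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="RelyingParty.com">john.smith</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact-01</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
"""

def parse_ts(value):
    # SAML 1.0 timestamps are UTC with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, trusted_issuers, now):
    """Return (ok, detail, subject). On success detail is the AuthenticationMethod.
    Signature (XML-DSig) verification is assumed to have happened before this step."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        return False, "not a SAML 1.0 assertion", None
    if root.get("Issuer") not in trusted_issuers:          # only trust known issuing authorities
        return False, "untrusted issuer", None
    cond = root.find("saml:Conditions", NS)
    nb = cond.get("NotBefore") if cond is not None else None
    na = cond.get("NotAfter") if cond is not None else None
    if nb is None or na is None or not parse_ts(nb) <= now < parse_ts(na):
        return False, "outside validity window", None      # expired or not-yet-valid assertion
    stmt = root.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        return False, "no authentication statement", None
    name = stmt.find("saml:Subject/saml:NameIdentifier", NS)
    method = stmt.find("saml:Subject/saml:SubjectConfirmation/saml:ConfirmationMethod", NS)
    if name is None or method is None or not (method.text or "").strip():
        return False, "subject not confirmed", None
    return True, stmt.get("AuthenticationMethod"), name.text
```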
1.4.2.2 SAML Protocol Bindings and Profiles