9.5. SAML¶
9.5.1. Introduction¶
SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization statements between parties. The parties exchange XML messages (requests, responses and signed assertions) to implement single sign-on (SSO).
There are two versions of SAML, 1.1 and 2.0. The two are not wire-compatible, but they share roughly the same logical concepts and object structure and differ mainly in details.
9.5.2. Authentication Process¶
SAML authentication involves three roles: the service provider (SP), the identity provider (IdP), and the user agent (Client, usually the browser). A typical SP-initiated flow is as follows:
1. The Client requests a protected resource from the SP.
2. The SP generates a SAML authentication request (AuthnRequest) and returns it to the Client, redirecting the Client to the IdP.
3. The Client submits the AuthnRequest to the IdP.
4. The IdP responds with a login challenge.
5. The Client logs in to the IdP.
6. After successful authentication, the IdP issues a SAML assertion stating who the user is, signs it with the IdP's private key, and returns it to the Client.
7. The Client submits the SAML response to the SP.
8. The SP parses the SAML response, verifies the signature and the validity conditions of the assertion, and, if they check out, returns the resource.
9.5.3. Security Issues¶
The XML signature on an assertion is optional in the SAML schema. An SP that verifies a signature only when one is present, instead of rejecting every unsigned assertion outright, can therefore be bypassed by stripping the Signature element (or its SignatureMethod and SignatureValue) from the assertion.
If the assertion carries no expiry (a Conditions element with NotOnOrAfter) and the SP does not track assertion IDs for uniqueness, a captured assertion can be submitted again, so the SP is exposed to replay attacks.
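The following is an added example, not code from the original page: an SP-side validator for the last step of the flow above (the SP reading the assertion and deciding whether it is legitimate), written so that the two issues in this section are failures rather than silent skips. It rejects an assertion whose Signature is missing, whose Conditions/NotOnOrAfter is missing or expired, or whose ID has already been accepted. The SAML response XML, the assertion IDs, the audience URL and the placeholder SignatureValue are all constructed for the example; cryptographic XMLDSig verification is left to a hypothetical `verify_sig` callable the caller supplies (for instance one backed by a library such as signxml), since the point here is the policy around it, not the crypto.

```python
"""SP-side checks on an inbound SAML 2.0 assertion (added example).

Rejects: no signature, signature not covering this assertion, missing or
expired NotOnOrAfter, wrong audience, and replayed assertion IDs.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


class AssertionRejected(Exception):
    pass


class AssertionValidator:
    def __init__(self, audience, verify_sig=None, clock=None):
        self.audience = audience
        self.verify_sig = verify_sig          # hypothetical XMLDSig verifier
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self._seen = {}                       # assertion ID -> NotOnOrAfter

    @staticmethod
    def _ts(value):
        # SAML timestamps are UTC ISO 8601 with a trailing "Z"
        return datetime.fromisoformat(value.replace("Z", "+00:00"))

    def validate(self, response_xml):
        root = ET.fromstring(response_xml)
        assertion = root.find("saml:Assertion", NS)
        if assertion is None:
            raise AssertionRejected("no Assertion in Response")
        aid = assertion.get("ID")
        if not aid:
            raise AssertionRejected("Assertion has no ID")

        # 1. Signature must be present: a missing one is a failure, not a skip.
        sig = assertion.find("ds:Signature", NS)
        if sig is None or sig.find("ds:SignatureValue", NS) is None:
            raise AssertionRejected("Assertion is not signed")
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != "#" + aid:
            raise AssertionRejected("Signature does not cover this Assertion")
        if self.verify_sig is not None and not self.verify_sig(assertion):
            raise AssertionRejected("signature verification failed")

        # 2. Validity window and audience must be present and satisfied.
        cond = assertion.find("saml:Conditions", NS)
        if cond is None or not cond.get("NotOnOrAfter"):
            raise AssertionRejected("Assertion has no expiry (NotOnOrAfter)")
        now = self.clock()
        not_after = self._ts(cond.get("NotOnOrAfter"))
        if now >= not_after:
            raise AssertionRejected("Assertion expired")
        not_before = cond.get("NotBefore")
        if not_before and now < self._ts(not_before):
            raise AssertionRejected("Assertion not yet valid")
        auds = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.audience not in auds:
            raise AssertionRejected("Audience mismatch")

        # 3. Replay: each ID is accepted once; entries are kept until they expire.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if aid in self._seen:
            raise AssertionRejected("Assertion replayed")
        self._seen[aid] = not_after

        name = assertion.find("saml:Subject/saml:NameID", NS)
        return name.text if name is not None else None


# --- constructed sample input (not a real IdP response) -------------------
FIXED_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def make_response(aid, cond_attrs, signed=True):
    # Placeholder signature: real SignedInfo also carries Canonicalization-
    # and SignatureMethod, and verify_sig would check SignatureValue bytes.
    sig = ""
    if signed:
        sig = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
               '<ds:SignatureValue>c2lnbg==</ds:SignatureValue></ds:Signature>' % aid)
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="%s" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">'
        '<saml:Issuer>https://idp.example.com</saml:Issuer>%s'
        '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
        '<saml:Conditions %s><saml:AudienceRestriction>'
        '<saml:Audience>https://sp.example.com</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        '</saml:Assertion></samlp:Response>'
        % (NS["samlp"], NS["saml"], NS["ds"], aid, sig, cond_attrs)
    )


def _attempt(validator, xml):
    try:
        return validator.validate(xml)
    except AssertionRejected as exc:
        return "rejected: " + str(exc)


def run_checks():
    v = AssertionValidator("https://sp.example.com", clock=lambda: FIXED_NOW)
    good = make_response("_a1", 'NotOnOrAfter="2024-01-01T12:05:00Z"')
    return {
        "valid": _attempt(v, good),
        "replay": _attempt(v, good),                       # same ID twice
        "unsigned": _attempt(v, make_response("_a2", 'NotOnOrAfter="2024-01-01T12:05:00Z"', signed=False)),
        "expired": _attempt(v, make_response("_a3", 'NotOnOrAfter="2024-01-01T11:00:00Z"')),
        "no_expiry": _attempt(v, make_response("_a4", "")),
    }


if __name__ == "__main__":
    for case, result in run_checks().items():
        print(case, "->", result)
```

The replay cache here is an in-process dict, which is enough to show the rule; in a deployment with several SP nodes the seen-ID set has to live in a shared store, and an entry can be dropped once the assertion's NotOnOrAfter has passed, because the expiry check rejects it from then on anyway.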