The Security Assertion Markup Language (SAML) standard is an XML-based protocol for exchanging authentication and authorization data between security domains and realms. When used by the Pega 7 Platform, this is the exchange between an identity provider (IdP) and a service provider (SP): the IdP produces the SAML assertions and the SP consumes them.
By adhering to OASIS standards such as the SAML 2.0 conformance specification, the Pega 7 Platform can federate with any third-party application that uses industry-standard identity providers, including Microsoft ADFS, PingOne, and IBM Tivoli Federated Identity Manager. The Pega 7 Platform fully conforms with SAML 2.0 for the web single sign-on and single logout profiles.
This article is intended for the Pega 7 Platform integration architect who has a good understanding of SAML 2.0 protocols, standards, and bindings. It addresses information related to SAML 2.0 conformance only.
SAML 2.0 assertions
A SAML 2.0 assertion is a security token that acts as the container for security information. An assertion carries a subject, a set of conditions that apply to the assertion and its statements, and the statements themselves; those statements are what a consumer uses to authenticate the user and to make or derive access control decisions.
SAML 2.0 protocols
A SAML 2.0 protocol describes how certain SAML elements (including assertions) are packaged within SAML request and response elements, and gives the processing rules that SAML entities such as IdP and SP must follow when producing or consuming these elements. Generally, a SAML protocol is a simple request-response protocol.
A SAML protocol always refers to what is transmitted, not how it is transmitted. For SAML 2.0 conformance, the Authentication Request Protocol, the Artifact Resolution Protocol, and the Single Logout Protocol are the protocols used to support the single sign-on and single logout profiles.
SAML 2.0 bindings
A SAML 2.0 binding determines how SAML requests and responses bind to standard messaging or communications protocols. Specifically, it is a mapping of a SAML protocol message onto standard messaging formats or communications protocols. SAML 2.0 completely separates the binding concept from the underlying profile. See the next section, SAML 2.0 profiles, for more details.
The SAML 2.0 standard defines several bindings. The following bindings are required for SAML 2.0 conformance:
- HTTP redirect (GET) binding
- HTTP POST binding
- HTTP artifact binding
- SOAP binding
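To make the mapping concrete, the following Python example (added here, not part of the original article or the Pega product) takes one constructed <AuthnRequest> and carries it over the two browser bindings named above: the HTTP redirect binding (raw DEFLATE, base64, URL-encoded query string) and the HTTP POST binding (base64 only, in a form field). The request ID, issuer and URLs are illustrative placeholders.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample <AuthnRequest>; ID, issuer and URLs are placeholders, not real values.
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.com/sso" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.com</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

def redirect_binding_query(xml_message: str, relay_state: str) -> str:
    """HTTP redirect binding: raw DEFLATE, then base64, then URL-encode as query parameters."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = compressor.compress(xml_message.encode("utf-8")) + compressor.flush()
    encoded = base64.b64encode(deflated).decode("ascii")
    # urlencode percent-encodes the '+', '/' and '=' that base64 output may contain.
    return urllib.parse.urlencode({"SAMLRequest": encoded, "RelayState": relay_state})

def post_binding_form_field(xml_message: str) -> str:
    """HTTP POST binding: base64 only (no compression), placed in the SAMLRequest form field."""
    return base64.b64encode(xml_message.encode("utf-8")).decode("ascii")

def decode_saml_request(binding: str, value: str) -> ET.Element:
    """Reverse either binding and parse the XML; reject anything that is not a samlp:AuthnRequest."""
    raw = base64.b64decode(value)
    if binding == "redirect":
        raw = zlib.decompress(raw, -15)  # the POST binding is not compressed
    root = ET.fromstring(raw)  # ElementTree does not fetch external entities by default
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"unexpected SAML message type: {root.tag}")
    return root

def decode_redirect_query(query: str) -> ET.Element:
    """Parse a redirect-binding query string back into the AuthnRequest element."""
    params = urllib.parse.parse_qs(query, strict_parsing=True)
    return decode_saml_request("redirect", params["SAMLRequest"][0])

if __name__ == "__main__":
    query = redirect_binding_query(AUTHN_REQUEST, "state-123")
    print(decode_redirect_query(query).attrib["Destination"])
```

The same protocol message is what travels in both cases; only the encoding and the HTTP carrier differ, which is exactly the separation between protocol and binding described above.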
SAML 2.0 profiles
A SAML 2.0 profile is a concrete manifestation of a defined use case that uses a particular combination of assertions, protocols, and bindings. It describes in detail how they combine to support the considered use case.
The SAML 2.0 standard defines several profiles, including:
- Web Browser SSO Profile
- Artifact Resolution Profile
- Single Logout Profile
The Web Browser SSO Profile is the most important profile because it is the primary SAML use case for Web SSO and federation.
SAML 2.0 operational modes
The OASIS SAML Conformance document provides the SAML 2.0 conformance technical requirements for SPs and IdPs, which is one measure of cross-product compatibility. The document describes which features are mandatory and which are optional for implementations that claim conformance to SAML 2.0.
In the SAML 2.0 Conformance document, Table 2 lists a distinct set of requirements for each operational mode.
Two operational modes are defined in the document:
- SP Full
- SP Lite
The Pega 7 Platform implements the single sign-on profile, the single logout profile, and their required bindings to support SAML 2.0 conformance. The following table presents the SAML 2.0 functions matrix for the SP Lite and SP Full operational modes supported by the Pega 7 Platform.
SAML 2.0 Functions Matrix
| Function | SP Lite | SP Full | Pega 7 Platform |
|---|---|---|---|
| Web SSO, <AuthnRequest>, HTTP redirect | Must | Must | X |
| Web SSO, <Response>, HTTP POST | Must | Must | X |
| Web SSO, <Response>, HTTP artifact | Must | Must | X |
| Artifact Resolution, SOAP | Must | Must | X |
| Single Logout (IdP-initiated), HTTP redirect | Must | Must | X |
| Single Logout (IdP-initiated), SOAP | Optional | Must | X |
| Single Logout (SP-initiated), HTTP redirect | Must | Must | X |
| Single Logout (SP-initiated), SOAP | Optional | Must | X |
For more information about SAML 2.0, see the OASIS SAML Conformance document.