15

After reading some articles and references, I found that they practically illustrate what SAML is, what components it contains, and how it works. Some good links as follows:

I, however, still feel confused about it: why is it said to be secure? In my view, in short, SAML is just a "formatted" XML representation. It is a language or mechanism for exchanging figures on the information highway. I cannot find that it is secure; it just provides a negotiation or standard way for exchanging information only. I don't know whether my understanding is correct or not. Why SAML contains "security" still confuses me.

lzlstyle

3 Answers

14

I think the piece that you are missing after all that reading is how SAML requires the use of the XML DSIG and XML ENC specs to ensure message integrity and confidentiality. While standardized message formats and common name identifiers make sharing identity information much easier between parties, it is these two security components (when implemented properly) that allow SAML to be confidently adopted by Enterprises, Governments and Cloud Service Providers to exchange identity information.

HTH - Ian

Ian
4

To make it secure we can digitally sign the response with our private key and share the certificate with the Service Provider. In this way it can provide security against a fake IdP and "Man in the middle" (MITM) attacks.

Apart from that, it is always recommended that this transaction be HTTP over SSL.

And last but not least, you can also use persistent/transient pseudonyms to exchange information between IdP and SP.

Yusuf Khan
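The two answers above rest on the same mechanism: the IdP signs the assertion, and the SP checks the signature with a key it already trusts. The Go program below is an added example, not code from this thread or from any SAML library, and it deliberately simplifies XML DSIG: there is no canonicalization, no enveloped-signature transform and no KeyInfo, and the assertion bytes are used as their own "canonical form". The element names, the assertion content and the keys are all constructed for the demo. What it does show is the two checks that make the signature meaningful and the two failure modes the answers mention: a MITM editing the body (caught by the digest, or by the signature once the digest is patched too), and a fake IdP signing a self-consistent message with a key the SP has not pinned.

```go
package main

// Added example: a simplified model of how an XML DSIG signature protects a
// SAML assertion. Not a conformant XML DSIG implementation (no C14N, no
// enveloped-signature transform, no <ds:KeyInfo>); it isolates the two checks
// the SP must perform with the IdP key it already trusts.
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrBadSignature   = errors.New("SignatureValue does not verify under the trusted IdP key")
	ErrDigestMismatch = errors.New("DigestValue does not match the referenced assertion")
)

// SignedMessage stands in for a SAML <Response> carrying a signed <Assertion>.
type SignedMessage struct {
	Assertion      string // referenced element; used verbatim as its "canonical form" here
	DigestValue    string // base64(SHA-256(Assertion)), as in <ds:DigestValue>
	SignatureValue string // base64(RSA-PKCS1v15-SHA256 over signedInfo), as in <ds:SignatureValue>
}

// signedInfo mirrors <ds:SignedInfo>: the bytes that are actually signed commit
// to the digest of the referenced element, not to the element itself.
func signedInfo(digestValue string) []byte {
	return []byte("<SignedInfo><Reference><DigestValue>" + digestValue + "</DigestValue></Reference></SignedInfo>")
}

func digest(assertion string) string {
	sum := sha256.Sum256([]byte(assertion))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Sign is the IdP side: hash the assertion, hash SignedInfo, sign with the IdP private key.
func Sign(idpKey *rsa.PrivateKey, assertion string) (SignedMessage, error) {
	d := digest(assertion)
	h := sha256.Sum256(signedInfo(d))
	sig, err := rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, h[:])
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Assertion: assertion, DigestValue: d, SignatureValue: base64.StdEncoding.EncodeToString(sig)}, nil
}

// Verify is the SP side. trustedKey is the IdP public key from metadata exchanged
// out of band, never from the message itself: a key carried inside the message
// would let any "fake IdP" sign its own assertions.
func Verify(trustedKey *rsa.PublicKey, m SignedMessage) error {
	sig, err := base64.StdEncoding.DecodeString(m.SignatureValue)
	if err != nil {
		return ErrBadSignature
	}
	h := sha256.Sum256(signedInfo(m.DigestValue))
	if err := rsa.VerifyPKCS1v15(trustedKey, crypto.SHA256, h[:], sig); err != nil {
		return ErrBadSignature
	}
	// The signature only proves SignedInfo is authentic; the digest binds
	// SignedInfo to the assertion bytes the SP is about to consume.
	if subtle.ConstantTimeCompare([]byte(digest(m.Assertion)), []byte(m.DigestValue)) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	idp, _ := rsa.GenerateKey(rand.Reader, 2048)      // constructed IdP signing key
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048) // key of a party the SP does not trust

	// Constructed, minimal assertion; real ones carry Issuer, Conditions, AuthnStatement, etc.
	assertion := `<Assertion><Subject><NameID>alice@example.com</NameID></Subject></Assertion>`
	msg, _ := Sign(idp, assertion)
	fmt.Println("genuine:", Verify(&idp.PublicKey, msg))

	// MITM edits the body in transit but cannot recompute anything: digest check fails.
	tampered := msg
	tampered.Assertion = strings.Replace(msg.Assertion, "alice", "admin", 1)
	fmt.Println("tampered body:", Verify(&idp.PublicKey, tampered))

	// MITM also patches DigestValue: SignedInfo no longer matches the signature.
	tampered.DigestValue = digest(tampered.Assertion)
	fmt.Println("tampered body+digest:", Verify(&idp.PublicKey, tampered))

	// Fake IdP produces a fully self-consistent message under its own key.
	forged, _ := Sign(attacker, tampered.Assertion)
	fmt.Println("fake IdP:", Verify(&idp.PublicKey, forged))
}
```

The point to take from `Verify` is that the trusted key comes from the IdP metadata the SP was configured with, not from anything inside the message, and that the signature over SignedInfo and the digest over the assertion are separate checks, each of which is bypassable on its own. Confidentiality of the assertion (XML ENC, the second component Ian mentions) is a separate layer and is not shown here.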
-4

Yes, SAML is an XML-based language for information exchange, as the name Security Assertion Markup Language indicates. SAML is called a security markup language because this language is specifically defined to exchange security- and identity-related information such as authorization information, authentication information, etc. Due to this capability of the language there are many security protocols and profiles defined around SAML, such as the SSO profile, the Web Service profile, etc.

SureshAtt