# SAML 2.0
# About SAML 2.0
Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorisation data between security domains. This is normally between an identity provider like id.signicat and a service provider (the customer). SAML is a product of the OASIS Security Services Technical Committee (opens new window).
SAML assumes that the end-user has enrolled with at least one identity provider. This identity provider is expected to provide local authentication services to the end-user. However, SAML does not specify the implementation of these local services; indeed, SAML does not care how local authentication services are implemented.
SAML has been a de facto standard protocol for identity management and is now supported by most of the biggest actors in the computer industry. For detailed information about SAML 2.0, relevant technical terms and access to several white papers, visit this page (opens new window) on the OASIS website.
Signicat supports the SAML 2.0 standard fully, via a gateway commonly referred to as the 'SAML gateway' or 'SAML2 gateway'. If you are using an identity federation service such as Microsoft ADFS or Oracle Identity Federation, then you are most likely interested in Signicat's SAML2 gateway.
# Authentication using SAML 2.0
Signicat's SAML2 gateway provides authentication of Internet users over the SAML2 protocol, between service providers (SP) and Signicat as the identity provider (IdP). The SAML2 gateway is integrated with Signicat's ID portal, which means that Signicat can provide authentication over the SAML2 protocol for all ID methods we are supporting today and also new ID methods that we plan to support in the future.
The service provider must establish a SAML2 federation service on their side. Examples of such federation services are:
- ADFS from Microsoft
- OIF from Oracle
- SimpleSAML (opens new window), a PHP-based solution developed through a project led by UNINETT in Norway.
Setting up a SAML2 authentication service between an SP and an IdP requires no programming and no third-party client kits, only configuration. The IdP and other communication parameters between SP and IdP should be configured in this SAML2 federation service.
# Using the SAML 2.0 protocol
Establishing a SAML2 configuration requires an agreement with Signicat. After the agreement is signed, we will create a SAML2 configuration for your application(s).
After the SAML2 configuration is established you will need to define the SAML2 configuration in the federation system. During the integration, the service provider and Signicat exchanges SAML2 metadata. In the metadata both sides expresses trust for each other. The metadata also describes the type and format of the SAML-request and SAML-response. Metadata for the SP side is available from the federation system. These metadata should be sent as an attachment to firstname.lastname@example.org.
When Signicat receives these metadata, they will be deployed in the SAML2 configuration. After deployment we will send a url containing Signicat's metadata in return.
# Set up a SAML connection
This section contains the additional steps that you have to follow if you want to use SAML 2.0.
# Creating a level of assurance contract
A level of assurance (LoA) contract is a set of mappings between the levels of assurance as defined in the ID method's documentation (or protocol specifications) and some relative values (levels 1, 2, 2+, 3 and 4).
For example, for SAML,
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport is mapped to level 2. For eHerkenning,
urn:etoegang:core:assurance-class:loa2plus is mapped to level 2+.
- Log in to the Dashboard (opens new window).
- Select Identity broker and then Level of assurance contracts (on the left-hand menu).
- In the Name field, enter a name for your set of mappings.
- Under Level of assurance mapping, enter the name of the level of assurance as defined for the ID method or protocol you're configuring. Then, select the level of assurance you want to map it to. For each level you want to map, create a new mapping by clicking the plus sign. You can see an example of a mapping for eHerkenning below these instructions.
- Select Save.