Security Assertion Markup Language (SAML) holds the dominant position in terms of industry acceptance for federated identity deployments. SAML is deployed in tens of thousands of cloud single sign-on (SSO) connections. Thousands of large enterprises, government agencies and service providers have selected it as their standard protocol for communicating identities across the internet.
SAML is XML-based which makes it a very flexible standard. Two federation partners can choose to share whatever identity attributes they want in a SAML assertion (message) payload as long as those attributes can be represented in XML. This flexibility led to pieces of the SAML standard, such as the SAML assertion format, being incorporated into other standards such as WS-Federation.
An introduction to identity federation
and the SAML standard.
Interoperability also gives SAML a huge advantage over proprietary SSO mechanisms. For an enterprise, proprietary SSO means each new connection potentially requires a new and different software implementation. With SAML, a single SAML implementation can support SSO connections with many different federation partners. Some large organizations, particularly those who have already gone through the pain of supporting multiple proprietary SSO implementations, now require the use of SAML for internet SSO with Software-as-a-Service (SaaS) applications and other external service providers.
The Kantara Initiative, formerly known as the Liberty Alliance, has established a very successful interoperability testing program where SAML vendors prove out-of-the-box interoperability with other SAML implementations. To date, Liberty has certified over 80 solutions from numerous vendors and organizations worldwide, including PingFederate, which has completed SAML 2.0 interoperability testing with more vendors than any other product in the identity management space. A certified product can be the difference between a two-hour configuration and testing exercise or a multi-month distributed debugging nightmare.
Enterprise SAML identity federation use cases generally revolve around sharing identity between an existing IdM system and web applications. There are two actors in the SAML scenario, the Identity Provider who “asserts” the identity of the user and the Service Provider who consumes the “assertion” and passes the identity information to the application. The interaction between the IdM system and the federation server is called “first mile” integration and the interaction between the federation server and the application is called “last mile” integration.