SAML Architecture

From NovaOrdis Knowledge Base
Jump to navigation Jump to search

Internal

Domain Model

SAML is specified by the following domain model:

SAML Domain Model.png

A system entity (client) wants to access a system resource. The system entity presents user credentials to the Credential Collector, which will authenticate with the associated Authentication Authority, producing the authentication assertion, then with the Attribute Authority producing an attribute assertion and the Policy Decision Point, producing the authorization decision assertion, before the system entity can be granted access. The Policy Enforcement Point will process the application request based on the access rights granted. All assertion requests are represented in SAML.

Credential Collector

A system object that collects user credentials to authenticate with the associated Authentication Authority, Attribute Authority, and Policy Decision Point.

Authentication Authority

A system entity that produces authentication assertions.

Session Authority

A system entity (for example, Identity Provider) that plays the role of maintaining the state related to the session. Also see single logout profile.

Attribute Authority

A system entity that produces attribute assertions. Usually, the attribute authority is implemented by a directory server.

Attribute Repository

A repository where attribute assertions are stored.

Policy Repository

A repository where policies are stored. Also known as "Policy".

Policy Decision Point

A system entity that makes authorization decisions for itself or for other system entities that request authorization.

Policy Enforcement Point

A system entity that enforces the security policy of granting or revoking the access of resources to the service requester.

Policy Administration Point

A system entity where policies (for example, access control rules about a resource) are defined and maintained.