Overview #

SAML V2.0 introduces a number of new features including:


SAML V2.0 defines how an opaque pseudo-random identifier with no discernible correspondence with meaningful identifiers (for example, emails or account names) can be used between providers to represent principals. Pseudonyms are a key privacy-enabling technology because they inhibit collusion between multiple providers (as would be possible with a global identifier such as an email address)

Identifier management#

SAML V2.0 defines how two providers can establish and subsequently manage the pseudonym(s) for the principals for whom they are operating.


The metadata specification defines how to express configuration and trust-related data to make deployment of SAML systems easier. In doing this, it identifies the actors involved in the various profiles, such as SSO Identity Provider and Service Provider, and Attribute Authority and Requester. The data that must be agreed on between system entities includes supported roles, identifiers, supported profiles, URLs, certificates and keys.


SAML V2.0 permits attribute statements, name identifiers, or entire assertions to be encrypted. This feature ensures that endto-end confidentiality of these elements may be supported as needed.

Attribute Profiles#

Attribute profiles simplify the configuration and deployment of systems that exchange attribute data. The attribute profiles include:

Basic attribute profile#

Basic attribute profile supports string attribute names and attribute values drawn from XML schema primitive type definitions.

X.500/LDAP attribute profile#

X.500/LDAP attribute profile supports canonical X.500/LDAP attribute names and values.

UUID Attribute Profile#

UUID Attribute Profile supports the use of UUIDs as attribute names.

XACML Attribute Profile#

XACML Attribute Profile supports formats suitable for processing by XACML.

Session management#

Session management provides the single logout protocol in SAML V2.0 provides a protocol by which all sessions provided by a particular session authority can be near-simultaneously terminated.

As an example, if a principal, after authenticating at an identity provider, achieved single sign-on to multiple service providers, they could be automatically logged out of all of those service providers at the request of the identity provider.


SAML V2.0 introduces new support for the mobile world – addressing both the challenges introduced by device and bandwidth constraints and the opportunities made possible by emerging smart or active devices.

Privacy Mechanisms #

SAML V2.0 includes mechanisms that allow providers to communicate privacy policy and settings. For instance, SAML makes it possible to obtain and express a principal's consent to some operation being performed.

Identity Provider (IDP) Discovery Mechanism#

In deployments having more than one identity provider, service providers need a Discovery Mechanism which Identity Provider (IDP)(s) a principal uses. The identity provider discovery profile relies on a cookie written in a common domain between identity and service providers.

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-2) was last changed on 30-Aug-2015 08:48 by jim