Overview #

SAML V2.0 introduces a number of new features including:


SAML V2.0 defines how an opaque pseudo-random identifier with no discernible correspondence with meaningful identifiers (for example, emails or account names) can be used between providers to represent principals. Pseudonyms are a key privacy-enabling technology because they inhibit collusion between multiple providers (as would be possible with a global identifier such as an email address)

Identifier management#

SAML V2.0 defines how two providers can establish and subsequently manage the pseudonym(s) for the principals for whom they are operating.


The metadata specification defines how to express configuration and trust-related data to make deployment of SAML systems easier. In doing this, it identifies the actors involved in the various profiles, such as SSO Identity Provider and Service Provider, and Attribute Authority and Requester. The data that must be agreed on between system entities includes supported roles, identifiers, supported profiles, URLs, certificates and keys.


SAML V2.0 permits attribute statements, name identifiers, or entire assertions to be encrypted. This feature ensures that end to-end confidentiality of these elements may be supported as needed.

Attribute Profiles#

Attribute profiles simplify the configuration and deployment of systems that exchange attribute data. The attribute profiles include:

Basic attribute profile#

Basic attribute profile supports string attribute names and attribute values drawn from XML schema primitive type definitions.

X.500/LDAP attribute profile#

X.500/LDAP attribute profile supports canonical X.500/LDAP attribute names and values.

UUID Attribute Profile#

UUID Attribute Profile supports the use of UUIDs as attribute names.

XACML Attribute Profile#

XACML Attribute Profile supports formats suitable for processing by XACML.

Session management#

Session management provides the Single Logout Profile in SAML V2.0 provides a protocol by which all sessions provided by a particular session authority can be near-simultaneously terminated.

As an example, if a principal, after authenticating at an Identity Provider (IDP), achieved Single Sign-On to multiple Service Providers, they could be automatically Logging Out of all of those Service Providers at the request of the Identity Provider (IDP).


SAML V2.0 introduces new support for the mobile world – addressing both the challenges introduced by device and bandwidth constraints and the opportunities made possible by emerging smart or active devices.

Privacy Mechanisms #

SAML V2.0 includes mechanisms that allow providers to communicate privacy policy and settings. For instance, SAML makes it possible to obtain and express a principal's consent to some operation being performed.

SAML V2.0 Identity Provider (IDP) Discovery Mechanism#

In deployments having more than one identity provider, service providers need a Discovery Mechanism which Identity Provider (IDP)(s) a principal uses.

SAML v2 IDP Discovery Service relies on a cookie written in a DNS Domain that is common to all Identity Provider (IDP) and Service Providers in a Circle of Trust. This predetermined DNS Domain is known as the common domain, and the cookie containing the list of Identity Provider (IDP) to chose from is known as the common domain cookie.

When a user requests access from a Service Provider and an entity identifier for an Identity Provider (IDP) is not received in the request, the service provider redirects the request to the common domain's SAML v2 IDP Discovery Service Reader URL to retrieve the identity provider's entity identifier. If more than one Identity Provider (IDP) entity identifier is returned, the last entity identifier in the list is the one to which the request is redirected

More Information#

There might be more information for this subject on one of the following: