SAML 1.1 Profiles

In general, profiles describe the use cases and message exchanges required to ultimately transfer assertions from an identity provider to a service provider. SAML 1.1 specifies two Web Browser SSO Profiles:

  1. Browser/POST Profile
  2. Browser/Artifact Profile

The Browser/POST Profile relies on a "push" operation that passes an SSO assertion by value through the browser using HTTP POST. We say that the identity provider "pushes" the assertion to the service provider.

The Browser/Artifact Profile employs a "pull" mechanism. The profile essentially passes an SSO assertion from the identity provider to the service provider by reference (through the browser using HTTP Redirect), which is subsequently dereferenced via a back-channel exchange (i.e., the service provider "pulls" the assertion from the identity provider using SAML over SOAP over HTTP).

These profiles support cross-domain single sign-on (SSO). The specification does not define any additional profiles. In particular, SAML 1.1 does not support a profile to secure a web service message nor does it support a single logout profile.

Both SAML 1.1 profiles begin at the inter-site transfer service, which is managed by the identity provider. How the principal arrives at the transfer service in the first place is not dictated by the specification. See sections 4.1 and 4.2 of #SAMLOverview for possible scenarios. In practice, a client accessing a secured resource at a service provider will be redirected to the inter-site transfer service at the identity provider, but the precise sequence of steps needed to accomplish this is not outlined by SAML 1.1. (See section 4.3 of #SAMLOverview for some rough ideas along these lines.) This scenario is thoroughly addressed in SAML 2.0.

After visiting the inter-site transfer service, the principal is transferred to the assertion consumer service at the service provider. Exactly how the principal is transferred from the inter-site transfer service to the assertion consumer service depends on the profile used. In the case of the Browser/Artifact Profile, a redirect is used; in the case of the Browser/POST Profile, the client issues a POST request (with or without user intervention).

To expedite processing by the assertion consumer service, two separate URLs are specified:

  1. Assertion Consumer URL (Browser/POST Profile)
  2. Artifact Receiver URL (Browser/Artifact Profile)

These and other endpoint locations may be recorded in metadata files.
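As an added illustration (not code from the original article or from any SAML implementation), the following Python models the by-reference "pull" of the Browser/Artifact Profile described above: the inter-site transfer service hands the browser an artifact in the SAML 1.1 type 0x0001 layout (2-byte type code, 20-byte SourceID, 20-byte assertion handle), the artifact receiver routes it to the issuing identity provider by SourceID, and the back-channel dereference succeeds exactly once, so a replayed artifact resolves to nothing. The identity provider URL and assertion text are constructed, the SourceID is computed as the SHA-1 of that URL (the usual convention, not mandated by the page), and the SOAP binding and XML signatures are replaced by a direct method call.

```python
from __future__ import annotations
import base64
import hashlib
import secrets

ARTIFACT_TYPE = b"\x00\x01"  # SAML 1.1 artifact type code 0x0001


class IdentityProvider:
    """Issuing side: the inter-site transfer service returns a reference,
    and the assertion itself stays here until the service provider pulls it."""

    def __init__(self, source_url: str) -> None:
        # SourceID: 20-byte SHA-1 of the identity provider's URL (constructed).
        self.source_id = hashlib.sha1(source_url.encode()).digest()
        self._pending: dict[bytes, str] = {}  # assertion handle -> assertion

    def inter_site_transfer(self, assertion: str) -> str:
        """Return the base64 artifact carried to the SP in the HTTP redirect."""
        handle = secrets.token_bytes(20)  # unguessable AssertionHandle
        self._pending[handle] = assertion
        return base64.b64encode(ARTIFACT_TYPE + self.source_id + handle).decode()

    def resolve(self, artifact_b64: str) -> str | None:
        """Back-channel dereference (direct call here, standing in for SOAP)."""
        raw = base64.b64decode(artifact_b64)
        if len(raw) != 42 or raw[:2] != ARTIFACT_TYPE or raw[2:22] != self.source_id:
            return None  # wrong type, wrong length, or not issued by this IdP
        return self._pending.pop(raw[22:], None)  # pop: each artifact resolves once


class ServiceProvider:
    """Artifact receiver: looks up the IdP named by SourceID and pulls the assertion."""

    def __init__(self, idps: list[IdentityProvider]) -> None:
        self._by_source = {idp.source_id: idp for idp in idps}

    def artifact_receiver(self, artifact_b64: str) -> str | None:
        raw = base64.b64decode(artifact_b64)
        idp = self._by_source.get(raw[2:22]) if len(raw) == 42 else None
        return idp.resolve(artifact_b64) if idp else None  # the "pull"


def demo_pull() -> tuple[str | None, str | None]:
    """Constructed exchange: first pull yields the assertion, a replay yields None."""
    idp = IdentityProvider("https://idp.example.org/")  # constructed URL
    sp = ServiceProvider([idp])
    art = idp.inter_site_transfer("<Assertion>alice</Assertion>")  # constructed
    return sp.artifact_receiver(art), sp.artifact_receiver(art)
```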

Note that a conforming SAML 1.1 identity provider must provide an inter-site transfer service. Similarly, a SAML 1.1 service provider must provide an assertion consumer service.