AwkwardCoder

Reputation: 25631

SAML (Security Assertion Markup Language) - Can this be implemented via network infrastructure?

I've possibly got to implement SAML for a couple of sites we have and I was wondering if this kind of requirement can be implemented in infrastructure technologies like Active Directory or do I have to implement the solution in application code?

Cheers

Ollie

Upvotes: 2

Views: 835

Answers (2)

Just to clarify, ADFS leverages the SAML token but is NOT interoperable with the SAML protocol. Since you need to support SAML for your websites, then you'd need to implement the same SAML protocol as your SSO partners will be using - either 2.0, 1.1 or 1.0.

We have a lot of info about SAML in the information library portion of our website: http://www.pingidentity.com/information-library/index.cfm

Of course, we also offer a simple and secure solution for these requirements - PingFederate.

Upvotes: 2

Jim W

Reputation: 4970

I think ADFS supports this so you shouldn't have to write any code. Just do some configuration tweaking.

AD FS implements the standards based WS-Federation protocol and Security Assertion Markup Language (SAML). http://msdn.microsoft.com/en-us/library/bb897402.aspx

However, you might need to tweak some code based on how the domains and usernames are handled. For example, if the app just uses the username as a key and there's another guy in a different domain/directory with the same username then you'll have problems. If they use domain/username, then it would be less of a problem, but you might still have collisions based on how the user authentication and lookups are handled.

There are some commercial products provided by Ping Identity and RSA (EMC) that do some of the SAML work for you, too.

Note that I'm a dev and not an AD/networking guy (so I could be wrong about AD stuff), but I'll be working with this in the near future to integrate some of my intranet sites to our various sibling companies/divisions who are on different networks/directories.

Upvotes: 2
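
The username collision described in the answer above, as an added example that is not part of the original posts: two identity providers each assert a user named `jsmith`, and the application maps them to local accounts first by username alone, then by issuer plus NameID. The issuer URLs, the `AccountStore` class and the sample assertions are constructed for illustration, and the code assumes each assertion's signature and conditions were already validated by the SAML stack in use.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, trimmed SAML 2.0 assertions (no signature); issuers and names are made up.
TEMPLATE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<saml:Issuer>{issuer}</saml:Issuer>"
    "<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
    "</saml:Assertion>"
)
SAMPLES = [
    TEMPLATE.format(issuer="https://idp.division-a.example", name_id="jsmith"),
    TEMPLATE.format(issuer="https://idp.division-b.example", name_id="jsmith"),
]

def identity_from_assertion(xml_text):
    """Return (issuer, name_id) from an assertion assumed to be already verified."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not issuer or not name_id:
        raise ValueError("assertion lacks Issuer or NameID")
    return issuer.strip(), name_id.strip()

class AccountStore:
    """Hypothetical local account table, keyed by whatever key_func returns."""
    def __init__(self, key_func):
        self.key_func = key_func
        self.accounts = {}

    def login(self, xml_text):
        key = self.key_func(*identity_from_assertion(xml_text))
        # First sight of a key provisions a local account; later logins reuse it.
        return self.accounts.setdefault(key, len(self.accounts) + 1)

def by_username(issuer, name_id):
    return name_id            # weak: ignores which directory vouched for the user

def by_issuer_and_name(issuer, name_id):
    return (issuer, name_id)  # scoped: the same name at another IdP is another user

def run_demo():
    weak, scoped = AccountStore(by_username), AccountStore(by_issuer_and_name)
    return [weak.login(x) for x in SAMPLES], [scoped.login(x) for x in SAMPLES]

if __name__ == "__main__":
    print(run_demo())
```

With the username-only key both users land in local account 1; with the issuer-scoped key they get separate accounts.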
