1. SAML allows organizations to easily share identity data.
SAML stands for "Security Assertion Markup Language." It is an XML-based standard for communicating identity information between organizations across Internet domains. The ability to pass secure identity data across organizational boundaries in this way is a capability called "federated identity".
SAML is standardized under the OASIS Security Services Technical Committee (SSTC). The SAML 2.0 specification set is comprised of rules for the structure of identity assertions, protocols for moving assertions from place to place, bindings of protocols to typical message transport mechanisms, and profiles that tie all the above into interoperable patterns for common use cases (e.g. browser single sign-on, Web Services Security, etc.).
2. SAML asserts trust.
A SAML assertion is an XML document that contains identifying information about a particular subject, i.e., a person, company, application, or system. Organizations that trust each other use SAML assertions to exchange identity data.
There are three key parties in a SAML connection: the user, the identity provider (IdP), who maintains a directory of users and some mechanism for authenticating users, and the service provider (SP), who owns and maintains the target application, data or service.
3. SAML improves security.
Entering usernames and passwords on the Internet has become a significant security challenge. SAML and federated identity can eliminate many phishing opportunities. They also reduce sharing and impersonation of usernames and passwords, remove usage barriers, and eliminate risky proprietary SSO implementations that are vulnerable to attacks.
4. SAML increases usability.
• No additional passwords are necessary to remember or maintain.
• Users simply click a link and they are in. (These are the same actions they take for internal applications, too.)
• The user goes directly to the application in the same way as if the application were on their local network.
5. SAML facilitates reusability of technology.
• Once one connection is set up, you can set up additional ones using the same SAML software because SAML is a commonly-used standard.
• IdPs can federate identities with SaaS and BPO (Business Process Outsourcing) providers.
• SPs can federate identities with multiple customers: this eliminates the security risks, development burdens and maintenance overhead of proprietary systems.
6. SAML decreases administrative costs.
Fewer helpdesk calls are generated by users on SAML-designed systems, and there is less duplicated effort by users, developers and IT staff.
7. Not all SAML versions are compatible.
There are three versions of SAML: SAML 1.0, SAML 1.1, and SAML 2.0. The versions are not all compatible with each other, so when choosing an identity provider you need to confirm which version it supports. SAML 1.0 was released in 2002, SAML 1.1 in 2003, and SAML 2.0 in 2005. The first two versions are compatible with each other, but the third is not compatible with the previous two.
Ping Identity's PingFederate 5.0 includes a new feature called Auto-Connect, a function based on capabilities already available in SAML 2.0. The dynamic federation techniques that make Auto-Connect possible can readily be standardized without requiring changes to the core SAML 2.0 specification.
8. PingFederate supports all versions of SAML.
PingFederate is Ping Identity's flagship product. Ping Identity's dedication to delivering secure Internet single sign-on software and services for over 150 customers has earned us recognition as the market leader. PingFederate®, the world's first rapidly deployable identity federation software, provides users safe access to Internet applications without the need to re-login.
PingFederate provides flexible, integrated support for all versions of the SAML protocol (1.0 through 2.0). In addition, PingFederate supports the WS-Federation browser-based, "passive" protocol using SAML assertions as SSO-enabling security tokens. (For further information, see the PingFederate Getting Started guide.)
SAML 1.x Profiles
• SAML 1.0 and 1.1 profiles provide for SSO, initiated by an IdP, using either the POST or artifact bindings. In addition, the specifications provide for a non-normative SP-initiated scenario (called "destination-first"), which allows Web developers to create applications that enable a user to initiate SSO from the SP site.
SAML 2.0 Profiles
• PingFederate supports these major profiles defined under the SAML 2.0 standard: Single Sign-on, Single Logout, Attribute Query and XASP, IdP Discovery.
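The following is an added example, not code from the original post or from Ping Identity's products. It walks through the SAML 2.0 Web Browser SSO profile in its SP-initiated form over the HTTP-POST binding, tying together the assertion structure from section 2 (subject, issuer, conditions) and the SSO profile listed above: the SP issues an AuthnRequest, the IdP answers with a Response carrying an Assertion, the Response is base64-encoded into the SAMLResponse form field as the POST binding requires, and the SP then applies the checks (matching request ID, trusted issuer, audience, validity window, bearer confirmation) that let it trust the assertion. All entity IDs, URLs and the subject name are constructed sample values. XML Signature verification is intentionally left out; a real SP must verify the Response or Assertion signature with an XML-DSig library before any of these checks mean anything.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

# Constructed sample identifiers for the service provider and identity provider.
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.org/metadata"
IDP_SSO_URL = "https://idp.example.org/saml/sso"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _iso(dt):
    return dt.strftime(TIME_FMT)


def _new_id():
    # SAML IDs are xs:ID values and must not start with a digit.
    return "_" + secrets.token_hex(16)


def build_authn_request(now):
    """SP side: SP-initiated SSO begins with an AuthnRequest addressed to the IdP."""
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": _new_id(), "Version": "2.0", "IssueInstant": _iso(now),
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = SP_ENTITY_ID
    return req


def build_response(authn_request, subject, now, audience=SP_ENTITY_ID, lifetime=timedelta(minutes=5)):
    """IdP side (user authentication itself is out of scope): issue an Assertion bound
    to the request via InResponseTo and to the SP via AudienceRestriction."""
    req_id = authn_request.get("ID")
    resp = ET.Element(f"{{{NS_SAMLP}}}Response", {
        "ID": _new_id(), "Version": "2.0", "IssueInstant": _iso(now),
        "Destination": SP_ACS_URL, "InResponseTo": req_id})
    ET.SubElement(resp, f"{{{NS_SAML}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{NS_SAMLP}}}Status")
    ET.SubElement(status, f"{{{NS_SAMLP}}}StatusCode", {"Value": SUCCESS})
    a = ET.SubElement(resp, f"{{{NS_SAML}}}Assertion",
                      {"ID": _new_id(), "Version": "2.0", "IssueInstant": _iso(now)})
    ET.SubElement(a, f"{{{NS_SAML}}}Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, f"{{{NS_SAML}}}Subject")
    ET.SubElement(subj, f"{{{NS_SAML}}}NameID",
                  {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}).text = subject
    sc = ET.SubElement(subj, f"{{{NS_SAML}}}SubjectConfirmation",
                       {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(sc, f"{{{NS_SAML}}}SubjectConfirmationData", {
        "InResponseTo": req_id, "Recipient": SP_ACS_URL, "NotOnOrAfter": _iso(now + lifetime)})
    cond = ET.SubElement(a, f"{{{NS_SAML}}}Conditions",
                         {"NotBefore": _iso(now), "NotOnOrAfter": _iso(now + lifetime)})
    ar = ET.SubElement(cond, f"{{{NS_SAML}}}AudienceRestriction")
    ET.SubElement(ar, f"{{{NS_SAML}}}Audience").text = audience
    return resp


def encode_for_post_binding(response):
    """HTTP-POST binding: the Response XML travels base64-encoded in the SAMLResponse
    field of an HTML form that the browser auto-submits to the SP's ACS URL."""
    return base64.b64encode(ET.tostring(response, encoding="utf-8")).decode("ascii")


def validate_saml_response(saml_response_b64, expected_request_id, now, trusted_idps=(IDP_ENTITY_ID,)):
    """SP side: decode the POST payload and apply the checks that turn a received
    assertion into a trusted identity. Returns the NameID, or raises ValueError."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS_SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    # (1) Tie the response to a request this SP actually issued (rejects unsolicited/replayed responses).
    if root.get("InResponseTo") != expected_request_id or root.get("Destination") != SP_ACS_URL:
        raise ValueError("InResponseTo or Destination does not match this SP's request")
    code = root.find(f"{{{NS_SAMLP}}}Status/{{{NS_SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find(f"{{{NS_SAML}}}Assertion")
    if assertion is None:
        raise ValueError("no Assertion in Response")
    # (2) Only accept assertions from an issuer this SP has federated with.
    issuer = assertion.findtext(f"{{{NS_SAML}}}Issuer")
    if issuer not in trusted_idps:
        raise ValueError(f"untrusted issuer {issuer!r}")
    # (3) The assertion must be addressed to this SP, not to some other audience.
    audiences = [e.text for e in assertion.iterfind(
        f"{{{NS_SAML}}}Conditions/{{{NS_SAML}}}AudienceRestriction/{{{NS_SAML}}}Audience")]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("AudienceRestriction does not include this SP")
    # (4) Enforce the validity window so a captured assertion cannot be reused later.
    cond = assertion.find(f"{{{NS_SAML}}}Conditions")
    not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    # (5) Bearer confirmation must name this request and this ACS endpoint.
    scd = assertion.find(f"{{{NS_SAML}}}Subject/{{{NS_SAML}}}SubjectConfirmation/"
                         f"{{{NS_SAML}}}SubjectConfirmationData")
    if scd is None or scd.get("InResponseTo") != expected_request_id or scd.get("Recipient") != SP_ACS_URL:
        raise ValueError("SubjectConfirmationData does not match this request")
    return assertion.findtext(f"{{{NS_SAML}}}Subject/{{{NS_SAML}}}NameID")


def sso_round_trip(subject="alice@example.com", skew_seconds=0, audience=SP_ENTITY_ID):
    """Run the whole exchange with a fixed clock; skew_seconds shifts the SP's clock at validation."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    req = build_authn_request(now)
    payload = encode_for_post_binding(build_response(req, subject, now, audience=audience))
    return validate_saml_response(payload, req.get("ID"), now + timedelta(seconds=skew_seconds))


def sso_failure_reason(**kwargs):
    """Return the message of the check that failed, or None if the round trip succeeds."""
    try:
        sso_round_trip(**kwargs)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print("authenticated subject:", sso_round_trip())
    print("stale assertion:", sso_failure_reason(skew_seconds=600))
```

Running the script prints the authenticated subject for the happy path and the reason an assertion presented ten minutes late is rejected. The checks are ordered so that the cheapest structural failures are reported first; in a deployed SP the same list would be preceded by signature verification against the IdP's metadata certificate and followed by replay tracking of assertion IDs until their NotOnOrAfter time.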
9. PingFederate can save as much as 90% of typical SAML deployment costs.
We've interviewed competitors' users who have also federated with PingFederate: we have consistently found that PingFederate projects take far less time and cost far less. In fact, several customers have reported 90% savings in both project duration and cost.
10. PingFederate eliminates upgrades of existing systems just to implement SAML.
Many competitors' customers have told us that such upgrades are difficult, if not impossible, in production environments. Unlike PingFederate, other identity management systems require upgrades to their implementation to get SAML's benefits.