The SAML V2.0 Profiles specification defines profiles for the use of SAML assertions and request-response messages in communications protocols and frameworks, as well as profiles for SAML attribute value syntax and naming conventions.
The intent of this specification is to specify a selected set of profiles of various kinds in sufficient detail to ensure that independently implemented products will interoperate.
In other words, SAML profiles exist so that independently developed products can interoperate (and how is that achieved? by specifying a sufficient set of details).
4. SSO Profile of SAML
A set of profiles is defined to support SSO for browsers and other client devices:
1. A web browser-based profile is defined to support web SSO;
2. An additional web SSO profile is defined to support enhanced clients;
3. Profiles for the single logout and name identifier management protocols are defined;
4. An IdP discovery profile is defined (using a cookie).
4.1 web browser SSO profile
Either the HTTP POST, or HTTP Artifact binding can be used to transfer the message to the service provider through the user agent. The message may indicate an error, or will include (at least) an authentication assertion. The HTTP Redirect binding MUST NOT be used, as the response will typically exceed the URL length permitted by most user agents.
When the SP initiates the exchange: The service provider is free to use any means it wishes to associate the subsequent interactions with the original request. Each of the bindings provide a RelayState mechanism that the service provider MAY use to associate the profile exchange with the original request. The service provider SHOULD reveal as little of the request as possible in the RelayState value unless the use of the profile does not require such privacy measures.
SSL or TLS is recommended to protect the integrity and confidentiality of the messages. If the request issuer must be authenticated, the request can be signed. If the HTTP Artifact binding is used, the request issuer is also authenticated when the artifact is dereferenced.
It is RECOMMENDED that the HTTP exchanges in this step be made over either SSL 3.0 [SSL3] or TLS 1.0 [RFC2246] to maintain confidentiality and message integrity. The message MAY be signed, if authentication of the request issuer is required. The HTTP Artifact binding, if used, also provides for an alternate means of authenticating the request issuer when the artifact is dereferenced.
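To make the SP-initiated rules above concrete (opaque RelayState that reveals nothing about the original request, response accepted only over HTTP-POST or HTTP-Artifact, error status versus assertion, InResponseTo matching), here is an added Python sketch of a hypothetical service provider. It is not code from the specification or from any SAML library; the entity ID, URLs and the unsigned sample Response are constructed for the example, and XML signature, Conditions and SubjectConfirmation validation are deliberately left out.

```python
import base64
import secrets
import xml.etree.ElementTree as ET  # use defusedxml in production to resist entity attacks

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

class ServiceProvider:
    """Hypothetical SP: request state is kept server-side, RelayState is an opaque handle."""
    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.pending = {}  # opaque RelayState -> {"request_id", "return_to"}

    def start_sso(self, return_to):
        # RelayState is a random token, so the user agent and IdP learn nothing about return_to
        request_id = "_" + secrets.token_hex(16)
        relay_state = secrets.token_urlsafe(24)
        self.pending[relay_state] = {"request_id": request_id, "return_to": return_to}
        authn_request = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="%s" Version="2.0">'
                         '<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
                         % (NS["samlp"], NS["saml"], request_id, self.entity_id))
        return relay_state, authn_request

    def receive_response(self, binding, saml_response_b64, relay_state):
        # The profile forbids HTTP-Redirect for the Response; only POST or Artifact is accepted
        if binding not in ("HTTP-POST", "HTTP-Artifact"):
            raise ValueError("Response binding not allowed: " + binding)
        state = self.pending.pop(relay_state, None)  # single use: a replayed handle fails
        if state is None:
            raise ValueError("unknown or already used RelayState")
        root = ET.fromstring(base64.b64decode(saml_response_b64))
        if root.get("InResponseTo") != state["request_id"]:
            raise ValueError("Response does not answer the outstanding AuthnRequest")
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        if code is None or code.get("Value") != SUCCESS:
            raise ValueError("IdP reported an error status")  # error Response, no assertion expected
        if root.find("saml:Assertion", NS) is None:
            raise ValueError("successful Response carries no assertion")
        # Signature, Conditions, AudienceRestriction and SubjectConfirmation checks omitted here
        return state["return_to"]

def sample_response(request_id, success=True):
    """Constructed, unsigned IdP Response used only to exercise the SP above."""
    status = SUCCESS if success else "urn:oasis:names:tc:SAML:2.0:status:Responder"
    body = '<saml:Assertion ID="_a1" Version="2.0"/>' if success else ""
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" InResponseTo="%s">'
           '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>%s</samlp:Response>'
           % (NS["samlp"], NS["saml"], request_id, status, body))
    return base64.b64encode(xml.encode()).decode()
```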