SAML, XACML, and SPML from a CISSP and CCSP Mindset


Identity and Access Management is mainly concerned with managing identities and managing access to assets. The following topic is very important for the CISSP and CCSP exams.

Security Assertion Markup Language (SAML) combines authentication and authorization information

  • The advantages of SAML:
    • It reduces the number of logins a user has to perform across different platforms by reusing the same set of credentials
    • It reduces administration overhead by removing the cost of maintaining the multiple credential sets that would otherwise be required
    • One identity provider (IdP) may provide SAML assertions to many service providers (SPs). Similarly, one SP may rely on and trust assertions from many independent IdPs
  • Roles in SAML
    • The principal or user (I want to book tickets)
    • Identity Provider (e.g. Gmail, where my ID was created)
    • Service Provider (the website that offers me ticket services)
  • Exam areas you must know
    • Who initiates the SAML request = Identity Provider
    • Who consumes the SAML token = Service Provider
  • How does SAML work
    • The user begins by logging into their single sign-on system as usual. The identity provider (usually the IT department of the employer's business) has a federated solution that records this login; it comes into action and authorizes the user.
    • When the user wants to access a specific SaaS application, the federated software communicates with software at the SaaS service provider to let it know the login is authentic. This is sent as a unique, digitally signed XML token.
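
The second step above is where the Service Provider consumes the token. The following is an added example (not code from the original notes) of the checks an SP performs before trusting a SAML assertion: issuer, presence of a signature, validity window and audience. The assertion, the IdP and SP entity IDs, and the timestamps are constructed placeholders; cryptographic verification of the XML signature against the IdP's certificate is a separate step, noted in a comment, that this example does not perform.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample assertion: a signed token the IdP would hand to the SP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_placeholder-id" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://tickets.example.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z"/>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_assertion(xml_text, trusted_idp, my_entity_id, now=None):
    """SP-side consumption of a SAML assertion.
    Returns (accepted, reason, subject). `now` may be a SAML timestamp string,
    a timezone-aware datetime, or None for the current time.
    Note: real deployments must also verify the XML-DSig signature against the
    IdP's known certificate (e.g. with an xmlsec library); not done here."""
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    root = ET.fromstring(xml_text)
    # 1. Only trust assertions from the IdP we federated with.
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_idp:
        return False, "untrusted issuer", None
    # 2. An unsigned assertion must never be accepted.
    if root.find("ds:Signature", NS) is None:
        return False, "assertion is not signed", None
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", None
    # 3. Reject expired or not-yet-valid tokens (limits replay).
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window", None
    # 4. The token must be addressed to this SP, not to some other SP.
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        return False, "assertion not intended for this SP", None
    return True, "ok", root.findtext("saml:Subject/saml:NameID", namespaces=NS)
```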

Service Provisioning Markup Language (SPML) is used to exchange provisioning information between organizations in a federation

  • SPML is used for federated identity. SPML builds on DSML (Directory Services Markup Language), which presents LDAP information in an XML format, which is useful for federated systems.
  • SPML is used to initiate XML-based provisioning/de-provisioning processes from the identity provider to its target service providers. SPML allows out-of-band account creation requirements to be bypassed by using provisioning/synchronization mechanisms from LDAP or a database.
  • SPML has three entities
    • Requesting Authority (RA): issues SPML requests
    • Provisioning Service Provider (PSP): listens for and processes SPML requests
    • Provisioning Service Target (PST): the request endpoint that supports the core operations

Extensible Access Control Markup Language (XACML)

  • Presents a standard for assessing authorization requests
  • It is used to express security policies and access rights to assets provided through web services and other enterprise applications
  • It deals with authorization
  • XACML is a standard language for access control that allows communication between the access control system and its implementation, even if they come from different vendors
  • The policies on which ABAC (attribute-based access control) operates are formulated in a structured language called XACML

Exam point: A federated identity is an SSO-based identity that is portable among different organizations within a federation. Federated identity management systems use HTML-based and XML-based languages to distribute authentication and authorization information to each other. Many web solutions have implemented federated identity management systems to streamline the client experience when obtaining services from partner organizations in a federation.

  1. SAML = Authentication and Authorization
  2. SPML = Provisioning
  3. XACML = Authorization only