Welcome to Microsoft .NET Framework 3.0 Community (NetFx3)

WCF Community Bloggers

SAML and Federated Identity 101 (Part 1)

I am dealing with some tough SAML issues, with Michele's help, and I thought I would put in some review notes on SAML for other people to benefit as well. The reference for this material was the book Securing Web Services with WS-Security.

Introduction

In the past, there was no real need to share identities from one organization or company to another. This has changed quite a bit with SOA, services and the Internet, with increased collaboration across trust domains. The need for federation of security attributes has become critical.

Some Definitions

Identity - An individual or entity (machine) representing itself for consideration.
Subject - An entity asserting its identity.
Credentials - Created when a subject's identity is initially established and verified in some trust domain by some third party.
Portable - Credentials are portable when a subject's identity is verified in one trust domain and the subject wants to assert its identity and rights in another trust domain.
Assertion - A claim made when some subject identity wants to do something. Assertions may be challenged and proven.
Authentication - An assertion that a subject is who they say they are.
Authorization - An assertion that the subject identity is allowed to do something.

Why SAML?

XML and/or SOAP has no standardized and interoperable way for two different entities in two different trust domains to communicate their security properties and establish trust. Security Assertion Markup Language (SAML) is the XML standard Read More...

Copyright © 2007 Microsoft Corporation. All Rights Reserved.