Tuesday, September 17, 2013

Markup languages and protocols

I've previously discussed different technologies that help facilitate access management such as directories, web access management software, and single sign-on systems. These devices are great and can make an administrator's life much easier, but how do they communicate with other systems? All of these systems are dealing with data such as user names, passwords, and permissions and need the ability to share that information with other systems.

As is true whenever communication occurs between systems, there are protocols and markup languages that control how this information is transported and viewed. The best-known example is the HTTP protocol and the HTML language (yes, I know it sounds redundant) that are used for web traffic. Another well-known markup language forms the basis of two security-specific languages that we will discuss shortly. This language is XML.

Service Provisioning Markup Language (SPML) and Security Assertion Markup Language (SAML) are two commonly used languages for transferring user security information. SPML is primarily used to manage account creation, modification, and deletion. The process is as simple as an SPML client sending a request, written in SPML of course, to an SPML server, which then reviews the request before forwarding it on to the provisioning target. The provisioning target is the entity that actually carries out the request.

SAML is most often used in single sign-on web systems to streamline the process of users moving from system to system. After a user has signed in to one service, they often need to be moved on to another in order to complete whatever they're doing. When the user wants to transition from one system to another, SAML is used to transport information about their session to the next system.

Transmission of SAML data can take place over different protocols, but the most common one is Simple Object Access Protocol (SOAP). SOAP provides a standardized way to transport data such as SAML across systems. When the receiving system gets a SOAP packet, the protocol tells it what kind of information the packet holds so that it knows what to do with it. Since this communication takes place over the web, the SOAP packet is contained within an HTTP packet. Below is a diagram outlining this.
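The layering described above (an HTTP message carrying a SOAP envelope, which carries a SAML assertion), as an added Python example that is not part of the original post: it unwraps a constructed SOAP message and accepts the assertion only when its validity window and audience match the receiving service. The hostnames and IDs in the sample are made up, and the example assumes the SAML 2.0 namespaces.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the SOAP body carried in an HTTP POST, holding a SAML 2.0
# Response from a hypothetical identity provider (idp.example).
SOAP_MESSAGE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_resp1" Version="2.0" IssueInstant="2013-09-17T12:00:00Z">
      <saml:Issuer>https://idp.example/</saml:Issuer>
      <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-09-17T12:00:00Z">
        <saml:Issuer>https://idp.example/</saml:Issuer>
        <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
        <saml:Conditions NotBefore="2013-09-17T12:00:00Z"
                         NotOnOrAfter="2013-09-17T12:05:00Z">
          <saml:AudienceRestriction>
            <saml:Audience>https://sp.example/</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
      </saml:Assertion>
    </samlp:Response>
  </soap:Body>
</soap:Envelope>"""

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def accept_assertion(soap_xml, expected_audience, now):
    """Unwrap SOAP -> SAML and return the asserted subject if the assertion is
    valid for this service at time `now`; otherwise return None.
    Signature verification (XML-DSig) is out of scope here; a real service
    provider must verify the IdP's signature before trusting any field."""
    root = ET.fromstring(soap_xml)
    a = root.find("soap:Body/samlp:Response/saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS) if a is not None else None
    if cond is None:
        return None  # nothing to trust without an assertion and its conditions
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        return None  # outside the validity window (stale or replayed)
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return None  # issued for a different service provider
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```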
