
Authenticate using SAML

Security Assertion Markup Language, or SAML, is an XML-based specification that defines how an identity provider (a SAML authority) and a service provider can exchange authentication and authorization data. It is developed and maintained by the Organization for the Advancement of Structured Information Standards (OASIS).
SAML is a network protocol. It stipulates that an identity provider must generate a SAML assertion containing information about an authenticated user, which is then transported over HTTP to a SAML service provider. A single SAML assertion can be used as an authentication token by many service providers across different security domains, enabling enterprises to implement cross-domain Single Sign-On (SSO).
SAML-based SSO benefits both application users and enterprises. It enables users to access multiple applications without having to log in each time. For enterprises, using an identity provider as a SAML authority gives them the ability to manage users, roles, and permissions from a central authentication and authorization repository.
Progress Application Server for OpenEdge (PAS for OpenEdge) supports the latest version of SAML, SAML 2.0. A PAS for OpenEdge web application can be configured to act as a SAML service provider, thus enabling an OpenEdge domain to participate in a cross-domain SAML SSO implementation.
Note that PAS for OpenEdge does not act as a direct-login service provider. Instead, it is the responsibility of a PAS for OpenEdge client application to accept requests from an end user and communicate with an identity provider to obtain SAML assertions for authenticated users.
Once the PAS for OpenEdge client application receives a SAML assertion from an identity provider, it needs to send the assertion to a PAS for OpenEdge web application, which then validates the assertion. If the validation is successful, PAS for OpenEdge automatically creates an ABL Client-Principal object, which is used to authenticate the user across all parts of the ABL application, including its databases, thus implementing SSO all the way through.
* SAML concepts and terms
* Support for SAML in PAS for OpenEdge
* Implementing SAML in a PAS for OpenEdge web application
* Debug logging for SAML