Question 1. What Is Full Form Of Sam?
Security Assertion Markup Language.
Question 2. What Is Saml?
SAML is XML based data format for exchanging authentication and authorization information between two domains.
Question 3. Is It Open Standard?
Yes, It is.
Question 4. Why Saml Is Designed?
It is designed for Authentication and Authorization to business-to-business (B2B) and business-to-consumer (B2C) clients.
Question 5. What Are Three Assertions In Saml?
Question 6. What Is Difference Between Authentication, Attribute And Authorization?
- Authentication validates the user’s identity whether user is valid OR Not.
- Attribute assertion contains specific information about the particular user.
- Authorization identifies whether user have specific permission or not, after the successful authentication.
Question 7. With Which Protocol Saml Works?
- Hypertext Transfer Protocol (HTTP)
- Simple Mail Transfer Protocol (SMTP)
- File Transfer Protocol (FTP)
- Electronic Business XML (ebXML)
Question 8. What Is Latest Version Of Saml?
SAML 2.0 became an OASIS Standard in March 2005.
Question 9. What Is A Difference Between V2.0 And V1.1?
SAML 2.0 and SAML 1.1 are substantial. Although the two standards address the same use case, SAML 2.0 is incompatible with its predecessor.
Question 10. What Are Main Features Of Saml?
Following are main features of SAML:
- Seamless integration.
- Exchange of information among different security domains.
- Back office Transaction.
- Single-Sign-On – user’s ability to authenticate in one security domain and to use the protected resources of another security domain.
- XML-based framework for security-related sharing information over Internet.
Question 11. What Is Similar Between Openid And Saml?
SAML and OpenID are for authentication/Authorization.
Question 12. What Is The Difference Between Openid And Saml?
Following are difference between OpenId and SAML:
- SAML2 supports single sign-out but OpenID does not support single sing out.
- SAML2 has different bindings while the only binding OpenID has is HTTP.
- SAML2 can be Service Provider (SP) OR Identity Provider (IDP) initiated. But OpenID always SP initiated.
- SAML 2 is based on XML while OpenID is not.
Question 13. Where Is Saml Being Standardized?
SAML is being developed under the auspices of OASIS, the Organization for the Advancement of Structured Information Standards. OASIS has long been a home for development of XML languages and protocols. OASIS hosts several other efforts to standardize security-related information, such as XACML. Many members of the SAML Technical Committee also take part in related standards work in other venues, such as UDDI, W3C, IETF, and the committee has liaison relationships with many of these efforts.
Question 14. When Will Saml Be Done?
SAML 1.0 is at the Committee Working Draft stage and the SAML Technical Committee is actively soliciting feedback. The SAML Technical Committee expects to proceed to a “Last Call” for comments with a revised set of Candidate Committee Specifications on 1 February 2002, and to publish a set of Committee Specifications (a Proposed OASIS Standard) on 1 March 2002.The goal is to achieve a positive result from a vote of OASIS members during the following three months and be published as an OASIS Standard. The OASIS process is described here.
Question 15. Who Is Participating In Saml?
The current TC members are listed here. A substantial majority of the voting members of the TC are affiliated with companies that currently sell access management and PKI products and services.
Question 16. What Are The Major Goals Of Saml 1.0?
The major functional goals of SAML 1.0 are as follows:
- Enabling single sign-on for web users.
- Exchanging authentication and authorization information in a variety of kinds of distributed transaction.
The SAML design reflects the following priorities (in no particular order):
- Provide basic capabilities to allow current access management products to interoperate.
- Provide sufficient functionality to maximize the chances of widespread adoption without requiring substantial proprietary extensions in most cases.
- Produce a specification at an early enough date that organizations will not look for alternative solutions.
- Provide basic support for emerging applications, such as SOAP-enabled e-commerce.
- Identify clear mechanisms for extension, both for closed environments and for future versions of SAML.
Question 17. What Are The Major Issues That Were Postponed To Future Versions Of Saml?
Some large features that were explicitly deferred were:
- Proxy login (pass-thru authentication)
- Dynamic session management
- Interoperability with .Net
- Service location and negotiation
Some performance optimizations and small features have also been deferred. Profiles have been defined for two environments so far, web browsing and SOAP, but additional profile contributions are being solicited.
Question 18. What Will Be The Benefit Of Having All The Major Security Vendors Implement Saml?
Interoperability. Standardizing the interfaces between systems allows for faster, cheaper, and more reliable integration. SAML 1.0 gets part of the way towards this goal, and future addition of features will continue the trend. Also, the future addition of bindings and profiles will open up these benefits to more and different kinds of access management.
Question 19. What Is The Connection Between Acts Of Authentication And Saml Authentication Assertions?
Any entity that can authenticate another entity (verify its identity) can potentially act as an authentication authority and issue a SAML authentication assertion. It is up to relying parties, for example a PDP, to decide what authentication authorities it chooses to trust.
The means of ensuring that the entity making a request and the entity referred to by an assertion are one and the same is dependent on the environment and protocols being used. The general mechanism provided is the Subject Confirmation element, which is intended to carry data appropriate to the environment. Possible mechanisms include an artifact encoded in a URL, a Kerberos service ticket, or a public key associated with signature on a document. SAML profiles will specify the details for different situations.
It is expected that others besides the SAML Technical Committee will define other schemes appropriate for other environments. They might or might not publish these as profiles, but doing so ensures greater interoperability.
Question 20. How Does Saml Protect Against “man-in-the-middle” And “replay” Security Attacks In General?
SAML doesn’t really do anything “in general”. Profiles are expected to prevent or minimize MITM attacks as much as possible given the limitations of the environment in question. The Security and Privacy Considerations document discusses what should be considered.
Question 21. How Is Trust Established Between A Client And A Saml Authority?
SAML is a very general framework which will be used in a wide variety of environments. It is up to relying parties to decide what asserting parties they trust for what purposes. For example, Company A might trust Company B to tell it if an individual was a Company B employee, but not to tell if the employee has a Secret Clearance. Trust relationships must be established out of band. (Also, a certain amount of configuration information, for example network addresses, will have to be exchanged out of band.)
Question 22. Will Saml Pdps Need To Be Configured To Understand Only Selected Authentication Decision Queries?
Any PDP will have policies covering a finite number of resources. If it is asked about a resource for which it has no policies, it will produce an indeterminate response. It is up to the PEP to locate a PDP that knows about the resources it protects. SAML does not provide any automated way of doing this.
Question 23. I Don’t Currently Use Soap. Do I Need To Invent My Own Protocol For Requesting And Getting Saml Assertions?
You are allowed to use SAML requests and responses over any protocol you like. Whether you will be able to interoperate with anybody else is another question. The SOAP-over-HTTP protocol is intended to be very simple to implement and should represent less work than implementing SAML requests and interpreting SAML responses.
Internet Security Interview Questions
Internet Security Tutorial
Computer Network Security Interview Questions
SAP Security Tutorial
SAP Security Interview Questions
Mobile Security Interview Questions
Mobile Security Tutorial
Computer Security Interview Questions
Internet Security Interview Questions
Computer Security Tutorial
Java security Interview Questions
Web Security Interview Questions
Computer Network Security Interview Questions
PeopleSoft Security Interview Questions
Application Security Interview Questions