SAML 2.0 password authentication

Question

I'm aware of how SAML is used for single sign on (SSO). That is, redirection to IDP from SP and getting the user's identity from the SAML response/assertion.

My question is - Does SAML 2.0 specification define how to pass username and password as part of a SAML request xml for authentication? Note that I'm not talking about single sign on and just want authentication of username/password.

Thanks,

Answer 1

The SAML standard supports passing a user identifier in the <saml:Subject> field of the <AuthnRequest> (ie the request for authentication).

There is however no built in support for passing a password as part of the AuthnRequest . IMHO doing so goes against the principles of SAML2 as that expects the Idp to only use a password when authenticating. Normally the Idp may use any means it finds suitable to confirm the identity of the subject. That could be a password, but also a certificate or a one time pad exchange over SMS. Or something else - it's up to the Idp.

That said, there is an <Extensions> element in the <AuthnRequest> that could be used to carry a password. Doing so would require careful security considerations as the AuthnRequest contents are not designed to be kept secret. If using the Http Redirect binding the contents are logged in a web server and visible in browser history. If using the Http POST binding the password is still visible to the browser. I would suggest using the SOAP or Artifact binding to make sure the data is transferred directly from the SP to the Idp. Note however that those bindings have considerable less support in frameworks.