
SAML is an XML format for passing around statements about authorisation and, where needed, authentication. Such statements are usually signed, using the XML signing standards.

XML signing is cheered on by people who think XML is a solution for everything; it is frowned upon by engineers who know it is just a syntax, and especially by cryptographers, who tend to consider the XML signing standard too frivolous, with its abundance of formatting and transformation options. In general, a good implementation of XML signing is complex to build, especially when a high level of security is required.

Having said that, SAML is quickly emerging as a communication standard for authorisation statements, and especially so in the field of attribute-based decisions; for instance, you don't pass your birth date to a server, but rather the fact that you are eligible for the service you are requesting. The decision may be made by an intermediate party that sees the birth date but does not pass it on; instead it evaluates the constraints posed by the service and asserts only the outcome.
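The intermediary pattern described above, as an added example that is not code from this page: the party that sees the birth date evaluates the service's age constraint and issues a minimal SAML 2.0 AttributeStatement carrying only the outcome, never the birth date itself. The attribute name urn:example:eligible, the issuer and the subject are constructed sample values, and the assertion is left unsigned, whereas a real one would carry an XML signature.

```python
from datetime import date
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace (from the OASIS standard).
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)


def age_on(birth_date: date, as_of: date) -> int:
    """Completed years of age on as_of; a birthday not yet reached this year counts one less."""
    years = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def decide_eligibility(birth_date: date, min_age: int, as_of: date) -> bool:
    """The intermediary's decision: only it sees the birth date, the service sees the outcome."""
    return age_on(birth_date, as_of) >= min_age


def build_attribute_assertion(issuer: str, subject_id: str, attributes: dict) -> str:
    """Serialise a minimal, unsigned SAML 2.0 Assertion holding exactly the given attributes."""
    tag = lambda name: f"{{{SAML_NS}}}{name}"
    assertion = ET.Element(tag("Assertion"), Version="2.0")
    ET.SubElement(assertion, tag("Issuer")).text = issuer
    subject = ET.SubElement(assertion, tag("Subject"))
    ET.SubElement(subject, tag("NameID")).text = subject_id
    statement = ET.SubElement(assertion, tag("AttributeStatement"))
    for name, value in attributes.items():
        attribute = ET.SubElement(statement, tag("Attribute"), Name=name)
        # Booleans are rendered as the xs:boolean literals "true"/"false".
        text = str(value).lower() if isinstance(value, bool) else str(value)
        ET.SubElement(attribute, tag("AttributeValue")).text = text
    return ET.tostring(assertion, encoding="unicode")


def assert_eligibility(birth_date: date, min_age: int, as_of: date,
                       issuer: str, subject_id: str) -> str:
    """Full intermediary step: evaluate the constraint, emit only the derived attribute."""
    eligible = decide_eligibility(birth_date, min_age, as_of)
    # Constructed attribute name; a deployment would use its federation's agreed name.
    return build_attribute_assertion(issuer, subject_id, {"urn:example:eligible": eligible})


if __name__ == "__main__":
    # Constructed sample data: a user born 15 March 2000, checked on 14 March 2018.
    print(assert_eligibility(date(2000, 3, 15), 18, date(2018, 3, 14),
                             "https://idp.example.org", "alice@example.org"))
```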

The tricky part is to achieve two things: a standard for expressing what SAML can offer, so that any site can use it from any asserting party, and a trust mechanism between the parties that assert and the services that use the outcome. The latter can be difficult to establish outside of federative contexts, for instance on the Internet at large.

SAML assertions are commonly passed over HTTP in query strings, but they may also be passed by other means, such as Moonshot.