Identity provider (SAML)

A SAML identity provider is a system entity that issues authentication assertions in conjunction with a single sign-on (SSO) profile of the Security Assertion Markup Language (SAML).

In the SAML domain model, a SAML authority is any system entity that issues SAML assertions. [OS 1] Two important examples of SAML authorities are the authentication authority and the attribute authority.

Definition

[edit]

A SAML authentication authority is a system entity that produces SAML authentication assertions. Likewise a SAML attribute authority is a system entity that produces SAML attribute assertions.

A SAML authentication authority that participates in one or more SSO Profiles of SAML[OS 2] is called a SAML identity provider (or simply identity provider if the domain is understood). For example, an authentication authority that participates in SAML Web Browser SSO is an identity provider that performs the following essential tasks:

  1. receives a SAML authentication request from a relying on party via a web browser
  2. authenticates the browser user principal
  3. responds to the relying party with a SAML authentication assertion for the principal

In the previous example, the relying on party that receives and accepts the authentication assertion is called a SAML service provider.

A given SAML identity provider is described by an <md:IDPSSODescriptor> element defined by the SAML metadata schema.[OS 3] Likewise, a SAML service provider is described by an <md:SPSSODescriptor> metadata element.

In addition to an authentication assertion, a SAML identity provider may also include an attribute assertion in the response. In that case, the identity provider functions as both an authentication authority and an attribute authority.

See also

[edit]

References

[edit]
  1. ^ J. Hodges et al. Glossary for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard, March 2005. Document identifier: saml-glossary-2.0-os http://docs.oasis-open.org/security/saml/v2.0/saml-glossary-2.0-os.pdf
  2. ^ J. Hughes et al. Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard, March 2005. Document identifier: saml-profiles-2.0-os http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf (for the latest working draft of this specification with errata, see: https://www.oasis-open.org/committees/download.php/56782/sstc-saml-profiles-errata-2.0-wd-07.pdf)
  3. ^ Metadata Schema for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard, March 2005. Document identifier: saml-schema-metadata-2.0 http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd