Identity provider (SAML)

A SAML identity provider is a system entity that issues authentication assertions in conjunction with a single sign-on (SSO) profile of the Security Assertion Markup Language (SAML).

In the SAML domain model, a SAML authority is any system entity that issues SAML assertions.[OS 1] Two important examples of SAML authorities are the authentication authority and the attribute authority.

Definition

A SAML authentication authority is a system entity that produces SAML authentication assertions. Likewise a SAML attribute authority is a system entity that produces SAML attribute assertions.

A SAML authentication authority that participates in one or more SSO Profiles of SAML[OS 2] is called a SAML identity provider (or simply identity provider if the domain is understood). For example, an authentication authority that participates in SAML Web Browser SSO is an identity provider that performs the following essential tasks:

  1. receives a SAML authentication request (an <samlp:AuthnRequest>) from a relying party, relayed through the user's web browser
  2. authenticates the principal, i.e. the browser user, by whatever means it chooses (password, certificate, multi-factor, an existing session)
  3. responds to the relying party, again through the browser, with a <samlp:Response> carrying a SAML authentication assertion for the principal

In the previous example, the relying party that receives and accepts the authentication assertion is called a SAML service provider. Before accepting it, the service provider verifies the signature on the response or assertion, checks that the assertion is addressed to it (the <saml:Audience> and the bearer <saml:SubjectConfirmationData> Recipient), that it is still within its validity period, and that it answers a request the service provider actually issued (InResponseTo).

A given SAML identity provider is described by an <md:IDPSSODescriptor> element defined by the SAML metadata schema.[OS 3] Likewise a SAML service provider is described by an <md:SPSSODescriptor> metadata element.

In addition to an authentication assertion, a SAML identity provider may also include an attribute assertion in the response. In that case, the identity provider functions as both an authentication authority and an attribute authority.
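The three tasks listed above, together with the optional attribute statement just described, as a worked exchange between the two sides. This is an added example, not code from the page or from any SAML implementation: the entity IDs and the assertion consumer service URL are assumed, the IdP's login step is stubbed as a callback, and XML Signature processing is deliberately left out so that the script runs with the Python standard library alone (a real deployment must sign and verify; see the comments). The service-provider side performs the acceptance checks an SP is required to make on a bearer assertion.

```python
"""Constructed, simplified SAML 2.0 Web Browser SSO exchange (example code)."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Hypothetical entity IDs and endpoint, assumed for this example (not from the page).
SP_ENTITY_ID = "https://sp.example.org/metadata"
SP_ACS_URL = "https://sp.example.org/saml/acs"
IDP_ENTITY_ID = "https://idp.example.net/metadata"


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _el(parent, ns, tag, attrs=None, text=None):
    e = ET.SubElement(parent, f"{{{ns}}}{tag}", attrs or {})
    if text is not None:
        e.text = text
    return e


def sp_build_authn_request(now):
    """SP side of task 1: build the AuthnRequest the browser relays to the IdP.
    The SP remembers the request ID so the Response can be tied back to it."""
    req_id = "_" + secrets.token_hex(16)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0", "IssueInstant": _ts(now),
        "AssertionConsumerServiceURL": SP_ACS_URL})
    _el(root, SAML, "Issuer", text=SP_ENTITY_ID)
    return req_id, ET.tostring(root, encoding="unicode")


def idp_handle_request(request_xml, authenticate, now, attributes=None, lifetime=300):
    """IdP side of tasks 1-3. `authenticate()` stands in for the IdP's login step
    and returns the principal's NameID, or None on failure. With `attributes`,
    an AttributeStatement is added and the IdP also acts as attribute authority."""
    req = ET.fromstring(request_xml)
    req_id, acs = req.get("ID"), req.get("AssertionConsumerServiceURL")
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": _ts(now),
        "Destination": acs, "InResponseTo": req_id})
    _el(resp, SAML, "Issuer", text=IDP_ENTITY_ID)
    principal = authenticate()                       # task 2
    _el(_el(resp, SAMLP, "Status"), SAMLP, "StatusCode",
        {"Value": SUCCESS if principal else AUTHN_FAILED})
    if principal is None:
        return ET.tostring(resp, encoding="unicode")  # failure: no assertion issued
    expiry = _ts(now + timedelta(seconds=lifetime))
    a = _el(resp, SAML, "Assertion", {"ID": "_" + secrets.token_hex(16),
                                      "Version": "2.0", "IssueInstant": _ts(now)})
    _el(a, SAML, "Issuer", text=IDP_ENTITY_ID)
    subj = _el(a, SAML, "Subject")
    _el(subj, SAML, "NameID", text=principal)
    _el(_el(subj, SAML, "SubjectConfirmation", {"Method": BEARER}), SAML,
        "SubjectConfirmationData", {"InResponseTo": req_id, "Recipient": acs, "NotOnOrAfter": expiry})
    cond = _el(a, SAML, "Conditions", {"NotBefore": _ts(now), "NotOnOrAfter": expiry})
    _el(_el(cond, SAML, "AudienceRestriction"), SAML, "Audience", text=req.findtext(f"{{{SAML}}}Issuer"))
    authn = _el(a, SAML, "AuthnStatement", {"AuthnInstant": _ts(now)})
    _el(_el(authn, SAML, "AuthnContext"), SAML, "AuthnContextClassRef", text=PASSWORD_PT)
    if attributes:
        st = _el(a, SAML, "AttributeStatement")
        for name, value in attributes.items():
            _el(_el(st, SAML, "Attribute", {"Name": name}), SAML, "AttributeValue", text=value)
    # A real IdP signs the Assertion and/or Response here (XML Signature); omitted
    # so that this example runs with the standard library alone.
    return ET.tostring(resp, encoding="unicode")


def sp_consume_response(response_xml, outstanding_ids, now):
    """SP side of task 3: accept the bearer assertion only after the required checks.
    Signature verification is NOT done here; production code must do it first."""
    resp = ET.fromstring(response_xml)
    if resp.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our ACS endpoint")
    if resp.get("InResponseTo") not in outstanding_ids:
        raise ValueError("no matching outstanding request (unsolicited or replayed)")
    if resp.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
        raise ValueError("response not issued by the trusted IdP")
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")
    if code != SUCCESS:
        raise ValueError(f"IdP reported failure: {code}")
    a = resp.find(f"{{{SAML}}}Assertion")
    if a is None or a.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
        raise ValueError("missing assertion or wrong assertion issuer")
    cond = a.find(f"{{{SAML}}}Conditions")
    if not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if cond.findtext(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience") != SP_ENTITY_ID:
        raise ValueError("assertion was issued for a different audience")
    scd = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
    if (scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != resp.get("InResponseTo")
            or now >= _parse_ts(scd.get("NotOnOrAfter"))):
        raise ValueError("bearer confirmation data does not match this SP/request")
    outstanding_ids.discard(resp.get("InResponseTo"))  # each request ID is single-use
    attrs = {att.get("Name"): att.findtext(f"{{{SAML}}}AttributeValue")
             for att in a.iter(f"{{{SAML}}}Attribute")}
    return a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID"), attrs


def run_sso(authenticate, attributes=None):
    """Drive one full exchange; returns (principal, attributes) or raises ValueError."""
    now = datetime.now(timezone.utc).replace(microsecond=0)
    req_id, req_xml = sp_build_authn_request(now)
    outstanding = {req_id}
    resp_xml = idp_handle_request(req_xml, authenticate, now, attributes)
    return sp_consume_response(resp_xml, outstanding, now)


def sso_error(authenticate, attributes=None):
    """Like run_sso, but returns the SP's rejection reason (None if accepted)."""
    try:
        run_sso(authenticate, attributes)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(run_sso(lambda: "alice", {"mail": "alice@example.org"}))
    print(sso_error(lambda: None))
```

The `authenticate` callback is where a real identity provider would check a password, a certificate or a second factor; returning None produces a Response with an AuthnFailed status and no assertion, which the service provider rejects. Passing an `attributes` dictionary adds an <saml:AttributeStatement> to the same assertion, the case the paragraph above describes where the identity provider is both authentication and attribute authority.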


References

  1. J. Hodges et al. Glossary for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard, March 2005. Document identifier: saml-glossary-2.0-os. http://docs.oasis-open.org/security/saml/v2.0/saml-glossary-2.0-os.pdf
  2. J. Hughes et al. Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard, March 2005. Document identifier: saml-profiles-2.0-os. http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf (for the latest working draft of this specification with errata, see https://www.oasis-open.org/committees/download.php/56782/sstc-saml-profiles-errata-2.0-wd-07.pdf)
  3. Metadata Schema for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard, March 2005. Document identifier: saml-schema-metadata-2.0. http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.