Glossary

A collection of useful terms used throughout the cookbook and more widely when working with SAML.

Basic Terms

Identity Provider

A tool that performs authentication. Shibboleth IdP and SimpleSAMLphp are identity providers.

This is frequently abbreviated to IdP.

Service Provider

A service that gets user information from the IdP and performs authorization. The examples in this repository are all service providers.

This is frequently abbreviated to SP.

Relying Party

A synonym for Service Provider.

This is sometimes abbreviated to RP.

Metadata

An XML configuration document with a strict format. Both the IdP and SP can generate metadata. Metadata can contain entries such as:

  • Entity Id

  • SSO Endpoint/ACS Endpoint

  • Description

  • Supported encryption/signing methods

SP Metadata URL Example:

https://app.service.com/saml2/metadata

IdP Metadata URL Example:

https://login.rit.edu/saml2/metadata

Entity Id

A globally unique URI (Uniform Resource Identifier) used to identify an IdP or SP. You should generate a new Entity Id for every environment (dev, test, stage, production) as well as for every service.

SP Entity Id Example:

https://app.service.com/saml2

IdP Entity Id Example:

https://login.rit.edu/saml2

SSO Endpoint

The IdP single sign-on endpoint. This is where the SP sends the user during login. This information can be found in your IdP metadata.

IdP SSO Endpoint Example:

https://login.rit.edu/saml2/redirect/sso

ACS Endpoint

The SP assertion consumer service. This is where the IdP sends the user after authentication and attribute filtering have taken place.

SP ACS Endpoint Example:

https://app.service.com/saml2/acs

Signing/Encryption

Messages exchanged between the IdP and SP can be encrypted (to keep their contents confidential) and signed (so the recipient can verify they have not been tampered with). By default, messages sent from the IdP to the ACS should be both encrypted and signed.
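The Metadata, Entity Id, SSO Endpoint, ACS Endpoint and Signing/Encryption entries above all describe fields that live in the same XML document. The following is an added example, not code from the cookbook: it parses SAML 2.0 metadata with Python's standard ElementTree, pulls those fields out, and checks an SP/IdP pair against the default of signed, encrypted assertions to the ACS. The metadata documents, the `parse_metadata` and `check_pair` names, and the certificate body are all constructed for this example (the hostnames are the glossary's own); a third, deliberately misconfigured SP document shows what the check reports.

```python
"""Pull the glossary's entries (Entity Id, SSO endpoint, ACS endpoint, and the
signing/encryption keys) out of SAML 2.0 metadata and sanity-check an SP/IdP
pair against the 'signed and encrypted to the ACS' default.

Added example for the glossary, not code from the cookbook.  All three metadata
documents are constructed samples that reuse the glossary's example URLs; the
certificate body is a placeholder, not a real certificate."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
CERT = "MIIC...CONSTRUCTED-PLACEHOLDER..."  # stands in for a base64 X.509 certificate


def _key_descriptor(use=None):
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    attr = f' use="{use}"' if use else ""
    return (f"<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
            f"{CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")


IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://login.rit.edu/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="{PROTO}">
    {_key_descriptor('signing')}
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.rit.edu/saml2/redirect/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# SP as the glossary recommends: requires signed assertions and publishes an encryption key.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://app.service.com/saml2">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="{PROTO}">
    {_key_descriptor('signing')}
    {_key_descriptor('encryption')}
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.service.com/saml2/acs" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# The same SP misconfigured: no encryption key, signed assertions not required, plain-http ACS.
SP_METADATA_WEAK = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://app.service.com/saml2">
  <md:SPSSODescriptor WantAssertionsSigned="false" protocolSupportEnumeration="{PROTO}">
    {_key_descriptor('signing')}
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://app.service.com/saml2/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_metadata(xml_text):
    """Return the glossary fields for one EntityDescriptor (IdP or SP)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    role = idp if idp is not None else sp
    if role is None:
        raise ValueError("metadata carries neither an IdP nor an SP role")
    info = {"entity_id": root.get("entityID"), "role": "IdP" if role is idp else "SP",
            "sso": {}, "acs": {}, "keys": {"signing": 0, "encryption": 0},
            "wants_signed_assertions": role.get("WantAssertionsSigned") == "true"}
    for kd in role.findall("md:KeyDescriptor", NS):
        for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):
            if use in info["keys"]:
                info["keys"][use] += 1
    # Endpoints keyed by the short binding name, e.g. "HTTP-Redirect" -> URL.
    for tag, bucket in (("SingleSignOnService", "sso"), ("AssertionConsumerService", "acs")):
        for ep in role.findall(f"md:{tag}", NS):
            info[bucket][ep.get("Binding", "").rsplit(":", 1)[-1]] = ep.get("Location")
    return info


def check_pair(sp, idp):
    """Findings that would break the default of signed, encrypted assertions to the ACS."""
    findings = []
    if sp["role"] != "SP" or idp["role"] != "IdP":
        findings.append("roles are missing or swapped between the two documents")
    if sp["entity_id"] == idp["entity_id"]:
        findings.append("SP and IdP share an Entity Id; it must be globally unique")
    if idp["keys"]["signing"] == 0:
        findings.append("IdP publishes no signing key, so the SP cannot verify assertions")
    if sp["keys"]["encryption"] == 0:
        findings.append("SP publishes no encryption key, so the IdP cannot encrypt to it")
    if not sp["wants_signed_assertions"]:
        findings.append('SP does not set WantAssertionsSigned="true"')
    if not idp["sso"]:
        findings.append("IdP metadata has no SingleSignOnService endpoint")
    if not sp["acs"]:
        findings.append("SP metadata has no AssertionConsumerService endpoint")
    for name, url in list(idp["sso"].items()) + list(sp["acs"].items()):
        if not (url or "").startswith("https://"):
            findings.append(f"{name} endpoint {url} is not served over https")
    return findings
```

Running `check_pair(parse_metadata(SP_METADATA), parse_metadata(IDP_METADATA))` returns no findings, while the weak SP document produces three: the missing encryption key, the unset `WantAssertionsSigned`, and the plain-http ACS location. Real metadata is fetched from the URLs in the Metadata entry and is itself usually signed; this example only inspects the document's content and does not verify that signature.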

Advanced Terms

Subject

A subject is the grouping of related information about a single entity, including its identity. For example, a person is a subject whose attributes might include height, eye color, birthday, name and social security number.

Principal

A principal is an identifier for a Subject. A person's principal could be something like their driver's license number, social security number, or email address.
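In a SAML assertion the Principal arrives as the `NameID` inside the `Subject` element, while the rest of the Subject's information arrives as attributes. The following is an added example, not code from the cookbook, showing how an SP separates the two and confirms the assertion was addressed to its own Entity Id and ACS endpoint. The assertion, its person, IDs and timestamps are all constructed; the `extract_subject` and `check_addressed_to` names are this example's own; and the code assumes the assertion's signature has already been verified and its time window checked by the SP's SAML library before it reaches this point.

```python
"""Separate the Principal (the NameID) from the rest of the Subject (its
attributes) in a SAML 2.0 assertion, and check that the assertion names this
SP's Entity Id as audience and this SP's ACS endpoint as recipient.

Added example for the glossary, not code from the cookbook.  The assertion is
a constructed sample; signature and validity-window checks are assumed to
have been done upstream by the SP's SAML library."""
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: made-up person, ID and timestamps; glossary hostnames.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-0001" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://login.rit.edu/saml2</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ada.lovelace@example.edu</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://app.service.com/saml2/acs"
          NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.service.com/saml2</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
      <saml:AttributeValue>Ada</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4" FriendlyName="sn">
      <saml:AttributeValue>Lovelace</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_subject(xml_text):
    """Return the principal, the subject's attributes, and the addressing fields."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", SAML)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID, so there is no principal to act on")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML):
        key = attr.get("FriendlyName") or attr.get("Name")  # prefer the human-readable name
        attrs[key] = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML)]
    return {
        "issuer": (root.findtext("saml:Issuer", default="", namespaces=SAML) or "").strip(),
        "principal": name_id.text.strip(),
        "principal_format": name_id.get("Format"),
        "attributes": attrs,
        "audiences": [(a.text or "").strip() for a in
                      root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML)],
        "recipients": [c.get("Recipient") for c in
                       root.findall("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML)],
    }


def check_addressed_to(subject, sp_entity_id, sp_acs, idp_entity_id):
    """Reject an assertion issued by a different IdP or meant for a different SP or ACS."""
    problems = []
    if subject["issuer"] != idp_entity_id:
        problems.append(f"issuer {subject['issuer']!r} is not the expected IdP Entity Id")
    if sp_entity_id not in subject["audiences"]:
        problems.append(f"audience does not include this SP's Entity Id {sp_entity_id}")
    if sp_acs not in subject["recipients"]:
        problems.append(f"no SubjectConfirmationData names this ACS endpoint {sp_acs}")
    return problems
```

The audience check is what makes the per-environment Entity Id advice above enforceable: an assertion minted for the production Entity Id is rejected by a dev SP with its own Entity Id even though the same IdP signed it.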