Security Assertion Markup Language (SAML)
- is an XML-based framework for authentication and authorization
- supports multiple authentication methods (e.g. Single Sign-On (SSO) across multiple sites)
Introduction
Authentication Entities
Authentication/authorization/delegation entities/actors:

| Entity/Actor | Description |
|---|---|
| Resource Owner (RO) / End-User / Principal | the entity that is in control of the data exposed by the API, typically an end-user |
| Client / Relying-Party (RP) | the mobile app, website, etc. that wants to access data on behalf of the Resource Owner |
| Authorization/OAuth Server/Service (AS) / Identity-Provider (IdP) / OpenID Provider | a combination (or sometimes a separation) of an Authentication Server, which authenticates the End-User, and a Security Token Service (STS) or Token Endpoint, which issues tokens (e.g. Access Tokens, Refresh Tokens, ID Tokens) |
| Resource/UserInfo Server/Provider (RS) / Service-Provider (SP) | the service/application/resource that exposes the protected resource/API, requires authentication/authorization of any principal wishing to access it, and agrees to trust the Identity-Provider to authenticate the Client |
NOTE: This is one of many grant flows (the diagram above portrays the Implicit Flow of OAuth & OpenID Connect).
Authentication Process
The information sent from the Identity-Provider to the User is known as an assertion.
Flow 1 - Service Provider Initiated (SP-Initiated) SSO
Flow 2 - Identity Provider Initiated (IdP-Initiated) SSO
TODO, see:

-tokens/saml-flow-diagram.png)
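The assertion mentioned above is only useful to the Service Provider if it came from the trusted Identity Provider, was issued for this SP, and is still within its validity window. The following is an added example (not from these notes or any SAML library) of those SP-side checks on a constructed SAML 2.0 assertion; the entity IDs, the NameID and the timestamps are constructed samples, and it assumes the XML signature has already been verified by the SAML library in use.

```python
# Added example, not from the original notes: the checks a Service Provider (SP)
# applies to a SAML 2.0 assertion received from the Identity Provider (IdP).
# Entity IDs and the assertion are constructed samples. Assumption: the XML
# signature has already been verified by the SAML library in use; this code
# covers only the trust relationship (issuer, audience) and validity window.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_IDP = "https://idp.example.org/saml"   # constructed IdP entity ID
SP_ENTITY_ID = "https://sp.example.com/saml"   # constructed SP entity ID

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_ts(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now, trusted_idp=TRUSTED_IDP, sp_id=SP_ENTITY_ID):
    """Return (True, NameID) if the SP should accept the assertion, else (False, reason)."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_idp:                      # only the configured IdP is trusted
        return False, f"untrusted issuer: {issuer}"
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return False, "missing Conditions or validity window"
    if now < parse_ts(cond.get("NotBefore")) or now >= parse_ts(cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_id not in audiences:                     # assertion issued for another SP
        return False, f"not addressed to this SP: {audiences}"
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "missing Subject NameID"
    return True, name_id

if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, parse_ts("2024-01-01T12:01:00Z")))
```

A real SP additionally verifies the signature and enforces replay protection on the assertion ID before any of these checks count.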