SAML Identity Provider (IdP)

A SAML Identity Provider (IdP) is the trusted authority that authenticates users and issues signed SAML assertions to Service Providers (SPs), which rely on the IdP's signature rather than authenticating the user themselves. Common IdPs include Okta, Azure AD, OneLogin, and ADFS.

IdP Responsibilities

  • Authenticate users (passwords, MFA, etc.)
  • Maintain user directory/attributes
  • Generate and sign SAML assertions
  • Handle single sign-on requests from SPs
  • Manage single logout

IdP-Initiated Flow

// User logs into IdP portal
POST /login
username=user&password=secret

// User clicks on application tile
// IdP builds a Response carrying a signed assertion without any prior
// AuthnRequest from the SP, and posts it to the SP's Assertion Consumer Service (ACS)
POST https://sp.example.com/saml/acs
SAMLResponse=PHNhbWxwOlJlc3Bvb...

Assertion Generation

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                Version="2.0" ID="_example-assertion-id"
                IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <ds:Signature>
    <!-- XML-DSig over the assertion, signed with the IdP's private key -->
  </ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
      user@example.com
    </saml:NameID>
  </saml:Subject>
  <!-- Validity window and intended SP (example values) -->
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
                   NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>

Security Considerations

  • Protect the private signing key; anyone holding it can mint assertions for any user
  • Use strong signature algorithms (RSA-SHA256 or stronger; do not accept SHA-1)
  • Include proper time constraints (NotBefore/NotOnOrAfter) and an AudienceRestriction in assertions
  • Validate SP metadata (entityID, ACS URL, certificate) before trusting it
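The following is an added example, not code from the original page: it builds an assertion with the structure shown in the Assertion Generation section above (Issuer, Signature, Subject, Conditions, AttributeStatement) and then checks it against the security considerations just listed (signature present, RSA-SHA256 rather than RSA-SHA1, time window and audience). It uses only the Python standard library. Assumptions: the idp.example.com / sp.example.com / user@example.com values are the page's placeholders; the assertion ID and timestamps are constructed; and the XML-DSig signature value is a placeholder, because computing and verifying it requires an XML-DSig library (for example signxml or python3-saml), which validate_assertion() deliberately does not replace.

```python
"""Build a minimal SAML 2.0 assertion and check it against IdP security policy.

Added example, not code from the original page. The signature is not
computed here; validate_assertion() inspects the declared algorithm and the
Conditions only, and a real SP must verify the XML-DSig before trusting any
value read from the assertion."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"  # legacy, rejected below
STRONG_ALGS = {RSA_SHA256}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"  # SAML uses UTC xs:dateTime with a trailing Z

ET.register_namespace("saml", SAML)
ET.register_namespace("ds", DS)


def build_assertion(issuer, audience, name_id, attributes, now,
                    lifetime_s=300, sig_alg=RSA_SHA256):
    """Return an Assertion element with Issuer, Signature placeholder,
    Subject, Conditions (time window + AudienceRestriction) and attributes."""
    a = ET.Element(f"{{{SAML}}}Assertion", {
        "Version": "2.0",
        "ID": "_example-assertion-id",  # constructed; real IdPs use a random ID
        "IssueInstant": now.strftime(TS_FMT),
    })
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    sig = ET.SubElement(a, f"{{{DS}}}Signature")
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(info, f"{{{DS}}}SignatureMethod", {"Algorithm": sig_alg})
    # The real value is produced over the canonicalised assertion with the
    # IdP's private key; here it is only a placeholder.
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = "PLACEHOLDER"
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    }).text = name_id
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": now.strftime(TS_FMT),
        "NotOnOrAfter": (now + timedelta(seconds=lifetime_s)).strftime(TS_FMT),
    })
    ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(ar, f"{{{SAML}}}Audience").text = audience
    st = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    for name, value in attributes.items():
        attr = ET.SubElement(st, f"{{{SAML}}}Attribute", {"Name": name})
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return a


def validate_assertion(xml_bytes, expected_issuer, expected_audience, now,
                       clock_skew_s=60):
    """Return a list of policy problems; an empty list passes these checks."""
    problems = []
    ns = {"saml": SAML, "ds": DS}
    a = ET.fromstring(xml_bytes)
    if a.findtext("saml:Issuer", namespaces=ns) != expected_issuer:
        problems.append("unexpected issuer")
    sm = a.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", ns)
    if sm is None:
        problems.append("assertion is unsigned")
    elif sm.get("Algorithm") not in STRONG_ALGS:
        problems.append(f"weak signature algorithm {sm.get('Algorithm')}")
    cond = a.find("saml:Conditions", ns)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        problems.append("missing NotBefore/NotOnOrAfter")
    else:
        skew = timedelta(seconds=clock_skew_s)
        nb = datetime.strptime(cond.get("NotBefore"), TS_FMT).replace(tzinfo=timezone.utc)
        na = datetime.strptime(cond.get("NotOnOrAfter"), TS_FMT).replace(tzinfo=timezone.utc)
        # Allow a small clock skew, but never accept an expired assertion.
        if now + skew < nb or now - skew >= na:
            problems.append("assertion outside its validity window")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", ns)]
        if expected_audience not in audiences:
            problems.append("audience mismatch")
    return problems


def demo(now=None):
    """Check a good assertion and three deliberately flawed situations."""
    now = now or datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    idp, sp, user = "https://idp.example.com", "https://sp.example.com", "user@example.com"
    good = ET.tostring(build_assertion(idp, sp, user, {"role": "admin"}, now))
    weak = ET.tostring(build_assertion(idp, sp, user, {"role": "admin"}, now, sig_alg=RSA_SHA1))
    return {
        "good": validate_assertion(good, idp, sp, now),
        "weak_alg": validate_assertion(weak, idp, sp, now),
        "expired": validate_assertion(good, idp, sp, now + timedelta(hours=1)),
        "wrong_audience": validate_assertion(good, idp, "https://other.example.com", now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result or "ok")
```

The short lifetime (five minutes here) and the AudienceRestriction are what limit the damage if an assertion is captured or misrouted: an assertion for one SP is rejected by every other, and one replayed later falls outside its window. The clock-skew allowance is deliberately small; a generous skew silently lengthens every assertion's lifetime.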

See Also