SAML Identity Provider (IdP) is the trusted authority that authenticates users and issues signed SAML assertions to Service Providers. Common IdPs include Okta, Azure AD, OneLogin, and ADFS. Everything a Service Provider trusts rests on the IdP's signing key and on the IdP scoping each assertion to the correct SP.
IdP Responsibilities
- Authenticate users (passwords, MFA)
- Issue signed assertions (see SAML Assertion for structure)
- Apply an attribute-release policy per SP
- Maintain the SSO session and drive Single Logout
Assertion Signing and Key Rotation
The IdP signs assertions with its private key; every SP verifies against the matching certificate published in IdP metadata. Because that key underpins all trust:
- Sign with RSA-SHA256 or stronger and protect the private key in an HSM or KMS.
- Rotate signing keys on a schedule and after any suspected exposure.
- Publish overlapping certificates in metadata during rotation so SPs can verify the old and new key at once, then retire the old one after all SPs refresh. Sign each response with a single key and advertise it via the
<ds:KeyInfo> so SPs pick the right certificate.
Scoping Each Assertion to One SP
The IdP is responsible for setting the fields that stop a valid assertion from being replayed to the wrong SP. These must reflect the SP the user is actually signing in to:
- Audience: set
<saml:Audience> to the target SP's entity ID.
- Recipient: set the SubjectConfirmationData
Recipient to that SP's ACS URL.
- Lifetime: use tight
NotBefore/NotOnOrAfter windows so a captured assertion expires quickly.
A wildcard or overly broad Audience lets any SP that trusts this IdP accept the assertion, which is what makes cross-SP assertion replay possible.
Attribute Release
- Release only the attributes each SP needs, configured per SP rather than globally.
- Use a stable, non-reassignable NameID (persistent or a directory GUID) so an SP cannot inherit another user's account if an email or username is later reused.
Session and Single Logout
- The IdP session length governs silent re-authentication; a long-lived IdP session means an SP re-request can succeed without a fresh login prompt.
- Support Single Logout (SLO) so terminating the IdP session propagates to connected SPs, and sign LogoutRequest/LogoutResponse messages.
See Also