Security Glossary

SAML Identity Provider (IdP)

The trusted authority that authenticates users and issues SAML assertions to service providers in a single sign-on system.

A SAML Identity Provider (IdP) is the trusted authority that authenticates users and issues signed SAML assertions to Service Providers (SPs), which rely on the IdP's signature rather than re-authenticating the user. Common IdPs include Okta, Azure AD (now Microsoft Entra ID), OneLogin, and AD FS.

IdP Responsibilities

  • Authenticate users (passwords, MFA, etc.)
  • Maintain user directory/attributes
  • Generate and sign SAML assertions
  • Handle single sign-on requests (AuthnRequests) from SPs
  • Manage single logout (SLO) across the SPs a session was issued to

IdP-Initiated Flow

// User authenticates at the IdP portal
POST /login
username=user&password=secret

// User clicks an application tile. The IdP generates the assertion without a
// prior AuthnRequest from the SP, so there is no InResponseTo and the SP cannot
// tie the response to a request it made; it must rely entirely on the signature,
// Audience, Recipient and time constraints. The IdP auto-posts the response to
// the SP's registered ACS URL:
POST https://sp.example.com/saml/acs
SAMLResponse=PHNhbWxwOlJlc3Bvb...

Assertion Generation

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_unique-random-id" Version="2.0"
                IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <!-- Enveloped XML-DSig (e.g. rsa-sha256) over this Assertion, made with the
         IdP's private key; the SP verifies it with the IdP certificate from metadata -->
  </ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <!-- No InResponseTo in the IdP-initiated flow: there was no AuthnRequest -->
      <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"
                                    NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>

Security Considerations

  • Protect the private signing key: keep it in an HSM or KMS where possible, and rotate it by publishing the new certificate in IdP metadata before cutting over
  • Use strong signature algorithms (RSA-SHA256 or better) and sign the Assertion element itself, not only the enclosing Response; do not sign with or accept SHA-1
  • Include proper time constraints in assertions: a short NotBefore/NotOnOrAfter window (minutes, not hours), a unique ID so the SP can detect replay, and an AudienceRestriction and Recipient naming the one SP and ACS URL the assertion is for
  • Validate SP metadata before trust: post assertions only to ACS URLs registered for that SP, over HTTPS, and never to a destination supplied in the request
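
The following Go program is an added example, not code from this glossary or from any IdP vendor. It puts the Assertion Generation sketch and the Security Considerations above side by side: Issue is the IdP side (unique ID, short NotBefore/NotOnOrAfter window, Audience and Recipient, RSA-SHA256 signature with the private key, no InResponseTo because the flow is IdP-initiated), and SP.Validate is the consuming side's checklist, which trusts nothing in the XML before the signature verifies. The entity IDs and ACS URL, the 5-minute lifetime and the 30-second clock skew are assumptions. One technique is swapped in plainly: a detached RSA-SHA256 signature over the serialized assertion bytes stands in for XML-DSig's enveloped <ds:Signature>, which needs exclusive canonicalization from a SAML library; the trust model (only the IdP holds the private key, the SP verifies with the public key from metadata) is the same.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"fmt"
	"sync"
	"time"
)

// Assertion models the subset of <saml:Assertion> that the SP-side checks use.
type Assertion struct {
	XMLName      xml.Name         `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	ID           string           `xml:"ID,attr"`
	Issuer       string           `xml:"Issuer"`
	NameID       string           `xml:"Subject>NameID"`
	Confirmation ConfirmationData `xml:"Subject>SubjectConfirmation>SubjectConfirmationData"`
	Conditions   Conditions       `xml:"Conditions"`
}
type ConfirmationData struct {
	Recipient string `xml:"Recipient,attr"` // the only ACS URL this assertion may be posted to
}
type Conditions struct {
	NotBefore    string `xml:"NotBefore,attr"`
	NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	Audience     string `xml:"AudienceRestriction>Audience"` // the only SP that may consume it
}

// SignedAssertion is the serialized assertion plus an RSA-SHA256 signature over its bytes:
// a detached stand-in for XML-DSig's enveloped <ds:Signature>, which needs exclusive C14N.
type SignedAssertion struct{ XML, Signature []byte }

// Issue is the IdP side: build a 5-minute assertion for one user and one SP and sign it
// with the IdP private key. IdP-initiated, so no InResponseTo ties it to an SP request.
func Issue(key *rsa.PrivateKey, issuer, user, spEntityID, acsURL string, now time.Time) (SignedAssertion, error) {
	id := make([]byte, 16) // unique per assertion so the SP can reject replays
	if _, err := rand.Read(id); err != nil {
		return SignedAssertion{}, err
	}
	notBefore, notOnOrAfter := now.UTC().Format(time.RFC3339), now.UTC().Add(5*time.Minute).Format(time.RFC3339)
	body, err := xml.Marshal(Assertion{
		ID: "_" + hex.EncodeToString(id), Issuer: issuer, NameID: user,
		Confirmation: ConfirmationData{Recipient: acsURL},
		Conditions:   Conditions{NotBefore: notBefore, NotOnOrAfter: notOnOrAfter, Audience: spEntityID},
	})
	if err != nil {
		return SignedAssertion{}, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return SignedAssertion{XML: body, Signature: sig}, err
}

// SP is the consuming side: IdP public key from metadata, expected issuer, own identifiers, clock skew, replay cache.
type SP struct {
	IdPKey               *rsa.PublicKey
	IdPID, EntityID, ACS string
	Skew                 time.Duration
	seen                 sync.Map
}

// Validate runs the SP-side checklist: nothing in the XML is trusted before the signature
// verifies; after that every constraint the IdP set is enforced, replay last.
func (s *SP) Validate(sa SignedAssertion, now time.Time) (*Assertion, error) {
	digest := sha256.Sum256(sa.XML)
	if err := rsa.VerifyPKCS1v15(s.IdPKey, crypto.SHA256, digest[:], sa.Signature); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	var a Assertion
	if err := xml.Unmarshal(sa.XML, &a); err != nil {
		return nil, err
	}
	if a.Issuer != s.IdPID || a.Conditions.Audience != s.EntityID || a.Confirmation.Recipient != s.ACS {
		return nil, fmt.Errorf("not issued by %s for %s at %s", s.IdPID, s.EntityID, s.ACS)
	}
	nb, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	na, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil || now.Add(s.Skew).Before(nb) || !now.Add(-s.Skew).Before(na) {
		return nil, fmt.Errorf("outside validity window %s to %s", a.Conditions.NotBefore, a.Conditions.NotOnOrAfter)
	}
	if _, dup := s.seen.LoadOrStore(a.ID, true); dup { // only otherwise-valid assertions get cached
		return nil, fmt.Errorf("assertion %s already consumed", a.ID)
	}
	return &a, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	sp := &SP{IdPKey: &key.PublicKey, IdPID: "https://idp.example.com", EntityID: "https://sp.example.com", ACS: "https://sp.example.com/saml/acs", Skew: 30 * time.Second}
	sa, _ := Issue(key, sp.IdPID, "user@example.com", sp.EntityID, sp.ACS, time.Now())
	a, err := sp.Validate(sa, time.Now())
	fmt.Printf("first delivery: %+v %v\n", a, err)
	_, err = sp.Validate(sa, time.Now())
	fmt.Println("second delivery of the same assertion:", err)
}
```

The order inside Validate is deliberate: the signature is checked over the raw bytes before anything is parsed, the Issuer, Audience and Recipient checks reject an assertion minted for a different SP or ACS even though it is genuinely signed, the time window is checked with a small skew allowance, and the ID is only recorded in the replay cache once everything else has passed, so a rejected assertion cannot poison the cache. A real SAML library does the same checks on the XML-DSig form and must additionally guard against signature wrapping, which is why the signed element, not the whole document, is the thing to validate.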

See Also