SAML Protocol Terminologies

Assertion: Refers to the SAML assertion (SAML token/response). It is an XML document returned by the Identity Provider to the Service Provider after authenticating the user. The assertion contains specific user information and is digitally signed, confirming the user’s authentication.

Assertion Consumer Service (ACS) endpoint: This is the endpoint where the Service Provider receives SAML assertions issued by the Identity Provider. What arrives at the ACS is either the <Response> message itself (HTTP POST binding) or an artifact that references it (HTTP Artifact binding).

Artifact: A SAML Artifact is a unique ID used by the Service Provider and Identity Provider to reference a specific user session or transaction. It is particularly useful when the SAML requester and responder communicate through an HTTP user agent (the browser) and prefer not to transmit the entire message through it.

Artifact Resolution Service (ARS): A service required to use the HTTP Artifact binding for single sign-on SAML response messages. The ARS, located on the Identity Provider side, allows retrieval of the full message using the artifact.

Attributes: One or more values used to identify users with the Identity Provider. Examples include firstname, lastname, email address, username, and password.

Base URL: The foundational URL for your implementation, in the format: {protocol_scheme}://{host}:{port}. It serves as the container address where the SAML Web SSO feature is initialized and where the OAuth Provider feature is running.

Some Identity Providers send error messages to the default URL specified in the Service Provider metadata file instead of the specific URL where the error occurred. To handle this, the platform constructs a default endpoint using the base URL for your implementation.

Entity ID: A unique identifier for a SAML entity, which can be either a Service Provider or an Identity Provider. As a Service Provider, you define your Entity ID and specify it when setting up your account with the Identity Provider.

The Entity ID is used as the value of the <Issuer> element in the SAML protocol message. In an authentication request, it represents the Service Provider, and in the SAML response, it represents the Identity Provider. From the Service Provider’s perspective, the Entity ID is similar to the client_id in OAuth.
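As an added example (not part of this glossary or of any particular SAML product), the following Python shows the structural checks a Service Provider makes on a received Assertion before trusting it, tying together the terms above: the <Issuer> must equal the IdP's Entity ID, the Destination must be our own ACS endpoint, the Audience must be our own Entity ID, and a signature must be present. The sample Response, the entity IDs and the ACS URL are constructed for illustration; cryptographic verification of the signature needs an XML-DSig library and is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# XML namespaces for SAML 2.0 protocol, assertion, and XML-DSig
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_response(xml_text, idp_entity_id, sp_entity_id, acs_url, now=None):
    """Return the list of reasons an SP should reject this <Response>.
    Checks Issuer (IdP Entity ID), Destination (our ACS endpoint), Audience
    (our Entity ID), validity window, and signature presence. Verifying the
    <ds:Signature> itself needs an XML-DSig library (e.g. xmlsec)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp_entity_id:
        problems.append(f"unexpected Issuer {issuer!r}")
    if root.get("Destination") != acs_url:
        problems.append("Destination is not our ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion in Response")
        return problems
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp_entity_id:
        problems.append(f"Audience {audience!r} is not our Entity ID")
    conditions = assertion.find("saml:Conditions", NS)
    expiry = conditions.get("NotOnOrAfter") if conditions is not None else None
    if expiry and now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
        problems.append("assertion has expired")
    return problems

# Constructed sample Response (not from a real IdP); deliberately unsigned.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
    <saml:Conditions NotOnOrAfter="2030-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Running `check_response(SAMPLE, "https://idp.example.org/idp", "https://sp.example.com", "https://sp.example.com/saml/acs")` on the unsigned sample reports only the missing signature; swapping any of the three identifiers produces the corresponding mismatch.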

HTTP Artifact: A binding option in the SAML protocol where the SAML requester and responder exchange a SAML Artifact, a unique ID, instead of transmitting the entire message through the user agent. The recipient of the Artifact then uses it to retrieve the complete message from the sender's Artifact Resolution Service.

HTTP POST: Another binding option in the SAML protocol, where the SAML message is carried as a form parameter in the body of an HTTP POST request.

HTTP Redirect: A binding option in the SAML protocol that involves redirecting the user from the Service Provider to the Identity Provider for login and back. It requires the User-Agent (usually a browser) to intervene.

Identity Provider (IdP): The entity responsible for verifying the identity of users in response to a request from the Service Provider. It authenticates the user’s identity based on credentials such as username and password.

IdP (Abbreviation for Identity Provider): Short form for Identity Provider.

SAML: Acronym for Security Assertion Markup Language. It is an XML-based identity federation standard facilitating single sign-on. SAML enables the exchange of authentication and authorization data between a Service Provider and an Identity Provider.

SAML Web SSO: Single sign-on over the Web using the SAML Web Browser SSO Profile. It enables users to sign in once for multiple systems instead of logging in separately to each one.

Service Provider (SP): In the context of SAML, the Service Provider offers services to users and allows them to sign in using SAML. When a user attempts to sign in, the SP sends a SAML authentication request to the Identity Provider, which validates the request, authenticates the user, and creates a SAML assertion representing the user’s identity.

SSO (Abbreviation for single sign-on): A feature that allows users to sign in once and access multiple systems without signing in separately to each one. The Service Provider uses an Identity Provider to verify the user’s identity.

SP (Abbreviation for Service Provider): Short form for Service Provider.