Common SAML Terms
Published: May 16, 2017   -   Updated: May 23, 2017

See also: Beginner's Guide To SAML

Some common SAML terms:

Assertion: data provided by the IdP that supplies one or more of the following statements to a service provider:

  • Authentication statements assert that the user specified in the assertion actually did authenticate successfully, and what time they did so.
  • Attribute statements supply attribute values pertaining to the user. The NameID attribute is required and specifies the username, but other attributes can be manually configured as well.
  • Authorization decision statements declare that a request to allow the assertion subject to access the specified resource has been granted or denied.

Assertion Consumer Service (ACS): the service provider's endpoint (URL) that is responsible for receiving and parsing a SAML assertion.  Keep in mind that some service providers use a different term for the ACS.  In the Okta SAML template, this is entered in the Single Sign On URL field.

Attribute: a set of data about a user, such as username, first name, employee ID, etc.

Audience Restriction: a value within the SAML assertion that specifies who (and only who) the assertion is intended for. The "audience" will be the service provider and is typically a URL, but can technically be formatted as any string of data. If this value is not provided by the SP, try using the ACS.

Default Relay State: the URL that users will be directed to after a successful authentication through SAML.

Endpoint: the URLs that are used when Service Providers and Identity Providers communicate with one another.

Entity ID: a globally unique name for an Identity Provider or a Service Provider.  A unique Okta Entity ID is generated for each application, and is referred to as the Identity Provider Issuer in the Okta application's Setup Instructions.

Identity Provider (IdP): the authority that verifies and asserts a user's identity and access to a requested resource (the "Service Provider").

Metadata: a set of information supplied by the IdP to the SP, and/or vice versa, in XML format.

  • SP-supplied metadata will typically provide the ACS, the Audience Restriction, the NameID format, and an X.509 certificate if the assertion needs to be encrypted. At this time, SP-supplied metadata files cannot be imported into Okta.
  • IdP-supplied metadata will provide the Single Sign On URL, the Entity ID and the X.509 certificate file required by the SP to decrypt the assertion.

NameID: an attribute within the assertion that is used to specify the username.

Service Provider (SP): the hosted resource or service that the user intends to access, such as Box, Workday, Salesforce, a custom application, etc.

Single Sign On URL: the endpoint that is dedicated to handling SAML transactions.  In the Okta SAML template setup screen, the SSO URL refers to the service provider's ACS.
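As an added example (not part of this Okta article), the following Python snippet parses a constructed sample assertion and pulls out the terms defined above (Issuer/Entity ID, NameID, Audience Restriction, authentication statement time and attribute statement values), then applies the Audience Restriction check an SP is expected to make. The issuer, audience and user values are placeholders, and signature verification is outside what this snippet covers.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace used by the sample below.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from a real IdP): issuer, audience and
# user values are placeholders; a real assertion would also be signed.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" IssueInstant="2017-05-16T12:00:00Z" Version="2.0">
  <saml:Issuer>http://www.okta.com/exampleIssuerId</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2017-05-16T11:55:00Z" NotOnOrAfter="2017-05-16T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2017-05-16T11:59:30Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="employeeId"><saml:AttributeValue>E1234</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Extract the glossary fields: Issuer (the IdP's Entity ID), NameID,
    Audience Restriction values, authentication time and attributes."""
    root = ET.fromstring(xml_text)
    authn = root.find("saml:AuthnStatement", NS)
    audience_path = "saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audiences": [a.text for a in root.findall(audience_path, NS)],
        "authn_instant": authn.get("AuthnInstant") if authn is not None else None,
        "attributes": {
            attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
            for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)
        },
    }


def audience_ok(parsed, sp_entity_id):
    """Audience Restriction check: accept only if the SP's own Entity ID is
    among the audiences; an assertion with no audience listed is rejected."""
    return sp_entity_id in parsed["audiences"]
```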
