Some common SAML terms:
Assertion: an XML document issued by the IdP (normally signed with the IdP's private key) that supplies one or more of the following statements to a service provider:
- Authentication statements assert that the subject of the assertion actually did authenticate successfully, and at what time.
- Attribute statements supply attribute values pertaining to the user. The NameID (the username) is required, but it is carried in the assertion's Subject element rather than in the attribute statement; additional attributes can be manually configured as well.
- Authorization decision statements declare that a request to allow the assertion subject to access the specified resource has been granted or denied.
Assertion Consumer Service (ACS): the service provider's endpoint (URL) that is responsible for receiving and parsing a SAML assertion. Keep in mind that some service providers use a different term for the ACS. In the Okta SAML template, this is entered in the Single Sign On URL field. A well-behaved ACS also checks that the assertion's Recipient value matches its own URL before accepting it.
Attribute: a piece of data about a user, such as username, first name, employee ID, etc.
Audience Restriction: a value within the SAML assertion that specifies who (and only who) the assertion is intended for. The "audience" is the service provider, usually identified by its Entity ID; it is typically a URL but can technically be any string. If this value is not provided by the SP, try using the ACS URL. Whatever value is agreed on, the SP must reject assertions whose audience does not match its own identifier; otherwise an assertion the IdP issued for a different SP could be replayed against it.
Default Relay State: the URL that users are directed to after a successful authentication through SAML. Because this value arrives with the SAML response, the SP should only redirect to relay-state values it trusts, or an attacker-supplied value becomes an open redirect.
Endpoint: the URLs that Service Providers and Identity Providers use to communicate with one another.
Entity ID: a globally unique name for an Identity Provider or a Service Provider. A unique Okta Entity ID is generated for each application, and is referred to as the Identity Provider Issuer in the Okta application's Setup Instructions.
Identity Provider (IdP): the authority that verifies and asserts a user's identity and access to a requested resource (the "Service Provider")
Metadata: a set of information about a SAML party, in XML format, supplied by the IdP to the SP and/or vice versa.
- SP-supplied metadata will typically provide the ACS, the Audience Restriction (the SP's Entity ID), the NameID format, and an X.509 certificate if the assertion needs to be encrypted for the SP. At this time, SP-supplied metadata files cannot be imported into Okta.
- IdP-supplied metadata will provide the Single Sign On URL, the Entity ID and the X.509 certificate whose public key the SP uses to verify the IdP's signature on the assertion (the SP does not use it to decrypt anything).
NameID: the element in the assertion's Subject that identifies the user, typically carrying the username or email address. Its Format attribute (for example emailAddress, persistent or unspecified) tells the SP how to interpret the value.
Service Provider (SP): the hosted resource or service that the user intends to access, such as Box, Workday, Salesforce, a custom application, etc.
Single Sign On URL: the endpoint that is dedicated to handling SAML transactions. In the Okta SAML template setup screen, the SSO URL refers to the service provider's ACS.