Common SAML Terms
Published: May 16, 2017   -   Updated: Jun 22, 2018

See also the Beginner's Guide To SAML.

Some common SAML terms:

Assertion: data provided by the IdP that supplies one or more of the following statements to a service provider:

  • Authentication statements assert that the user specified in the assertion actually did authenticate successfully, and at what time they did so.
  • Attribute statements supply attribute values pertaining to the user.  The NameID (carried in the assertion's Subject rather than in the attribute statement) is required and specifies the username; other attributes can be manually configured as well.
  • Authorization decision statements declare that a request to allow the assertion subject to access the specified resource has been granted or denied.

Assertion Consumer Service (ACS): the service provider's endpoint (URL) that is responsible for receiving and parsing a SAML assertion.  Because anyone can post to this endpoint, the ACS must verify the assertion's signature against the IdP's certificate before trusting anything in it.  Keep in mind that some service providers use a different term for the ACS.  In the Okta SAML template, this is entered in the Single Sign On URL field.

Attribute: a piece of data about a user, such as username, first name, employee ID, etc.

Audience Restriction: a value within the SAML assertion that specifies who (and only who) the assertion is intended for.  The "audience" will be the service provider and is typically a URL (usually the SP's Entity ID) but can technically be formatted as any string of data.  The SP should reject an assertion whose audience does not match its own identifier; this is what prevents an assertion issued for one SP from being replayed at another.  If this value is not provided by the SP, try using the ACS.

Default Relay State: the URL that users will be directed to after a successful authentication through SAML (used in IdP-initiated sign-on).  RelayState travels alongside the SAML response, so an SP should only redirect to it after checking that it points to the SP's own origin; otherwise the parameter becomes an open redirect.

Endpoint: the URLs that are used when Service Providers and Identity Providers communicate with one another.

Entity ID: a globally unique name for an Identity Provider or a Service Provider.  A unique Okta Entity ID is generated for each application, and is referred to as the Identity Provider Issuer in the Okta application's Setup Instructions.

Identity Provider (IdP): the authority that authenticates the user and asserts that user's identity (and any attributes) to the requested resource (the "Service Provider").

Metadata: a set of information supplied by the IdP to the SP, and/or vice versa, in XML format.

  • SP-supplied metadata will typically provide the ACS, the Audience Restriction (the SP's Entity ID), the NameID format, and an X.509 certificate if the assertion needs to be encrypted (the IdP encrypts to the SP's public key).  At this time, SP-supplied metadata files cannot be imported into Okta.
  • IdP-supplied metadata will provide the Single Sign On URL, the Entity ID and the X.509 signing certificate the SP needs to verify the signature on the assertion.  (Decrypting an encrypted assertion uses the SP's own private key, not the IdP certificate.)

NameID: the element in the assertion's Subject that identifies the user, typically by username or e-mail address.  Its Format attribute (for example, the emailAddress or unspecified format) tells the SP how to interpret the value.
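The Assertion, Audience Restriction and NameID entries above describe what an SP reads out of an assertion and what it must check. The following is an added example, not code from this article or from Okta, that parses a constructed SAML 2.0 assertion and applies those checks: issuer, audience, validity window, presence of an authentication statement, and extraction of the NameID and attribute statement. The issuer, audience, user and attribute values are made up for illustration. Signature verification is deliberately left out (it needs an XML-DSig library and the IdP's signing certificate); in a real ACS it must happen before any of this, and untrusted XML should go through defusedxml rather than xml.etree.

```python
"""Added example (not Okta's code): parse a SAML 2.0 assertion and apply the
checks an SP's Assertion Consumer Service must make before trusting it.
Signature verification is deliberately out of scope (it needs an XML-DSig
library and the IdP's signing certificate) and must happen first in any
real ACS; for untrusted XML, prefer defusedxml over xml.etree."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. The issuer, audience, user and attribute
# values are made up for illustration.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2018-06-22T10:00:00Z">
  <saml:Issuer>http://www.okta.com/exampleIssuerId</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2018-06-22T09:55:00Z" NotOnOrAfter="2018-06-22T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2018-06-22T09:59:30Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="employeeId"><saml:AttributeValue>E1234</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_utc(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported SAML timestamp: %r" % value)


def parse_assertion(xml_text):
    """Extract the statements and conditions the glossary describes."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("root element is not a SAML 2.0 Assertion")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no NameID")
    conditions = root.find("saml:Conditions", NS)
    authn = root.find("saml:AuthnStatement", NS)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [
            (v.text or "") for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "name_id": name_id.text.strip(),
        "name_id_format": name_id.get("Format"),
        "not_before": conditions.get("NotBefore") if conditions is not None else None,
        "not_on_or_after": conditions.get("NotOnOrAfter") if conditions is not None else None,
        "audiences": [(a.text or "").strip() for a in root.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "authn_instant": authn.get("AuthnInstant") if authn is not None else None,
        "attributes": attributes,
    }


def validate_assertion(parsed, expected_issuer, my_entity_id, now):
    """Return the list of reasons to reject; an empty list means all checks passed."""
    errors = []
    if parsed["issuer"] != expected_issuer:
        errors.append("issuer does not match the configured IdP")
    # Audience Restriction: an assertion minted for another SP must not be
    # accepted here, even if it is otherwise valid.
    if my_entity_id not in parsed["audiences"]:
        errors.append("audience restriction does not name this SP")
    if parsed["not_before"] and now < parse_utc(parsed["not_before"]):
        errors.append("assertion not yet valid")
    # NotOnOrAfter is exclusive: the assertion is already invalid at that instant.
    if parsed["not_on_or_after"] and now >= parse_utc(parsed["not_on_or_after"]):
        errors.append("assertion expired")
    if parsed["authn_instant"] is None:
        errors.append("no authentication statement")
    return errors


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    now = parse_utc("2018-06-22T10:00:00Z")
    print("user:", parsed["name_id"], "attrs:", parsed["attributes"])
    print("ok:", validate_assertion(parsed, "http://www.okta.com/exampleIssuerId",
                                    "https://sp.example.com/saml/metadata", now))
    print("wrong audience:", validate_assertion(
        parsed, "http://www.okta.com/exampleIssuerId", "https://other.example.net", now))
```

The second call in the script shows the audience check doing its job: the same, otherwise valid assertion is rejected when presented to an SP whose Entity ID is not in the AudienceRestriction. Clock skew is not tolerated here; production code usually allows a small window (a minute or two) around NotBefore and NotOnOrAfter.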

Service Provider (SP): the hosted resource or service that the user intends to access, such as Box, Workday, Salesforce, a custom application, etc.

Single Sign On URL: the endpoint that is dedicated to handling SAML transactions.  In the Okta SAML template setup screen, the SSO URL refers to the service provider's ACS; in Okta's IdP metadata, the Single Sign On URL is Okta's own endpoint that the SP sends users to.