https://developer.okta.com/docs/concepts/saml/
- The Cast of Characters (Terminology)
- The Principal: the user trying to log in
- Identity Provider (IdP): the "source of truth", the system that knows the user's password and verifies who they are (e.g. Okta, Azure AD)
- Service Provider (SP): the application the user wants to use (the app you are building)
- The "Digital Badge" Concept (The Roles)
- IdP = the passport office: it checks your birth certificate and ID to prove you are who you say you are, then issues you a passport
- Assertion = passport: a signed document that says "We trust this person is Maggie Ma"
- SP = the TSA/boarding gate: they don't check your birth certificate, they just look at your passport; if it carries a valid digital signature, they let you in
3: Steps (with pictured workflow)
Note:
The metadata is preset (the instruction manual) before anyone logs in; it is the rules of the game, including the SSO URL (app to Okta), the ACS URL (Okta to app), the Entity ID and the signing certificate.
The assertion is the passport, used at runtime: an XML document containing the user's name, email, timestamp, etc., signed by Okta with the key whose certificate is in the metadata. The assertion is sent to the ACS URL.
Once the app gets the assertion, it verifies the signature using the public key from the certificate in the metadata, and only then trusts the identity inside it.
