Basics about SAML/SSO with ADLAP
Published: (February 6, 2026 at 02:30 PM EST)
2 min read
Source: Dev.to
The Cast of Characters (Terminology)
- Principal – the user trying to log in.
- Identity Provider (IdP) – the “source of truth”; the system that knows the user’s password and verifies who they are (e.g., Okta, Azure AD).
- Service Provider (SP) – the application the user wants to use (the app you are building).
- Digital Badge (Role) – the role or attribute assigned to the user.
Analogy
- IdP = Passport Office – checks your birth certificate and ID to prove you are you, then issues a passport.
- Assertion = Passport – a signed document that says “We trust this person is Maggie Ma”.
- SP = TSA / Boarding Gate – does not check your birth certificate; it only looks at the passport. If the passport has a valid digital signature, you are let in.
Steps (with workflow)
Notes
- Metadata is preset (the instruction manual) before anyone logs in. It defines the rules of the game, including the SSO URL (App → Okta), ACS URL (Okta → App), Entity ID, and the certificate.
- Assertion is the passport used at runtime. It is an XML document containing the user’s name, email, timestamp, etc., signed by Okta using the key specified in the metadata. The assertion is sent to the ACS URL.
- When the app receives the assertion, it validates the signature using the public key from the metadata.
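The notes above describe the whole runtime contract: metadata fixes the IdP's entity ID and signing key ahead of time, the IdP signs an assertion, and the SP must verify that signature with the metadata key before trusting a single field in it. The following Go program is an added example, not code from the original post, that models that contract end to end: an IdP side that issues and signs an assertion, and an SP side that validates it and rejects a tampered assertion, one signed by a key the metadata does not list, and an expired one. It simplifies real SAML in one labelled way: it signs the raw assertion bytes with RSA-SHA256 instead of embedding an XML-DSig `<Signature>` over canonicalised XML. The entity IDs, ACS URL, user and timestamps are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"fmt"
	"time"
)

// Metadata is the pre-shared "instruction manual" the SP keeps: entity IDs, the
// ACS URL and the IdP signing public key (an X.509 cert in real IdP metadata).
type Metadata struct {
	IdPEntityID, SPEntityID, ACSURL string
	IdPPublic                       *rsa.PublicKey
}

// Assertion is a simplified stand-in for a SAML <Assertion> (constructed shape).
type Assertion struct {
	XMLName      xml.Name  `xml:"Assertion"`
	IssueInstant time.Time `xml:"IssueInstant,attr"`
	Issuer       string    `xml:"Issuer"`
	NameID       string    `xml:"Subject>NameID"`
	Email        string    `xml:"AttributeStatement>Email"`
	Audience     string    `xml:"Conditions>AudienceRestriction>Audience"`
	NotOnOrAfter time.Time `xml:"Conditions>NotOnOrAfter"`
}

// SignedResponse is what the IdP posts to the ACS URL: assertion bytes plus a
// detached RSA-SHA256 signature (real SAML: XML-DSig over canonical XML).
type SignedResponse struct {
	AssertionXML, Signature []byte
}

// IssueAssertion is the IdP side: build the "passport" and sign it.
func IssueAssertion(priv *rsa.PrivateKey, idpEntity, spEntity, nameID, email string, now time.Time) (SignedResponse, error) {
	a := Assertion{IssueInstant: now, Issuer: idpEntity, NameID: nameID, Email: email,
		Audience: spEntity, NotOnOrAfter: now.Add(5 * time.Minute)}
	raw, err := xml.Marshal(a)
	if err != nil {
		return SignedResponse{}, err
	}
	digest := sha256.Sum256(raw)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return SignedResponse{AssertionXML: raw, Signature: sig}, err
}

// ValidateAssertion is the SP side ("boarding gate"): verify the signature with
// the metadata key BEFORE parsing or trusting any field, then check issuer,
// audience and the validity window.
func ValidateAssertion(md Metadata, resp SignedResponse, now time.Time) (*Assertion, error) {
	digest := sha256.Sum256(resp.AssertionXML)
	if err := rsa.VerifyPKCS1v15(md.IdPPublic, crypto.SHA256, digest[:], resp.Signature); err != nil {
		return nil, fmt.Errorf("signature does not verify with the IdP key from metadata")
	}
	var a Assertion
	if err := xml.Unmarshal(resp.AssertionXML, &a); err != nil {
		return nil, fmt.Errorf("malformed assertion: %w", err)
	}
	const skew = 2 * time.Minute // tolerate small clock drift between IdP and SP
	switch {
	case a.Issuer != md.IdPEntityID:
		return nil, fmt.Errorf("issuer %q is not the configured IdP", a.Issuer)
	case a.Audience != md.SPEntityID:
		return nil, fmt.Errorf("audience %q is not this SP", a.Audience)
	case a.IssueInstant.After(now.Add(skew)):
		return nil, fmt.Errorf("assertion issued in the future")
	case !now.Before(a.NotOnOrAfter.Add(skew)):
		return nil, fmt.Errorf("assertion expired at %s", a.NotOnOrAfter)
	}
	return &a, nil
}

// ScenarioResult records one accepted login and whether three bad assertions
// were (wrongly) accepted; every *OK field should be false.
type ScenarioResult struct {
	AcceptedNameID                    string
	TamperedOK, WrongKeyOK, ExpiredOK bool
}

// Scenario runs the IdP and SP sides against a fixed clock (constructed data).
func Scenario() (ScenarioResult, error) {
	now := time.Date(2026, 2, 6, 14, 30, 0, 0, time.UTC)
	idpKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return ScenarioResult{}, err
	}
	md := Metadata{IdPEntityID: "https://idp.example.com", SPEntityID: "https://app.example.com",
		ACSURL: "https://app.example.com/saml/acs", IdPPublic: &idpKey.PublicKey}
	good, err := IssueAssertion(idpKey, md.IdPEntityID, md.SPEntityID, "maggie", "maggie@example.com", now)
	if err != nil {
		return ScenarioResult{}, err
	}
	var r ScenarioResult
	a, err := ValidateAssertion(md, good, now)
	if err != nil {
		return r, err
	}
	r.AcceptedNameID = a.NameID
	// Tampered in transit: the email changed, so the signature no longer matches.
	tampered := SignedResponse{Signature: good.Signature, AssertionXML: bytes.Replace(
		good.AssertionXML, []byte("maggie@example.com"), []byte("other@example.com"), 1)}
	_, err = ValidateAssertion(md, tampered, now)
	r.TamperedOK = err == nil
	// Signed by a key the metadata does not list: not the IdP's "passport office".
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	forged, _ := IssueAssertion(otherKey, md.IdPEntityID, md.SPEntityID, "maggie", "maggie@example.com", now)
	_, err = ValidateAssertion(md, forged, now)
	r.WrongKeyOK = err == nil
	// Replayed long after NotOnOrAfter: valid signature, but outside its window.
	_, err = ValidateAssertion(md, good, now.Add(30*time.Minute))
	r.ExpiredOK = err == nil
	return r, nil
}

func main() {
	r, err := Scenario()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

The ordering in `ValidateAssertion` is the point worth keeping: the signature is checked over the exact bytes received, and only then is the XML parsed and its issuer, audience and time window compared against the metadata. Checking audience stops an assertion issued for a different SP from being reused here, and the `NotOnOrAfter` check bounds how long a captured assertion stays usable.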
