
Glossary of SAML Related Terms

AA - Attribute Authority

A service that provides attributes about entities
Usually part of the IdP, but standalone is possible
LDAP is Stanford’s most common Attribute Authority

Attribute

A named set of data about an entity (person or user)
Names are often based on directory attributes
Values are controlled by organizations
Federations may define common attributes
InCommon uses the eduPerson schema for interop

Assertion

Usually used by organizational identity providers
Values provided by the organization; mostly verified
Example: Stanford asserts that
my preferred name is Jane Stanford
my email address is mrsstanford@stanford.edu

Claim

Usually used by social identity providers
Values often provided by the person; mostly unverified
Example: I claim that
my name is Jane Stanford
my email address is mrsstanford@stanford.edu

FarmFed

Stanford’s local federation
https://shibboleth.stanford.edu/
A few IdPs (Stanford, SHC, SMCH)
Local SPs
“non-federated” SPs

Federation

A collection of organizations which:
May share policies and practices
Usually share metadata about IdPs and SPs
Federations often sign this metadata
Federation solves the problem of metadata discovery

IdP - Identity Provider

A service that provides identity information
Usually about people
Not always the authentication service
Historically also known as the “origin”
WebLogin is Stanford’s most common Identity Provider

InCommon

The US Higher Education Federation
https://incommon.org/
Metadata merged with eduGAIN (European federation)
IdPs need to opt out
SPs need to opt in
Over 1,800 IdPs
Over 400 US IdPs (out of ~1,400 .edu institutions)
Over 5,000 SPs
Over 2,600 US SPs
including non-edu providers, such as Box

RP - Relying Party

Another name for Service Provider
RPs “rely” on IdPs

SP - Service Provider

Usually a web application
Uses an IdP to authenticate people
Uses an AA to get information about people
