SAML Blog Series (Part 2): Intermediate Guide

Overview

Deep dive into:

  • Service Provider (SP)
  • Identity Provider (IdP)
  • Sessions and storage

SP Architecture

+--------+
| User   |
+---+----+
    |
    | Request
    v
+----------------------+
| Service Provider     |
| - Session check      |
| - AuthnRequest       |
+----------+-----------+
           |
           v
+----------------------+
| Identity Provider    |
+----------+-----------+
           |
           | SAML Response
           v
+----------------------+
| SP Validation Layer  |
| - Signature check    |
| - Claims validation  |
+----------+-----------+
           |
           v
+----------------------+
| SP Session Store     |
+----------------------+

SP Stores

  • Session ID
  • User identity
  • Roles
  • Expiry

Stored in Redis / DB / memory.


SP Session

  • Independent of SAML
  • Used for every request
  • Has own timeout rules
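Added example, not code from the original post, covering the two SP-side steps above: the claims-validation part of the SP validation layer (issuer, validity window, audience, InResponseTo) and creation of an SP session whose expiry is independent of the assertion. It assumes the XML signature was already verified by a SAML library before this step, and the entity IDs, request ID and assertion below are constructed sample values.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.com/metadata"     # assumed SP entityID
TRUSTED_ISSUER = "https://idp.example.com/metadata"  # assumed IdP entityID
# Constructed sample assertion; a real SP verifies the XML signature before this step.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation>
      <saml:SubjectConfirmationData InResponseTo="id-123"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_saml_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_claims(xml_text, expected_request_id, now):
    """Claims-validation step of the SP validation layer; raises ValueError on any failure."""
    a = ET.fromstring(xml_text)
    if a.findtext("saml:Issuer", namespaces=NS) != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (parse_saml_time(cond.get("NotBefore")) <= now
                            < parse_saml_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in a.findall(".//saml:Audience", NS)]:
        raise ValueError("assertion not addressed to this SP")
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the AuthnRequest we sent")
    roles = [v.text for v in a.findall(".//saml:Attribute[@Name='role']/saml:AttributeValue", NS)]
    return {"user": a.findtext(".//saml:NameID", namespaces=NS), "roles": roles}

def create_sp_session(claims, now, ttl=timedelta(hours=8)):
    """SP session record: its own ID and expiry, independent of the assertion's short window."""
    return {"session_id": secrets.token_urlsafe(32), "user": claims["user"],
            "roles": claims["roles"], "expires": now + ttl}
```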

IdP Flow

User Login
   |
   v
Authenticate User
   |
   v
IdP Session Created
   |
   v
Signed SAML Assertion

IdP Stores

  • SSO session
  • Signing keys
  • User attributes

Key Insight

SP = Application access
IdP = Identity
SAML = Bridge