SAML Entities

The SAML protocol defines a number of roles. In the Grid, the ones we refer to are the following:

  • Service Provider (SP) – This is the role taken by the SAML Session Provider on behalf of the Grid. Grid applications provide services that require authentication, and the SAML Session Provider initiates the authentication using the SAML protocol and consumes the authentication response. In AD FS, the Service Provider is called a Relying Party Trust (RPT).

  • Identity Provider (IdP) – This is the role of the entity that is responsible for handling authentication against the user repository. In on-premises environments, AD FS (Active Directory Federation Services, a Microsoft product) has the role of the Identity Provider.

  • Claims Provider – This is the role of IFS (Infor Federation Services), which is part of LTR or Infor OS. After a successful authentication, AD FS retrieves additional attributes for the user from IFS, in particular Security Roles, which are maintained in IFS. In AD FS terminology these attributes are called claims; in the SAML standard itself they are attributes, carried in the AttributeStatement of the assertion. Claims may also come from other stores, for example attributes from Active Directory. All the claims for a user are included in the authentication response returned by AD FS to the SAML Session Provider once the user has been authenticated.