The Security Assertion Markup Language (SAML) is a protocol used to communicate authentication data between two parties. SAML works really well for server-side applications, providing single sign-on (SSO) across your applications.
Which Side of the Story
There are two sides to the SAML protocol: SAML Identity Provider (IdP) and SAML Service Provider (SP).
- SAML Identity Provider is an entity that issues authentication assertions about a user
- SAML Service Provider is an entity that uses the authentication assertions issued by an identity provider to control access to services
We provide both SAML Service Provider and SAML Identity Provider implementations, allowing you to implement either side of the SSO solution with ease.
SAML Identity Provider
As a SAML Identity Provider, you can allow legacy SAML applications to log in using your IdentityServer. In this role, you’ll have IdentityServer acting in its traditional role as an authorization server/identity provider.
Using our SAML component with an OpenID Connect (OIDC) provider such as IdentityServer4 and Duende IdentityServer, you can use both OIDC and our SAML component to implement a cross-protocol SSO. This allows some applications to authenticate with your IdentityServer using SAML and others using OIDC. The user gets a single sign-on experience as both protocols use the same SSO session. This means that you can authenticate users regardless of the requesting application type and support legacy server-side applications that use SAML.
All the SAML interactions are abstracted away in the IdentityServer, making the cross-protocol SSO seamless.
SAML Service Provider
As a SAML Service Provider, you can federate with external SAML identity providers. You can use this side of the component directly inside your ASP.NET Core application or use it within your IdentityServer.
In this role, you will have your application using an external identity provider for logins, much in the same way you would offer functionality such as “login using Google”. The external service holds the credentials, and you send them SAML requests.
Again, when using your IdentityServer as the SAML SP, all the SAML interactions are abstracted away in IdentityServer.
Acting as both SP and IdP
You can also combine the two approaches and act as both SAML Service Provider and SAML Identity Provider while supporting other protocols such as OpenID Connect and OAuth.