Tags: single-sign-on, saml, identity-management

IdP Vs Authoritative Source Vs SAML Vs SSO in IAM


Could someone please help me to understand the difference among the following entities in IAM, with real world examples?

  1. IdP
  2. Authoritative Source
  3. SSO
  4. SAML
  5. OAuth

Thanks


Solution

  • An IdP is an Authoritative Source of identities for an organisation. An entity outwith the organisation can allow identities provided by the IdP to log in to its resources, for example ebooks. The IdP can choose to use SSO, which means the identities (i.e. the users) only need to provide their credentials once (username/password for example) for as long as an SSO session lasts, for example 24 hours.

    In order for an external resource provider such as an ebook provider to request that identities (i.e. users) be identified at login, it can ask the IdP to release information about those identities using either SAML or OAuth2.

    The IdP and external resource provider can have SSO independent of each other. A typical flow might be:

    1. User goes to https://someebooks.com
    2. someebooks.com sends the user to their IdP along with SAML requesting the user be authenticated by the IdP.
    3. The IdP authenticates the user and sets up an SSO session for them
    4. The IdP sends the user back to someebooks.com with some SAML containing information about the user.
    5. someebooks.com allows the user to access the ebooks and sets up its own SSO session for the user.
    6. If the someebooks.com SSO session finishes, go back to step 2.
    7. The user decides to go to https://morebooks.com which sends them to their IdP. As they already have an IdP SSO session from step 3, they don't need to login again.
    8. The IdP sends the user to morebooks.com with information about them in SAML.

    The flow is similar for OAuth2. It uses different tokens from SAML. Both are a way of requesting that an identity (user) be authenticated by its Authoritative Source and that the Authoritative Source release information about the user.

    OAuth2 uses a token released by the IdP to allow, for example, someebooks.com to directly request information about the user from the IdP. It's more complex than SAML.

    Information about the user might be a course enrolment. e.g. they are studying a medical degree. An ebook provider may only be prepared to allow access to its ebooks to medical students. The information in the SAML or OAuth2 response from the IdP (step 4) may include this information, if they are studying for a medical degree. The IdP knows this as it is the Authoritative Source for the user.

    In summary, the IdP AUTHENTICATES the user and the result is sent to the resource provider which AUTHORIZES the user based on information about the user the IdP sends to it (SAML) or based on information it asks the IdP to release about the user (OAuth2).
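The eight-step flow and the authentication/authorization split in the answer above, worked through as an added Python simulation (not code from the original post or from any real SAML library). It assumes a constructed user directory, two constructed SPs (someebooks.com and morebooks.com), and an HMAC over a JSON payload as a stand-in for the XML signature a real IdP puts on a SAML assertion; the attribute name `programme` and the session lengths are also assumptions for the demo.

```python
"""Simulated SAML-style SSO flow: the IdP authenticates, each SP authorizes."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed demo key shared by the IdP and its SPs. Real SAML assertions are
# signed with the IdP's private key (XML-DSig); an HMAC stands in for that here.
IDP_SIGNING_KEY = b"constructed-demo-idp-key"
IDP_SESSION_TTL = 24 * 3600   # IdP SSO session length (24 h, as in the answer)
SP_SESSION_TTL = 60 * 60      # each SP keeps its own, independent SSO session

# Constructed directory: the IdP is the authoritative source for these facts.
# Passwords are plaintext only for the demo; a real IdP stores password hashes.
USERS = {
    "alice": {"password": "alice-pw", "attributes": {"programme": "medicine"}},
    "bob":   {"password": "bob-pw",   "attributes": {"programme": "history"}},
}

@dataclass
class IdentityProvider:
    users: dict
    sso_sessions: dict = field(default_factory=dict)  # cookie -> (username, expiry)

    def handle_authn_request(self, request, now, sso_cookie=None, credentials=None):
        """Steps 2-4 / 7-8: returns (signed assertion or None, IdP SSO cookie)."""
        username = None
        sess = self.sso_sessions.get(sso_cookie)
        if sess and sess[1] > now:            # live IdP SSO session: no login prompt
            username = sess[0]
        elif credentials:                     # step 3: verify password, open session
            user, pw = credentials
            record = self.users.get(user)
            if record and hmac.compare_digest(record["password"], pw):
                username, sso_cookie = user, secrets.token_hex(16)
                self.sso_sessions[sso_cookie] = (user, now + IDP_SESSION_TTL)
        if username is None:
            return None, sso_cookie
        # Release the user's attributes to the requesting SP only, signed by the IdP.
        payload = {"subject": username, "audience": request["issuer"], "issued_at": now,
                   "attributes": dict(self.users[username]["attributes"])}
        body = json.dumps(payload, sort_keys=True).encode()
        sig = hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": sig}, sso_cookie

@dataclass
class ServiceProvider:
    entity_id: str
    required_programme: str                       # authorization rule local to this SP
    sessions: dict = field(default_factory=dict)  # cookie -> (username, expiry)

    def build_authn_request(self):                # step 2: ask the IdP to authenticate
        return {"issuer": self.entity_id, "id": secrets.token_hex(8)}

    def consume_assertion(self, assertion, now, max_age=300):
        """Step 5: check the IdP's statement, then apply this SP's own policy."""
        if assertion is None:
            return {"status": "not_authenticated"}
        body = json.dumps(assertion["payload"], sort_keys=True).encode()
        expected = hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return {"status": "invalid_signature"}
        p = assertion["payload"]
        if p["audience"] != self.entity_id:       # issued for a different SP
            return {"status": "wrong_audience"}
        if now - p["issued_at"] > max_age:        # outside the replay window
            return {"status": "stale_assertion"}
        if p["attributes"].get("programme") != self.required_programme:
            return {"status": "forbidden", "user": p["subject"]}
        cookie = secrets.token_hex(16)            # the SP's own SSO session begins
        self.sessions[cookie] = (p["subject"], now + SP_SESSION_TTL)
        return {"status": "authorized", "user": p["subject"], "sp_cookie": cookie}

def run_flow(now=1_700_000_000):
    """Walk through the answer's steps and return each SP's decision."""
    idp = IdentityProvider(USERS)
    someebooks = ServiceProvider("https://someebooks.com", "medicine")
    morebooks = ServiceProvider("https://morebooks.com", "medicine")

    def visit(sp, when, **kw):                    # steps 1-2 then 4-5 for one SP
        assertion, cookie = idp.handle_authn_request(sp.build_authn_request(), when, **kw)
        return sp.consume_assertion(assertion, when), cookie

    results = {}
    # Steps 1-5: alice logs in at the IdP and gets a someebooks session.
    results["alice_someebooks"], idp_cookie = visit(
        someebooks, now, credentials=("alice", "alice-pw"))
    # Steps 7-8: the IdP cookie means no second login at morebooks.
    results["alice_morebooks"], _ = visit(morebooks, now + 60, sso_cookie=idp_cookie)
    # bob is authenticated by the same IdP but fails someebooks' own policy.
    results["bob_someebooks"], _ = visit(someebooks, now, credentials=("bob", "bob-pw"))
    # Once the 24 h IdP session lapses, the cookie alone no longer suffices.
    late = now + IDP_SESSION_TTL + 1
    results["alice_after_idp_expiry"], _ = visit(morebooks, late, sso_cookie=idp_cookie)
    return results
```

Running `run_flow()` shows the two halves of the answer's summary: the IdP decides only who the user is (alice and bob both authenticate), while each SP decides on its own whether the released attributes meet its policy and keeps its own session cookie, independent of the IdP's 24 hour session.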