I'm an SSO neophyte so apologies if I get things a little confused here. Big picture: we have a website (an SP). And we're using Auth0 as our IdP (with a custom DB for authentication). It's working but I have some questions.
I've created an Application in Auth0 that "represents" the website. Is this considered part of the IdP or is this better described as registering the website (an SP) with the IdP?
I've also created an API that "represents" the website (specifically, just the backend I guess. But it's a Drupal website and doesn't really have an API). Same question. Is this where I'm telling the IdP about the website (SP)? Why is there an Application and an API?
Where do I tell Auth0 what the EntityId of the SP is? From what I've read, this is important. But I have not found where to enter this info into Auth0 and everything seems to be working, so I'm not sure how important it actually is.
Thanks in advance!
I've created an Application in Auth0 that "represents" the website. Is this considered part of the IdP or is this better described as registering the website (an SP) with the IdP?
Creating an "Application" is registering an SP with the IdP.
It seems that in Auth0, you always start by registering an OIDC SP, ignoring all the OAuth/OIDC parameters like client_secret, and then enable the SAML "addon".
I've also created an API that "represents" the website (specifically, just the backend I guess. But it's a Drupal website and doesn't really have an API). Same question. Is this where I'm telling the IdP about the website (SP)? Why is there an Application and an API?
That's not part of SAML. That's an IdP management API. Your website could use this API to add user accounts to the IdP from your custom "signup" flow, for example, but it is not acting as a SAML SP in that case.
Where do I tell Auth0 what the EntityId of the SP is?
From what I could find in the docs, it seems that Auth0 doesn't need to use the entityID to distinguish between SPs; instead it generates unique IdP SingleSignOnService URLs to distinguish each "application". So it simply takes whatever entityID it finds in the received SAML AuthnRequest and copies it back into the response. (You can still customize that by editing the JSON "audience" under Addons>SAML; here again they're using OIDC terminology.)
In traditional SAML IdPs, the SP entityID is important because the exact same IdP metadata is distributed to all clients (possibly even as part of a big "federation" metadata bundle), so every SP sends AuthnRequests to the exact same IdP endpoint and the IdP uses the entityID to distinguish them, just like an OIDC IdP would use client_id. So generally you would be asked to specify the SP's entityID as the first thing when registering the "application".
But Auth0 does not work that way; it seems to focus entirely on the 'internal IdP for commercial webapp' use case (i.e. not aiming to support SAML federation at all), so instead it creates a whole new "virtual IdP" for each SP – and the entityID becomes unnecessary.
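To make the two dispatch models in this answer concrete, here is an added Python example (it is not code from the question, the answer, or Auth0). It parses a constructed SAML AuthnRequest, shows a traditional IdP looking the SP up by the Issuer entityID at one shared endpoint, shows the per-application-URL model in which the entityID is merely echoed into the response Audience unless an "audience" override is configured, and ends with the check an SP should make on the Audience it receives. The tenant SSO URL, SP entityID and ACS URL are placeholders invented for the example.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample AuthnRequest, as an SP would send it to the IdP's
# SingleSignOnService endpoint. All values are placeholders.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-request-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://www.example.org/saml/acs">
  <saml:Issuer>https://www.example.org/saml/metadata</saml:Issuer>
</samlp:AuthnRequest>"""


def sp_entity_id(authn_request_xml: str) -> str:
    """Return the SP entityID carried in <saml:Issuer> of an AuthnRequest."""
    root = ET.fromstring(authn_request_xml)
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest carries no Issuer")
    return issuer.text.strip()


# Model 1: traditional IdP. One SSO endpoint shared by every SP, so the
# registration table is keyed by entityID (the SAML analogue of client_id).
REGISTERED_SPS = {
    "https://www.example.org/saml/metadata": {
        "acs": "https://www.example.org/saml/acs",
    },
}


def resolve_sp_shared_endpoint(authn_request_xml: str):
    """Find the SP registration for a request received at the shared endpoint.

    Returns the registration dict, or None when the Issuer is not registered
    (a traditional IdP would refuse the request in that case)."""
    return REGISTERED_SPS.get(sp_entity_id(authn_request_xml))


# Model 2: per-application SSO URLs (the behaviour the answer describes for
# Auth0). The URL itself identifies the SP; the entityID is only echoed back
# as the response Audience unless an explicit "audience" is configured.
# The tenant URLs below are placeholders, not a real Auth0 tenant.
PER_APP_ENDPOINTS = {
    "https://tenant.example/samlp/app-website": {
        "acs": "https://www.example.org/saml/acs",
        "audience": None,  # None: copy the Issuer from the request
    },
    "https://tenant.example/samlp/app-override": {
        "acs": "https://www.example.org/saml/acs",
        "audience": "urn:example:configured-audience",  # explicit override
    },
}


def response_audience(sso_url: str, authn_request_xml: str) -> str:
    """Audience the per-app IdP would place in its Response for this request."""
    app = PER_APP_ENDPOINTS[sso_url]
    return app["audience"] or sp_entity_id(authn_request_xml)


def sp_accepts_audience(own_entity_id: str, audience: str) -> bool:
    """SP-side check: accept an assertion only if its Audience is exactly
    this SP's own entityID. Because the per-app model copies whatever the
    request said, the SP cannot rely on the IdP to have validated it."""
    return audience == own_entity_id


if __name__ == "__main__":
    print("Issuer:", sp_entity_id(SAMPLE_AUTHN_REQUEST))
    print("shared endpoint lookup:", resolve_sp_shared_endpoint(SAMPLE_AUTHN_REQUEST))
    for url in PER_APP_ENDPOINTS:
        print(url, "->", response_audience(url, SAMPLE_AUTHN_REQUEST))
```

The point of the last function is the practical consequence of the answer: when the IdP does not distinguish SPs by entityID, the SP's own Audience comparison (together with signature validation) is what binds a response to the right SP.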