• The Identity Provider (IdP) holds the identity and authenticates the user
• The Service Providers (SPs) consume the IdP's assertions to decide whether to let users in
• Everything happens in the browser (the SP and IdP never need to talk to each other directly)
• Useful when you don't want to join servers to existing directories
• Useful for enterprises: many SaaS products now offer SAML on their higher-level plans
• SPs only discover new users when they first sign in (no provisioning until then)
• It uses XML (yuk)
• System clocks of SPs and IdPs have to agree within a defined tolerance (~2 sec): the SP checks the assertion's NotBefore/NotOnOrAfter window against its own clock, which limits how long a captured assertion can be replayed
• You can encode attributes in the SAML assertion to send from the IdP to the SP
• ruby-saml: works with most IdPs
• You can get it working with the free OneLogin IdP service
• You may want to use encoded attributes to set permission group levels
• You can integrate it pretty easily with an authentication layer such as Devise
• We've used this combination to create a production IdP: https://account.amc.org.au/
• We also added an "assume user" function, which is super handy for support
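The SP-side checks the slides describe (the clock-tolerance window on the assertion's Conditions, reading attributes out of the assertion, and turning a group attribute into a permission level), as an added example in plain Ruby. This is not code from the slides, from ruby-saml, or from the account.amc.org.au IdP: it uses only REXML from the standard library, the assertion below is constructed for the example, and the names `conditions_valid?`, `ReplayCache`, `consume_assertion` and the `groups` attribute and `PERMISSION_LEVELS` table are assumptions made here. Signature verification is deliberately left out; in production that is the library's job and must run before anything below is trusted.

```ruby
require 'rexml/document'
require 'time'

SAML_NS = 'urn:oasis:names:tc:SAML:2.0:assertion'.freeze

# Constructed sample assertion (not from a real IdP). A real one would be signed
# and would arrive base64-encoded inside a samlp:Response.
SAMPLE_ASSERTION = <<~XML
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  ID="_assumed-id-0001" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>alice@example.test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>staff</saml:AttributeValue>
        <saml:AttributeValue>support</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
XML

# Assumed mapping from IdP group attribute values to SP permission levels.
PERMISSION_LEVELS = { 'admin' => 3, 'support' => 2, 'staff' => 1 }.freeze

# Checks NotBefore/NotOnOrAfter against the SP clock, allowing +/- allowed_drift
# seconds of skew (the slides mention ~2 s). Returns [ok, reason].
def conditions_valid?(xml, now:, allowed_drift: 2)
  cond = REXML::XPath.first(REXML::Document.new(xml), '//saml:Conditions', 'saml' => SAML_NS)
  return [false, 'no Conditions element'] if cond.nil?
  not_before = cond.attributes['NotBefore']
  not_on_or_after = cond.attributes['NotOnOrAfter']
  return [false, 'Conditions must carry NotBefore and NotOnOrAfter'] unless not_before && not_on_or_after
  return [false, 'assertion not yet valid'] if now < Time.iso8601(not_before) - allowed_drift
  return [false, 'assertion expired'] if now >= Time.iso8601(not_on_or_after) + allowed_drift
  [true, nil]
end

# Returns attribute name => [values] from the AttributeStatement.
def saml_attributes(xml)
  doc = REXML::Document.new(xml)
  attrs = {}
  REXML::XPath.each(doc, '//saml:Attribute', 'saml' => SAML_NS) do |attr|
    values = REXML::XPath.match(attr, 'saml:AttributeValue', 'saml' => SAML_NS)
    attrs[attr.attributes['Name']] = values.map { |v| v.text.to_s.strip }
  end
  attrs
end

# Highest permission level granted by the group values; 0 if none match.
def permission_level(groups)
  groups.map { |g| PERMISSION_LEVELS.fetch(g, 0) }.max || 0
end

# The time window alone does not stop re-use of a captured assertion inside the
# window, so remember assertion IDs until they expire (in-memory here; use a
# shared store when you run more than one SP instance).
class ReplayCache
  def initialize
    @seen = {}
  end

  # True the first time an ID is presented; false for any re-use before expiry.
  def first_use?(id, expires_at, now:)
    @seen.delete_if { |_, exp| exp <= now }
    return false if @seen.key?(id)
    @seen[id] = expires_at
    true
  end
end

# Full SP-side consumption: window check, replay check, then attribute mapping.
def consume_assertion(xml, now:, replay_cache:, allowed_drift: 2)
  ok, reason = conditions_valid?(xml, now: now, allowed_drift: allowed_drift)
  return { ok: false, reason: reason } unless ok

  doc = REXML::Document.new(xml)
  cond = REXML::XPath.first(doc, '//saml:Conditions', 'saml' => SAML_NS)
  expires_at = Time.iso8601(cond.attributes['NotOnOrAfter']) + allowed_drift
  unless replay_cache.first_use?(doc.root.attributes['ID'], expires_at, now: now)
    return { ok: false, reason: 'replayed assertion' }
  end

  attrs = saml_attributes(xml)
  name_id = REXML::XPath.first(doc, '//saml:Subject/saml:NameID', 'saml' => SAML_NS)&.text
  { ok: true, name_id: name_id, attributes: attrs, level: permission_level(attrs.fetch('groups', [])) }
end
```

The skew tolerance is applied symmetrically: an assertion is accepted up to `allowed_drift` seconds before its NotBefore and up to `allowed_drift` seconds after its NotOnOrAfter, which is why the replay cache keeps each ID for that extra margin too.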