Web applications that support SAML can use the Privileged Access Service to authenticate users securely. The Service Provider (SP) is the web application that users log in to via the Privileged Access Service, which acts as the Identity Provider (IdP).
A signing certificate (X.509) establishes the trust relationship between the SP and the IdP. The IdP signs the SAML XML with the private key that corresponds to its certificate, and the SP verifies that signature with the copy of the IdP certificate it has on file. With that trust relationship in place, the SP consumes the assertion passed to it from the IdP and logs the user in without requiring additional credentials.
Web applications that support SAML authentication offer the following authentication methods:
- IdP-initiated: the IdP sends a SAML Response to the SP.
- SP-initiated: the SP sends a SAML Request (an AuthnRequest) to the IdP; the IdP then sends a SAML Response to the SP.
Note: In both methods, the SAML Response is sent to the Assertion Consumer Service (ACS) URL configured during application setup.
In most cases, if you use IdP-initiated SSO, your users can still access the application directly with their user name and password. If you use SP-initiated SSO, users who go to the web application directly are redirected to the Privileged Access Service to log in. Some applications also disable user name and password logins altogether.
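The trust check and the two flows above, as an added example in Go (this is not code from the Privileged Access Service or from any SAML library): a toy IdP generates a signing key and a self-signed X.509 certificate, issues a Response whose Assertion it signs, and a toy SP that has that certificate on file verifies the signature before it checks Destination (its ACS URL), Audience, the validity window, replay, and InResponseTo, which is absent for IdP-initiated SSO (the SP may refuse unsolicited responses) and must match an outstanding AuthnRequest for SP-initiated SSO. The entity IDs, URLs and user names are made up. The signature is RSA-SHA256 over the serialized <Assertion> element, a stand-in for XML-DSig canonicalization; a real SP must use an XML-DSig library and make sure the element it consumes is the one that was signed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Minimal SAML 2.0 Response/Assertion shapes (namespaces omitted for brevity).
type Conditions struct {
	NotBefore    time.Time `xml:"NotBefore,attr"`
	NotOnOrAfter time.Time `xml:"NotOnOrAfter,attr"`
	Audience     string    `xml:"AudienceRestriction>Audience"` // must equal the SP entity ID
}
type Assertion struct {
	ID         string     `xml:"ID,attr"`
	NameID     string     `xml:"Subject>NameID"`
	Conditions Conditions `xml:"Conditions"`
}
type Response struct {
	InResponseTo string    `xml:"InResponseTo,attr,omitempty"` // absent in IdP-initiated SSO
	Destination  string    `xml:"Destination,attr"`           // the SP's ACS URL
	Assertion    Assertion `xml:"Assertion"`
	// Base64 RSA-SHA256 over the serialized <Assertion>: a stand-in for the XML-DSig real SAML uses.
	Signature string `xml:"Signature"`
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func newID() string { b := make([]byte, 8); rand.Read(b); return "_" + hex.EncodeToString(b) }

// IdP holds the private signing key and the self-signed X.509 certificate the SP keeps on file.
type IdP struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

func NewIdP(name string) *IdP {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &IdP{Key: key, Cert: must(x509.ParseCertificate(der))}
}

// Issue builds and signs a Response for user; inResponseTo is "" for IdP-initiated SSO.
func (i *IdP) Issue(user, spEntityID, acsURL, inResponseTo string, now time.Time) []byte {
	a := Assertion{ID: newID(), NameID: user, Conditions: Conditions{Audience: spEntityID,
		NotBefore: now.Add(-time.Minute), NotOnOrAfter: now.Add(5 * time.Minute)}}
	h := sha256.Sum256(must(xml.Marshal(a)))
	sig := must(rsa.SignPKCS1v15(rand.Reader, i.Key, crypto.SHA256, h[:]))
	return must(xml.Marshal(Response{InResponseTo: inResponseTo, Destination: acsURL, Assertion: a,
		Signature: base64.StdEncoding.EncodeToString(sig)}))
}

// SP is the web application: its identifiers, the IdP certificate on file, and anti-replay state.
type SP struct {
	EntityID, ACSURL  string
	IdPCert           *x509.Certificate
	AllowIdPInitiated bool
	pending, seen     map[string]bool // outstanding AuthnRequest IDs; already-consumed assertion IDs
}

func NewSP(entityID, acsURL string, idpCert *x509.Certificate, allowIdPInitiated bool) *SP {
	return &SP{entityID, acsURL, idpCert, allowIdPInitiated, map[string]bool{}, map[string]bool{}}
}

// StartLogin is the SP-initiated step: remember the AuthnRequest ID before redirecting to the IdP.
func (s *SP) StartLogin() string { id := newID(); s.pending[id] = true; return id }

// Consume is the ACS: verify the signature with the certificate on file first, then every condition.
func (s *SP) Consume(raw []byte, now time.Time) (string, error) {
	var r Response
	if err := xml.Unmarshal(raw, &r); err != nil {
		return "", err
	}
	signed, err := xml.Marshal(r.Assertion) // re-serialize exactly the bytes the IdP signed
	sig, err2 := base64.StdEncoding.DecodeString(r.Signature)
	pub, ok := s.IdPCert.PublicKey.(*rsa.PublicKey)
	h := sha256.Sum256(signed)
	if err != nil || err2 != nil || !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return "", errors.New("assertion signature does not verify with the IdP certificate on file")
	}
	a := r.Assertion
	switch {
	case r.Destination != s.ACSURL || a.Conditions.Audience != s.EntityID:
		return "", errors.New("response or assertion is not addressed to this SP")
	case now.Before(a.Conditions.NotBefore) || !now.Before(a.Conditions.NotOnOrAfter):
		return "", errors.New("assertion outside its validity window")
	case s.seen[a.ID]:
		return "", errors.New("assertion replayed")
	case r.InResponseTo == "" && !s.AllowIdPInitiated:
		return "", errors.New("unsolicited (IdP-initiated) response rejected")
	case r.InResponseTo != "" && !s.pending[r.InResponseTo]:
		return "", errors.New("InResponseTo does not match an outstanding AuthnRequest")
	}
	delete(s.pending, r.InResponseTo) // one-time use; no-op for IdP-initiated
	s.seen[a.ID] = true
	return a.NameID, nil
}

func main() {
	idp := NewIdP("pas.example.com")
	sp := NewSP("https://app.example.com/saml", "https://app.example.com/saml/acs", idp.Cert, true)
	fmt.Println(sp.Consume(idp.Issue("alice", sp.EntityID, sp.ACSURL, "", time.Now()), time.Now()))            // IdP-initiated
	fmt.Println(sp.Consume(idp.Issue("bob", sp.EntityID, sp.ACSURL, sp.StartLogin(), time.Now()), time.Now())) // SP-initiated
}
```

The order of checks in Consume is the point: nothing in the Response is trusted until the signature verifies against the certificate on file, and only then are Destination, Audience, time window, replay state and InResponseTo compared with what the SP itself knows. Setting AllowIdPInitiated to false turns the SP into one that, as the text says, only accepts logins it started itself.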
The following diagram illustrates the main differences between IdP-initiated and SP-initiated SSO.