When a user asks to connect to a SAML-enabled web application in the Admin Portal, the traditional SAML roles are these:
- The principal is the user, who has already been authenticated in the Admin Portal through the Privileged Access Service. The principal uses a web browser (connected to the Admin Portal) or the mobile application as the user agent to request a web application connection.
- The identity provider is the Privileged Access Service, which provides a SAML assertion that presents the user as an authenticated principal.
- The service provider is the web application host that receives the SAML assertion and decides whether or not to grant resource access to the principal (the user).
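To make the three roles concrete, here is an added example (not code from the product documentation) that parses a constructed SAML 2.0 assertion, maps its elements to the roles above, and runs the checks a service provider performs before granting access. The issuer, audience and subject values are placeholders; a real service provider must verify the assertion's XML signature before any of these checks matter, which is omitted here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion with placeholder identities (no real endpoints).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.test/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _parse_ts(value):
    # SAML timestamps are UTC with a trailing Z; make them timezone-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_roles(assertion_xml):
    """Map assertion elements to the SAML roles: Subject -> principal,
    Issuer -> identity provider, Audience -> service provider."""
    root = ET.fromstring(assertion_xml)
    return {
        "principal": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "identity_provider": root.findtext("saml:Issuer", namespaces=NS),
        "service_provider": root.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
    }


def sp_accepts(assertion_xml, expected_issuer, my_entity_id, now_iso):
    """Service-provider decision (after signature verification, not shown):
    trusted issuer, assertion addressed to us, and inside its validity window.
    Returns (accepted, principal-or-reason)."""
    roles = parse_roles(assertion_xml)
    if roles["identity_provider"] != expected_issuer:
        return False, "unexpected issuer"
    if roles["service_provider"] != my_entity_id:
        return False, "audience mismatch"
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    now = _parse_ts(now_iso)
    if not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
        return False, "outside validity window"
    return True, roles["principal"]
```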