New to single sign-on and SAML, so I am not sure if I am asking this question right. Suppose, as an identity provider, a user comes to my site and clicks on the service provider link. I will then prompt him for userid and password. Suppose he successfully gets authenticated as [email protected]. I will then send that user to the service provider, supplying the SAML token. Suppose the service provider expects the user to be user1 instead of [email protected]. Do I need to create some kind of mapping? How would I know what the service provider is expecting, in this case user1 instead of [email protected]? How is the SAML token sent to the service provider? Is it part of the HTTP header or body? Does the federated identity manager take care of sending the SAML token, etc.?
1 Answer
Prior to any SSO, the IdP and SP organizations will have agreed on what will be sent by the IdP to the SP. Often what is used is the user's email address, but it doesn't have to be that. Also, as well as the user's name identifier, there's the option of sending additional information in the form of SAML attributes (essentially name/value pairs) in the SAML assertion. If you're supporting multiple SPs then it's quite possible that the information in the SAML assertion will be different for each of these SPs. Once again, the precise details of what to include in the SAML assertion are something that's agreed on by the IdP and SP.
The SAML assertion is sent within a SAML response message. In the vast majority of cases the SAML response is sent using the HTTP-Post binding which means it's sent using an HTTP Post request to the SP. If you're using SAML software it should handle constructing and sending the SAML response.
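To make the answer concrete, here is an added example (not code from the question or the answer above) that shows the three pieces it describes: the IdP placing a NameID plus extra attributes in an assertion inside a SAML response, that response being base64-encoded into the `SAMLResponse` form field that the HTTP-POST binding carries in the request body, and the SP extracting the NameID/attributes and mapping them to its own local account (the "user1 versus email address" question). All issuer URLs, user names and the `uid` attribute name are constructed for the example; the response is deliberately an unsigned skeleton with no Status, Conditions or Signature elements, which a real SP must require and verify before trusting anything in the message.

```python
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_saml_response(issuer, name_id, attributes, name_id_format=EMAIL_FORMAT):
    """IdP side: wrap a NameID and attributes in an assertion inside a Response.

    Skeleton only: a production response also carries Status, Conditions
    (audience, validity window), SubjectConfirmation and an XML Signature.
    """
    now = datetime.now(timezone.utc).isoformat()
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_resp-1", Version="2.0", IssueInstant=now)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_assn-1", Version="2.0", IssueInstant=now)
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    nid = ET.SubElement(subject, f"{{{SAML}}}NameID", Format=name_id_format)
    nid.text = name_id
    # Extra name/value pairs agreed between IdP and SP go in an AttributeStatement
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    for name, value in attributes.items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(resp, encoding="unicode")


def encode_for_http_post(xml_text):
    """HTTP-POST binding: the XML is base64-encoded into the SAMLResponse form
    field of a POST to the SP's Assertion Consumer Service (body, not header)."""
    return {"SAMLResponse": base64.b64encode(xml_text.encode("utf-8")).decode("ascii")}


def sp_extract(form):
    """SP side: decode the form field and pull out NameID, its Format and attributes.

    In production the signature, issuer, audience and validity window are
    verified before any of these values are used.
    """
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    nid = root.find(f".//{{{SAML}}}NameID")
    attrs = {}
    for attr in root.findall(f".//{{{SAML}}}Attribute"):
        value = attr.find(f"{{{SAML}}}AttributeValue")
        attrs[attr.get("Name")] = value.text if value is not None else None
    return nid.text, nid.get("Format"), attrs


def map_to_local_user(name_id, attrs, directory):
    """SP side mapping: prefer the agreed 'uid' attribute (hypothetical name),
    otherwise look the NameID email up in the SP's own user directory."""
    uid = attrs.get("uid")
    if uid is not None and uid in directory:
        return uid
    for local_name, email in directory.items():
        if email.lower() == name_id.lower():
            return local_name
    return None  # unknown subject: the SP must not create or pick a user by guessing


if __name__ == "__main__":
    # Constructed sample data for the walk-through
    idp_xml = build_saml_response("https://idp.example.com", "user1@example.com", {"uid": "user1"})
    posted_form = encode_for_http_post(idp_xml)
    name_id, fmt, attrs = sp_extract(posted_form)
    sp_directory = {"user1": "user1@example.com"}
    print(name_id, fmt, attrs, "->", map_to_local_user(name_id, attrs, sp_directory))
```

The `directory` dictionary stands in for whatever the SP already holds (an LDAP entry, a users table); the point is that the translation from the federated identifier to the local account lives on the SP side and is driven by whichever NameID format or attribute the two organizations agreed on beforehand.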