SAML terms and definitions

artifact, SAML

A SAML artifact is a short, unique reference that lets the identity provider (IDP) hand a SAML message (typically a response carrying an assertion) to the service provider (SP) by reference instead of by value. It is used in the SAML HTTP-Artifact binding: only the artifact travels through the end-user's browser, and the SP then resolves it into the actual message over a direct back channel to the IDP (ArtifactResolve/ArtifactResponse), so the assertion itself never passes through the browser.

assertion, SAML

A SAML assertion is an XML structure bearing identity information: the authenticated subject, how and when it was authenticated, optional attributes, and the conditions under which it is valid (time window, intended audience). It is issued by the SAML identity provider (IDP), normally protected with an XML digital signature and optionally encrypted, and transmitted to the SAML service provider (SP). The SP must verify the signature against the IDP's certificate before trusting any of the assertion's content.

AuthnRequest, SAML

AuthnRequests are used in the SAML single sign-on protocol. An AuthnRequest is sent by the SAML service provider (SP) to the SAML identity provider (IDP) to request that the IDP authenticate an end-user. Its ID is echoed back by the IDP in the InResponseTo attribute of the response, which is what lets the SP tie a response to a request it actually sent.

circle of trust, CoT, SAML

The term circle of trust (CoT) is used in the SAML context for a group of one or more identity providers (IDPs) and service providers (SPs) that have exchanged metadata (entity IDs, endpoints and signing certificates) and therefore accept each other's authentication information.

identity provider, IDP

An identity provider (IDP) is a service that maintains and manages identity information and provides authentication and information about users to other systems. Airlock IAM is the recommended IDP for other components of the Airlock Secure Access Hub and other services.

IDP-initiated SSO, SAML

An IDP-initiated single sign-on is a SAML sign-in flow that is triggered by the identity provider (IDP) rather than the service provider (SP): the IDP sends an unsolicited response, i.e. one without a preceding AuthnRequest and therefore without an InResponseTo attribute, to the SP. Because the SP cannot correlate such a response with a request of its own, it has to rely on the assertion's signature and validity conditions alone; many SPs accept unsolicited responses only when they are explicitly required.

RelayState, SAML

A SAML RelayState is a parameter that can be attached to a SAML request or response. It is used to transport additional state information from the SAML service provider (SP) to the SAML identity provider (IDP) and back again to the SP.

The IDP receives the RelayState parameter and returns it to the SP unchanged. The RelayState is typically used to associate the initially requested URL with the SAML sign-in process so that the SP can redirect the end-user there after login. The RelayState is not part of the signed SAML message (in the HTTP-POST binding it is a separate, unsigned form field) and the SAML 2.0 bindings limit it to 80 bytes. An SP should therefore not put a raw URL into it and redirect to whatever comes back; it should send an opaque reference to state kept on the SP side and validate that reference on return.
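The SP-side RelayState handling described above, as an added example (not Airlock's or any SAML library's code): the SP issues an opaque, single-use token as RelayState and keeps the requested URL server-side, bound to the ID of the AuthnRequest it sent, so the value that comes back from the IDP cannot be turned into an open redirect. The store class, the allowed-host list and the pending-login TTL are assumptions made for this example.

```python
import secrets
import time
from urllib.parse import urlsplit

# The SAML 2.0 Bindings spec caps RelayState at 80 bytes; the TTL for a
# pending login is a constructed value for this example.
RELAYSTATE_MAX_BYTES = 80
PENDING_TTL_SECONDS = 300


class RelayStateStore:
    """Hypothetical SP-side store (example only). Each pending login is keyed
    by an opaque RelayState token and records the URL the user originally
    requested plus the ID of the AuthnRequest sent for it. Only the token
    travels to the IDP and back."""

    def __init__(self, allowed_hosts, clock=time.time):
        self.allowed_hosts = set(allowed_hosts)
        self.clock = clock          # injectable for testing expiry
        self._pending = {}

    def is_local_url(self, url):
        """Accept only a relative path on this SP or an https URL on one of
        its own hosts, so the post-login redirect cannot leave the SP."""
        if not isinstance(url, str) or "\\" in url:   # browsers treat '\' like '/'
            return False
        parts = urlsplit(url)
        if parts.scheme == "" and parts.netloc == "":
            # "/path" is local; "//evil.example/x" is protocol-relative and not
            return url.startswith("/") and not url.startswith("//")
        return parts.scheme == "https" and parts.netloc in self.allowed_hosts

    def issue(self, requested_url, authn_request_id):
        """Called when the SP builds the AuthnRequest; returns the RelayState
        to send along. An attacker-chosen target degrades to the SP root."""
        if not self.is_local_url(requested_url):
            requested_url = "/"
        token = secrets.token_urlsafe(24)   # 32 URL-safe chars, under 80 bytes
        self._pending[token] = (requested_url, authn_request_id, self.clock())
        return token

    def redeem(self, relay_state, in_response_to):
        """Called at the assertion consumer service after the SAML response
        itself has been validated. Returns the URL to redirect to, or None if
        the RelayState is oversized, unknown, reused, expired, or was issued
        for a different AuthnRequest than the one this response answers."""
        if not isinstance(relay_state, str):
            return None
        if len(relay_state.encode("utf-8")) > RELAYSTATE_MAX_BYTES:
            return None
        entry = self._pending.pop(relay_state, None)   # single use
        if entry is None:
            return None
        url, expected_id, issued_at = entry
        if self.clock() - issued_at > PENDING_TTL_SECONDS:
            return None
        if in_response_to != expected_id:
            return None
        return url
```

Binding the token to the AuthnRequest ID means a RelayState captured from one login attempt cannot be replayed alongside a response to a different one, and keeping the URL server-side means the IDP, or anyone who can tamper with the unsigned field, never gets to choose where the user lands.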

scope, OAuth

In OAuth 2.0 and OIDC, the scope is the list of permissions a client (application) requests in order to access information stored on a resource server. The resource owner is asked to consent to these permissions, and the access token that is issued is limited to the scopes actually granted.

service provider, SP

A service provider (SP) is an entity receiving identity information from an identity provider (IDP). The term service provider is used especially in SAML. In OAuth the equivalent role is called the client, and in OIDC the relying party.

SP-initiated SSO, SAML

An SP-initiated single sign-on is a SAML sign-in flow that is triggered by the service provider (SP). When an end-user tries to access a protected resource on the SP, the SP creates an AuthnRequest and redirects the end-user's browser to the IDP for authentication. After successful authentication the IDP returns a response with an assertion to the SP's assertion consumer service, and the SP checks that the response's InResponseTo refers to an AuthnRequest it actually sent before accepting it.
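The checks an SP has to perform on the assertion it receives in the SP-initiated flow above (issuer, validity window, audience, recipient, and the InResponseTo link back to its own AuthnRequest), as an added example that is not Airlock's or any SAML library's code. The sample response, the issuer and SP URLs and the request ID are constructed for this example; the XML signature over the response is assumed to have been verified already and is not implemented here. The example also covers the failure modes a practitioner should expect: a replayed response, an expired assertion, and an unsolicited response arriving in an SP-initiated flow.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET   # use defusedxml.ElementTree for untrusted input in production

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: the response an IDP posts to the SP's assertion consumer
# service (ACS) in an SP-initiated flow, answering AuthnRequest "_req-4711".
# The XML signature element is left out; see validate_response().
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z" InResponseTo="_req-4711"
    Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req-4711"
            Recipient="https://sp.example.com/saml/acs" NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:05:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def sample_time(minutes_after_issue):
    """Clock helper for the sample: minutes after its IssueInstant."""
    return datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc) + timedelta(minutes=minutes_after_issue)


def validate_response(xml_text, expected_issuer, expected_audience, acs_url,
                      pending_request_ids, now, skew=timedelta(seconds=60)):
    """Check the claims of a response whose XML signature has ALREADY been verified
    against the IDP's metadata certificate (XML-DSig is not implemented here).
    Returns (True, name_id) on success or (False, reason) at the first failed check."""
    root = ET.fromstring(xml_text)
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if status is None or status.get("Value") != STATUS_SUCCESS:
        return False, "status is not Success"
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        return False, "expected exactly one plaintext assertion"
    a = assertions[0]
    if a.findtext(f"{{{SAML}}}Issuer") != expected_issuer:
        return False, "unexpected assertion issuer"
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None:
        return False, "missing Conditions"
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is not None and now + skew < _ts(nb):        # tolerate small clock skew
        return False, "assertion not yet valid"
    if noa is not None and now - skew >= _ts(noa):
        return False, "assertion expired"
    if expected_audience not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
        return False, "audience mismatch"              # assertion meant for another SP
    scd = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
    if scd is None or scd.get("Recipient") != acs_url:
        return False, "SubjectConfirmationData missing or Recipient is not this ACS"
    scd_noa = scd.get("NotOnOrAfter")
    if scd_noa is not None and now - skew >= _ts(scd_noa):
        return False, "subject confirmation expired"
    in_response_to = scd.get("InResponseTo")
    if in_response_to is None:
        return False, "unsolicited response (no InResponseTo) in SP-initiated flow"
    if in_response_to not in pending_request_ids:
        return False, "InResponseTo matches no pending AuthnRequest (replay or forgery)"
    pending_request_ids.discard(in_response_to)         # one response per AuthnRequest
    return True, a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


def demo():
    """Run the sample through the checks; returns scenario -> (ok, detail)."""
    kw = dict(expected_issuer="https://idp.example.com/saml",
              expected_audience="https://sp.example.com/saml/metadata",
              acs_url="https://sp.example.com/saml/acs")
    pending = {"_req-4711"}
    unsolicited = SAMPLE_RESPONSE.replace(' InResponseTo="_req-4711"', "")
    return {
        "valid": validate_response(SAMPLE_RESPONSE, pending_request_ids=pending, now=sample_time(1), **kw),
        # the same response delivered a second time: its request ID is no longer pending
        "replayed": validate_response(SAMPLE_RESPONSE, pending_request_ids=pending, now=sample_time(1), **kw),
        "expired": validate_response(SAMPLE_RESPONSE, pending_request_ids={"_req-4711"}, now=sample_time(10), **kw),
        "unsolicited": validate_response(unsolicited, pending_request_ids={"_req-4711"}, now=sample_time(1), **kw),
    }
```

Calling `demo()` returns the valid case as `(True, "alice@example.com")` and each of the other three as `(False, reason)`. The order of the checks matters less than their completeness: an assertion that is correctly signed but addressed to a different SP (audience), already consumed (InResponseTo no longer pending), or past its NotOnOrAfter must be rejected just as firmly as one with a bad signature.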

single logout (SLO), SAML

SAML single logout (SLO) is a SAML flow that allows a user to log out from all sessions established through one SAML single sign-on, i.e. the session at the IDP and the sessions at the participating SPs. It can be started from either side; the party that receives the logout request propagates it to the other session participants, each of which must support SLO and respond in turn. A participant that fails to respond can leave its session open, so SPs should additionally enforce their own session timeouts rather than rely on SLO alone.