I hope this post help clarify how SAML works. SAML is everywhere nowadays, which means it’s used a lot for many scenarios and applications. My example is with Palo Alto Global protect, but there’s not much difference when using it for something like Office365 web apps.

Service Provider (SP) – Palo Alto Networks Firewall
Identity Provider (IdP) – Okta
Application – GlobalProtect VPN App


  • A Service Provider (SP) is the entity providing the service, typically in the form of an application.
  • An Identity Provider (IdP) is the entity providing the identities, including the ability to authenticate a user. The Identity Provider typically also contains the user profile: additional information about the user such as first name, last name, job code, phone number, address, and so on. Depending on the application, some service providers may require a very simple profile (username, email), while others may require a richer set of user data (job code, department, address, location, manager, and so on).
  • A SAML Request, also known as an authentication request, is generated by the Service Provider to “request” an authentication.
  • A SAML Response is generated by the Identity Provider. It contains the actual assertion of the authenticated user. In addition, a SAML Response may contain additional information, such as user profile information and group/role information, depending on what the Service Provider can support.
  • A Service Provider Initiated (SP-initiated) sign-in describes the SAML sign-in flow when initiated by the Service Provider. This is typically triggered when the end user tries to access a resource or sign in directly on the Service Provider side, such as when the browser tries to access a protected resource on the Service Provider side.
  • An Identity Provider Initiated (IdP-initiated) sign-in describes the SAML sign-in flow initiated by the Identity Provider. Instead of the SAML flow being triggered by a redirection from the Service Provider, in this flow the Identity Provider initiates a SAML Response that is redirected to the Service Provider to assert the user’s identity.


SAML assertions are the messages exchanged between an identity provider (IdP) and service provider (SP) that confidentially identify who a user is, what pertinent information exists, and what they’re authorized or entitled to access.