Reputation: 853
I am trying to understand SAML and the IDP / SP model by following this auth0 tutorial.
https://auth0.com/docs/protocols/saml/samlsso-auth0-to-auth0
In this tutorial you create two auth0 tenants.
The first tenant (tenant 1) is the service provider, the second (tenant 2) is the identity provider.
In the section where we set up the second tenant I am having trouble understanding what is described in this line:
In this section you will configure one Auth0 tenant (tenant 2) to serve as an Identity Provider. You will do this by registering an application, but in this case, the 'application' you register is really a representation of tenant 1, the SAML Service Provider.
I'm confused about this because I thought the service provider is essentially a wrapper for all of the different applications you need to access through the IDP. So in my interpretation, I would think the application we create would exist inside the first tenant.
Would someone explain why in this example we set up the IDP to contain the application and how it is a representation of the service provider (tenant 1)?
Upvotes: 4
Views: 514
Reputation: 46773
Agree this article is somewhat confusing.
The key is "In this step, you will test your sample HTML application that uses the Auth0 SAML connection you set up in Tenant 1 to perform SSO via SAML against Tenant 2, serving as the SAML Identity Provider."
In SAML, there are two kinds of SP.
An SP can be an application so the path would be:
Application --> SAML IDP
or you can have an SP-STS (Security Token Service) i.e. an intermediate IDP acting as an SP.
Here the path is:
Application --> SAML SP --> SAML IDP
Basically, the SAML SP is just pass-through.
Normally what happens is that when you authenticate, the application redirects to the STS. You can authenticate here. However, if this STS knows that there is another STS upstream it will ask you via Home Realm Discovery which STS you want to use.
Upvotes: 3
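As an added illustration that is not part of the question, the answer or Auth0's tutorial, the following Python model walks the chained flow the answer describes (Application --> SAML SP --> SAML IDP) and shows why tenant 2 must hold a registration for tenant 1: an IdP only issues assertions to SPs it knows, and each hop checks issuer, audience and recipient before trusting what it received. All entity IDs and URLs are constructed, and messages are plain dicts rather than signed XML.

```python
from dataclasses import dataclass

# Constructed identifiers for illustration; the real tutorial uses Auth0-assigned URLs.
APP = {"entity_id": "urn:example:app", "acs": "https://app.example/saml/acs"}
TENANT1 = {"entity_id": "urn:auth0:tenant1", "acs": "https://tenant1.example/login/callback"}
TENANT2 = {"entity_id": "urn:auth0:tenant2"}

@dataclass
class Assertion:
    issuer: str      # entity that issued the assertion
    audience: str    # SP the assertion is meant for (AudienceRestriction)
    recipient: str   # ACS URL the assertion must be delivered to (SubjectConfirmationData)
    subject: str

def authn_request(issuer: str, acs: str) -> dict:
    """Minimal stand-in for a SAML AuthnRequest: who is asking and where to reply."""
    return {"issuer": issuer, "acs": acs}

def idp_issue(idp: dict, registered_sps: dict, request: dict, subject: str) -> Assertion:
    """An IdP only answers requests from SPs registered with it, and replies to the
    ACS URL on file rather than the one in the request, so an unregistered or
    tampered request cannot redirect the assertion elsewhere."""
    acs = registered_sps.get(request["issuer"])
    if acs is None:
        raise PermissionError(f"unknown SP {request['issuer']}")
    return Assertion(idp["entity_id"], request["issuer"], acs, subject)

def sp_validate(sp: dict, trusted_idp: str, a: Assertion) -> str:
    """Each hop checks issuer, audience and recipient before trusting the assertion."""
    if a.issuer != trusted_idp or a.audience != sp["entity_id"] or a.recipient != sp["acs"]:
        raise PermissionError("assertion not intended for this SP")
    return a.subject

def sso_chain(user: str) -> Assertion:
    """Application -> tenant 1 (SP) -> tenant 2 (IdP) -> tenant 1 -> application."""
    # Tenant 2 registers an "application" that is really tenant 1's SP identity.
    tenant2_registered_sps = {TENANT1["entity_id"]: TENANT1["acs"]}
    # Tenant 1 registers the real application as its own SP.
    tenant1_registered_sps = {APP["entity_id"]: APP["acs"]}
    req_from_app = authn_request(APP["entity_id"], APP["acs"])          # hop 1
    # Tenant 1's SAML connection points upstream, so it acts as an SP towards
    # tenant 2 and sends its own request there.
    req_from_t1 = authn_request(TENANT1["entity_id"], TENANT1["acs"])  # hop 2
    upstream = idp_issue(TENANT2, tenant2_registered_sps, req_from_t1, user)
    subject = sp_validate(TENANT1, TENANT2["entity_id"], upstream)     # hop 3
    # Tenant 1 now acts as IdP for the application and re-issues the assertion.
    downstream = idp_issue(TENANT1, tenant1_registered_sps, req_from_app, subject)
    sp_validate(APP, TENANT1["entity_id"], downstream)                 # hop 4
    return downstream
```

Removing tenant 1 from `tenant2_registered_sps` makes hop 2 fail with `PermissionError`, which is the concrete reason the tutorial has you register tenant 1 as an "application" inside tenant 2.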