How to Choose a GFIPM Service Provider Product

From GFIPM Implementation Wiki


This article lists the requirements for products that may be considered for use as a GFIPM Service Provider (SP). We also present the list of SP products of which we have knowledge.

An SP is responsible for managing access to applications, services, and other resources used by federation users. To do this, it relies on Identity Providers (IDP) to assert information about users, leaving the SP to manage access control and dissemination based on the trusted set of attributes it receives for each user. There can be an arbitrary number of SPs in a federation, and each SP can manage an arbitrary number of resources.

An SP manages access to protected resources based on information given to it by an IDP. To perform their respective roles, an IDP and an SP need to communicate with each other, and in GFIPM that communication uses the Security Assertion Markup Language [SAML2].

SAML was developed by the Organization for the Advancement of Structured Information Standards (OASIS) Security Services Technical Committee (SSTC). It is an XML-based framework for communicating user authentication, entitlement, and attribute information. As its name suggests, SAML allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject (an entity that is often a human user, but may be an application or system) to other entities, such as a partner company or another enterprise application.

A GFIPM SP must meet the following minimum requirements:

  • It must conform to the SAML 2.0 Web Single Sign-On (SSO) Profile [SAML2], including support for both SP-initiated SSO and IDP-initiated SSO.
  • It must be able to discover the user's IDP, by either supporting the OASIS Identity Provider Discovery Service Protocol and Profile or implementing a local IDP Discovery Service at the SP.

An SP product chosen for a GFIPM federation must meet the following minimum requirements:

  • It must be SAML 2.0-compatible.
  • It must implement the Web Single Sign-On (SSO) Profile.
  • It must support SP-initiated Web SSO.
  • It must support parsing and processing of SAML attributes containing GFIPM user metadata.

See [GFIPM U2S Profile] for a thorough, normative specification of the technical requirements that a GFIPM SP must meet.
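As an added illustration of the last requirement above (this is example code, not code from the wiki or from the GFIPM project), the checks an SP performs on a received SAML assertion before it trusts the attributes inside: the issuer must be a federation IDP, the assertion must be inside its validity window and addressed to this SP, and only then are the attribute values extracted for access-control decisions. The entityIDs, attribute names and the assertion itself are constructed placeholders, and XML Signature verification against the IDP's federation-published certificate is assumed to have happened before this step.

```python
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in production
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}  # SAML 2.0 assertion namespace

# Constructed placeholders: not real federation entityIDs or GFIPM attribute URIs.
SP_ENTITY_ID = "https://sp.example.org/sp"
TRUSTED_IDPS = {"https://idp.example.org/idp"}  # entityIDs taken from federation metadata

# Constructed sample assertion. Its XML Signature is assumed to have been verified
# against the IDP's federation-published certificate before this step.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T11:58:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:gfipm-placeholder:EmployerName"><saml:AttributeValue>Example County Sheriff</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:example:gfipm-placeholder:CertificationIndicator"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _utc(stamp):
    """Parse the SAML xs:dateTime form 'YYYY-MM-DDTHH:MM:SSZ' as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def extract_gfipm_attributes(assertion_xml, now_utc, sp_entity_id=SP_ENTITY_ID, trusted=TRUSTED_IDPS):
    """Reject untrusted, stale or misaddressed assertions; otherwise return {attribute name: [values]}."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted:
        raise ValueError(f"issuer not in federation trust list: {issuer}")
    cond = root.find("saml:Conditions", NS)
    now = _utc(now_utc)
    # NotBefore is inclusive, NotOnOrAfter is exclusive (SAML 2.0 core).
    if cond is None or not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if sp_entity_id not in audiences:
        raise ValueError("assertion not addressed to this SP")
    return {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
            for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)}

def assertion_accepted(assertion_xml, now_utc):
    """True if the SP would accept the assertion; False if any check above fails."""
    try:
        extract_gfipm_attributes(assertion_xml, now_utc)
        return True
    except ValueError:
        return False
```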

The following is a non-exhaustive list of products that provide SAML-based Service Provider capabilities. You should evaluate these and other products to determine which product best meets your needs within your budget.

