SAML Producer Consumer Model

Each type of security information that SAML can express could be generated by a different authority. The conceptual model for SAML defines three separate authorities: an authentication authority, an attribute authority, and an authorization authority (the policy decision point, or PDP).

Figure 4 is a high-level diagram produced by the OASIS working group that illustrates the flow of information between these different authorities. Taken as a whole, the separate authorities can work together to provide a complete security infrastructure.

Figure 4
Information Flow Between Authorities

The model shows only a conceptual view of how a system could be put together. None of the three authorities is independent; each relies on other parts of the system to do its job. The authentication authority requires a credentials collector to provide it with authentication information. This could come in the form of a password login, a smart card, a biometric, or a SAML authentication assertion produced by another authentication authority. The attribute authority relies on the authentication authority to provide it with authentication information so that it can retrieve attributes for the appropriate entity or user; the attribute authority must know that the entity requesting the attribute has been authenticated to the system. The authorization authority, or PDP, relies upon both authentication and attribute information in order to make its authorization decisions. The authorities are distinct and separate entities. Each part of the system has a different role, yet they could all be contained in a single service.
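The dependency chain described above, as an added example that is not from the original page or from the OASIS working group: a constructed Python simulation in which the authentication authority turns collected credentials into an assertion, the attribute authority refuses to release attributes unless that assertion is valid and from a trusted issuer, and the PDP decides from both. The issuer name, users, passwords, attributes, lifetime and policy are all made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set
# Constructed stand-ins for SAML assertions and the three authorities (not real SAML XML).
@dataclass
class AuthnAssertion:
    subject: str
    issuer: str
    issued_at: float
    def is_valid(self, now: float, trusted: Set[str]) -> bool:
        # Accept only trusted issuers and assertions younger than 300 s (constructed lifetime).
        return self.issuer in trusted and now < self.issued_at + 300.0

class AuthenticationAuthority:  # consumes collected credentials, produces assertions
    def __init__(self, name: str, passwords: Dict[str, str]):
        self.name, self._passwords = name, passwords  # constructed credential store
    def authenticate(self, user: str, password: str, now: float) -> Optional[AuthnAssertion]:
        if self._passwords.get(user) != password:
            return None  # a failed login produces no assertion at all
        return AuthnAssertion(subject=user, issuer=self.name, issued_at=now)

class AttributeAuthority:  # releases attributes only for authenticated subjects
    def __init__(self, attrs: Dict[str, Dict[str, str]], trusted: Set[str]):
        self._attrs, self._trusted = attrs, trusted
    def query(self, assertion: AuthnAssertion, now: float) -> Dict[str, str]:
        if not assertion.is_valid(now, self._trusted):
            raise PermissionError("attribute query without a valid authentication assertion")
        return dict(self._attrs.get(assertion.subject, {}))

class PolicyDecisionPoint:  # combines authentication and attribute information
    def __init__(self, aa: AttributeAuthority, trusted: Set[str]):
        self._aa, self._trusted = aa, trusted
    def decide(self, assertion: Optional[AuthnAssertion], resource: str, now: float) -> str:
        if assertion is None or not assertion.is_valid(now, self._trusted):
            return "Deny"  # no usable authentication information: never consult attributes
        attrs = self._aa.query(assertion, now)
        # Constructed policy: anything under /finance/ requires department == finance.
        ok = not resource.startswith("/finance/") or attrs.get("department") == "finance"
        return "Permit" if ok else "Deny"

def run_scenario(now: float = 1_700_000_000.0) -> Dict[str, str]:
    authn = AuthenticationAuthority("idp.example", {"alice": "correct horse", "bob": "hunter2"})
    aa = AttributeAuthority({"alice": {"department": "finance"}, "bob": {"department": "sales"}}, {"idp.example"})
    pdp = PolicyDecisionPoint(aa, {"idp.example"})
    alice = authn.authenticate("alice", "correct horse", now)
    return {
        "alice": pdp.decide(alice, "/finance/report", now),
        "bob": pdp.decide(authn.authenticate("bob", "hunter2", now), "/finance/report", now),
        "bad_password": pdp.decide(authn.authenticate("alice", "wrong", now), "/finance/report", now),
        "expired": pdp.decide(alice, "/finance/report", now + 3600),
    }
```

The four cases in run_scenario show each link in the chain failing or succeeding separately: a wrong password yields no assertion, a stale assertion is rejected before attributes are consulted, and an authenticated user with the wrong attribute is still denied.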