Each different type of security information that SAML can express could be generated by a different authority. The conceptual model for SAML defines three separate authorities:
Authentication Authority: Produces authentication information.
Attribute Authority: Provides attribute information, and is analogous to the XACML PIP.
Authorization Authority or Policy Decision Point (PDP): Provides authorization decision information and is analogous to the XACML PDP.
Figure 4 is a high-level diagram produced by the OASIS working group that illustrates the flow of information between these different authorities. Taken as a whole, the separate authorities can work together to provide a complete security infrastructure.
Figure 4
The model shows only a conceptual view of how a system could be put together. None of the three authorities is independent; each relies on other parts of the system to do its job. The authentication authority requires a credentials collector to provide it with authentication information. This could come in the form of a password login, a smart card, a biometric, or a SAML authentication assertion produced by another authentication authority. The attribute authority relies on the authentication authority to provide it with authentication information so that it can retrieve attributes for the appropriate entity or user; it must know that the entity requesting the attribute has been authenticated to the system. The authorization authority or PDP relies upon both authentication and attribute information in order to make its authorization decisions. The authorities are distinct and separate entities: each has a different role, yet they could all be contained in a single service.
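As an added illustration of these dependencies (not part of the original article or the OASIS model), the following Python simulation chains the three authorities so that the attribute authority and the PDP act only on an authentication assertion they can verify. The shared-secret HMAC standing in for an XML signature, the password and attribute stores, and the one-line policy are all constructed for the demo.

```python
import hashlib, hmac, json
from dataclasses import dataclass
# Constructed demo secret shared by the authorities; a real SAML deployment
# verifies an XML signature on the assertion instead of an HMAC.
AUTHN_KEY = b"demo-authentication-authority-key"

def _tag(subject, method):
    # Integrity tag binding the subject to how it was authenticated
    payload = json.dumps({"subject": subject, "method": method}, sort_keys=True)
    return hmac.new(AUTHN_KEY, payload.encode(), hashlib.sha256).hexdigest()

@dataclass(frozen=True)
class AuthnAssertion:
    subject: str
    method: str
    mac: str
    def is_valid(self):
        return hmac.compare_digest(_tag(self.subject, self.method), self.mac)

class AuthenticationAuthority:
    """Turns credentials from a collector into an authentication assertion."""
    def __init__(self, passwords):
        self._passwords = passwords  # constructed password store
    def authenticate(self, user, password):
        if self._passwords.get(user) != password:
            return None  # bad credentials from the collector: no assertion
        return AuthnAssertion(user, "password", _tag(user, "password"))

class AttributeAuthority:
    """PIP analogue: releases attributes only for an authenticated subject."""
    def __init__(self, attributes):
        self._attributes = attributes  # constructed attribute store
    def attributes_for(self, assertion):
        if assertion is None or not assertion.is_valid():
            return None  # will not act without a verifiable assertion
        return self._attributes.get(assertion.subject, {})

class PolicyDecisionPoint:
    """PDP: combines authentication and attribute information into a decision."""
    def __init__(self, policy):
        self._policy = policy  # resource -> role required to access it
    def decide(self, assertion, attributes, resource):
        if assertion is None or not assertion.is_valid() or attributes is None:
            return "Deny"
        return "Permit" if self._policy.get(resource) in attributes.get("roles", []) else "Deny"

def run_flow(user, password, resource):
    # Credentials -> authentication assertion -> attributes -> decision
    authn = AuthenticationAuthority({"alice": "correct horse", "bob": "hunter2"})
    attr = AttributeAuthority({"alice": {"roles": ["hr"]}, "bob": {"roles": ["staff"]}})
    pdp = PolicyDecisionPoint({"payroll": "hr"})
    assertion = authn.authenticate(user, password)
    return pdp.decide(assertion, attr.attributes_for(assertion), resource)
```

A tampered or fabricated assertion fails `is_valid()`, so the attribute authority returns nothing and the PDP denies, which is the dependency the text describes.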