I’m researching SSO technologies, particularly SAML 2.0, and I see there are operational modes for IdP, IdP Lite, SP, and SP Lite. The only reference I can find to these “lite” modes is in the conformance portion of the SAML 2.0 spec.
Is the only difference between the full version and the lite version that the “lite” version is a subset of the full? What are the key features that one would be missing if they went with the lite version?
IdP Lite and SP Lite are indeed a subset of IdP and SP.
The main difference is lack of support for “Managed Name Identifiers” (sometimes referred to as “persistent identifiers”). They are anonymous IDs that are dynamically created and agreed upon between IdP and SP for user identification. There is a set of messages dedicated to establishing these identifiers, maintaining them and revoking them. See Section 3.6 in SAML 2.0 core – the NameID format is “urn:oasis:names:tc:SAML:2.0:nameid-format:persistent”.
Many SAML 2 deployments don’t leverage them – so simplifying it conformance-wise makes a lot of sense.
Some other less used parts of “full” conformance (like unusual bindings such as SLO over SOAP) have also been made OPTIONAL.
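To make the distinction concrete, here is an added example (not from the answer above or from any SAML library) that scans a SAML message for the two signals the answer names as full-profile features: a Subject NameID in the persistent format, and a Name Identifier Management protocol message (ManageNameIDRequest/Response, SAML core 3.6). The sample messages, entity IDs and identifier values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample: an assertion carrying a persistent (managed) NameID.
ASSERTION_PERSISTENT = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1"
    Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{PERSISTENT}" NameQualifier="https://idp.example.org"
        SPNameQualifier="https://sp.example.com">a6f1c0d9e2b44e3f</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed sample: the same deployment using a one-time transient NameID.
ASSERTION_TRANSIENT = ASSERTION_PERSISTENT.replace(PERSISTENT, TRANSIENT)

# Constructed sample: an SP asking the IdP to revoke the persistent identifier.
MANAGE_NAMEID_REQUEST = f"""<samlp:ManageNameIDRequest xmlns:samlp="{SAMLP_NS}"
    xmlns:saml="{SAML_NS}" ID="_m1" Version="2.0" IssueInstant="2024-01-02T00:00:00Z">
  <saml:Issuer>https://sp.example.com</saml:Issuer>
  <saml:NameID Format="{PERSISTENT}"
      SPNameQualifier="https://sp.example.com">a6f1c0d9e2b44e3f</saml:NameID>
  <samlp:Terminate/>
</samlp:ManageNameIDRequest>"""


def nameid_formats(xml_text):
    """Return the Format attribute of every saml:NameID in the message."""
    root = ET.fromstring(xml_text)
    return [el.get("Format") for el in root.iter(f"{{{SAML_NS}}}NameID")]


def full_profile_features(xml_text):
    """List the features in this message that the Lite profiles do not cover.

    Two signals, taken from the answer above: a Name Identifier Management
    protocol message, and a NameID in the persistent (managed) format.
    """
    root = ET.fromstring(xml_text)
    local_name = root.tag.rsplit("}", 1)[-1]  # strip the namespace prefix
    features = []
    if local_name in ("ManageNameIDRequest", "ManageNameIDResponse"):
        features.append("name-identifier-management-message")
    if PERSISTENT in nameid_formats(xml_text):
        features.append("persistent-nameid")
    return features
```

Run it over captured assertions and protocol messages from a federation you are evaluating: an empty list for every message is evidence that an IdP Lite or SP Lite implementation would suffice.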