* caoyili...@gmail.com <caoyili...@gmail.com> [2017-10-11 11:12]:
> If I now want to integrate authentication into my own application,
> what should I do if I need to build a separate server as an SP, my
> own application as an IDP?
"IDP" is where people enter their credentials (commonly username and
password, possibly more). You don't want people to enter their
credentials into each service they're using because (1) it's tedious
for users (you can't get SSO), but more importantly (2) each
application then has to be fully trusted to impersonate the user to
any other service (since each application gets the literal username
and password from the user; also storing passwords securely is
rather difficult, judging from the frequency and number of passwords
that get copied/leaked/stolen/etc. from services operating with
multi-million dollar budgets).
So a service (your application) is a service, in SAML terms a Service
Provider. Which leaves the IDP (Identity Provider) role to that system
that securely performs authentication and asserts correct and
up-to-date data about the user to the service.
So your service becomes a SAML SP, as per the documentation.
It's easiest to build a new IDP as a separate "application" so no,
your application will not be the IDP.
It may be possible to "turn" an application "into an IDP", but it may
not be a good idea, or may be difficult. An IDP could also "re-use" an
application's database as a user store and possibly authentication
mechanism. That would not make the application "the IDP" (only its
data source, and possibly its registration or user management UI), but
it would blur the lines somewhat.
-peter
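The separation of roles Peter describes (the IdP alone handles credentials; the SP only consumes a signed, audience-scoped, time-limited assertion) can be shown in a few dozen lines. The following is an added example written for this edit, not code from the thread, Shibboleth or any SAML library: it uses a JSON structure signed with Ed25519 as a deliberately simplified stand-in for a SAML assertion (real SAML uses signed XML and exchanges keys via metadata), a toy SHA-256 user store standing in for a real password hash, and constructed names such as `alice` and `https://app.example/sp`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is a constructed, simplified stand-in for a SAML assertion
// (real SAML carries this as signed XML with many more fields).
type Assertion struct {
	Subject  string    `json:"subject"`
	Audience string    `json:"audience"` // entityID of the SP the assertion is for
	IssuedAt time.Time `json:"issued_at"`
	NotAfter time.Time `json:"not_after"`
}

// IdP owns the user store and the signing key: it is the only party that
// ever handles a password. (Toy store: sha256 of the password; a real IdP
// would use a slow, salted password hash.)
type IdP struct {
	users map[string][32]byte
	priv  ed25519.PrivateKey
	pub   ed25519.PublicKey
}

func NewIdP() (*IdP, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdP{users: map[string][32]byte{}, priv: priv, pub: pub}, nil
}

func (i *IdP) Register(user, password string) {
	i.users[user] = sha256.Sum256([]byte(password))
}

// Authenticate checks the credentials and, on success, issues a signed
// assertion scoped to one SP (audience) with a short validity window.
func (i *IdP) Authenticate(user, password, audience string, now time.Time) (payload, sig []byte, err error) {
	stored, ok := i.users[user]
	presented := sha256.Sum256([]byte(password))
	if !ok || subtle.ConstantTimeCompare(stored[:], presented[:]) != 1 {
		return nil, nil, errors.New("authentication failed")
	}
	a := Assertion{Subject: user, Audience: audience, IssuedAt: now, NotAfter: now.Add(5 * time.Minute)}
	if payload, err = json.Marshal(a); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(i.priv, payload), nil
}

// SP never sees credentials; it trusts the IdP's public key (in SAML this
// arrives via metadata exchanged out of band) and validates each assertion.
type SP struct {
	entityID string
	idpPub   ed25519.PublicKey
}

// Consume validates signature, audience and validity window before it
// accepts the asserted subject as the logged-in user.
func (s *SP) Consume(payload, sig []byte, now time.Time) (string, error) {
	if !ed25519.Verify(s.idpPub, payload, sig) {
		return "", errors.New("signature invalid: not issued by the trusted IdP")
	}
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return "", err
	}
	if a.Audience != s.entityID {
		return "", errors.New("assertion was issued for a different SP")
	}
	if now.Before(a.IssuedAt) || now.After(a.NotAfter) {
		return "", errors.New("assertion outside its validity window")
	}
	return a.Subject, nil
}

func main() {
	idp, err := NewIdP()
	if err != nil {
		panic(err)
	}
	idp.Register("alice", "correct horse battery staple") // constructed sample user
	sp := &SP{entityID: "https://app.example/sp", idpPub: idp.pub}
	now := time.Now()
	payload, sig, err := idp.Authenticate("alice", "correct horse battery staple", sp.entityID, now)
	if err != nil {
		panic(err)
	}
	subject, err := sp.Consume(payload, sig, now.Add(time.Minute))
	fmt.Println(subject, err) // alice <nil>
}
```

The point the thread makes falls out of the code: the SP type has no password field and no user store at all, so compromising the application yields no credentials usable against other services, while the audience and validity checks stop an assertion issued for one SP from being replayed against another or reused indefinitely.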