The SAML specification defines three roles:
The principal (typically a user)
The Identity Provider (IdP)
The Service Provider (SP)
In the use case addressed by SAML, the principal requests a service from the service provider. The service provider requests and obtains an identity assertion from the identity provider. On the basis of this assertion, the service provider can make an access control decision; in other words, it can decide whether to perform some service for the connected principal.