How does processing a SAML assertion work?

I need to be the service provider in a SAML solution and want to know how the processing of assertions work. I could not find the answer here.

I imagine the assertion would say something like: "I'm John Doe, My ID is: 999"? Do i need an User list that is "in Syn开发者_JAVA技巧c" with the identity provider? Do i need an Access Control list has the same ID's as the SAML Assertions?

Scenario: I have a database with ACL's. I will be the Service Provider while a remote 3rd party system will be the identity provider.

I don't understand how a remote system would know what users i have in my Access Control lists to be able to authorize anyone.

The mapping between user ids at the IdP and users at the SP is not covered by the SAML spec itself. I'd suggest you look at section 5.4, "Establishing and Managing Federated Identities", in SAMLOverview. That should help you determine the most appropriate approach for your scenario.

For the system I work on (which serves as SP for multiple clients/IdPs), we have a mechanism by which clients can associate their own identifiers with users on our system; this mechanism is outside of the SAML implementation. When clients send us SAML assertions, we expect those assertions to identify users using those identifiers (as well as identifying the client themselves using another shared identifier).