In SAML 2.0, what's the difference between IdP and IdP Lite (light) as well as SP and SP Lite?

StackOverflow https://stackoverflow.com/questions/9487062

14-11-2019

Question

I'm researching SSO technologies, particularly SAML 2.0, and I see there are operational modes for IdP, IdP Lite, SP, and SP Lite. The only reference I can find to these "lite" modes is in the conformance portion of the SAML 2.0 spec.

Is the only difference between the full version and the light version that the "lite" version is a subset of the full? What are the key features that one would be missing if they went with the lite version?


Solution

IdP Lite and SP Lite are indeed a subset of IdP and SP.

The main difference is lack of support for "Managed Name Identifiers" (sometimes referred to as "persistent identifiers"). They are anonymous IDs that are dynamically created and agreed upon between IdP and SP for user identification. There are a set of messages dedicated to establishing these identifiers, maintaining them and revoking them. See Section 3.6 in SAML 2.0 core - the NameID format is "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent".

Many SAML 2 deployments don't leverage them - so simplifying it conformance-wise makes a lot of sense.

Some other less used parts of "full" conformance (like unusual bindings such as SLO over SOAP) have also been made OPTIONAL.
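To make the "Managed Name Identifiers" point concrete, here is an added Python example (not part of the answer above, and not any SAML library's code) that inspects two kinds of message an SP may receive: a Response whose subject carries a persistent NameID, and a ManageNameIDRequest of the kind defined in SAML 2.0 core section 3.6, which is the protocol a full SP must support and an SP Lite need not. The three sample messages are constructed for this example, with signatures and most other elements omitted; the issuer and SP URLs are placeholders. It uses the standard library parser on trusted, constructed input only; on real input you would verify the XML signature first and prefer a hardened parser such as defusedxml.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by assertion and protocol elements.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# NameID formats defined in SAML 2.0 core (section 8.3).
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample messages (not captured from any real IdP). The identifier
# value and the example.test hostnames are placeholders.
SAMPLE_PERSISTENT = f"""
<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{PERSISTENT}"
                   NameQualifier="https://idp.example.test"
                   SPNameQualifier="https://sp.example.test">a1b2c3-opaque-pairwise-id</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""

SAMPLE_EMAIL = f"""
<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL}">alice@example.test</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""

# A ManageNameIDRequest asking the SP to terminate (revoke) a persistent identifier.
SAMPLE_MANAGE = f"""
<samlp:ManageNameIDRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
                           ID="_m1" Version="2.0" IssueInstant="2019-11-14T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:NameID Format="{PERSISTENT}" SPNameQualifier="https://sp.example.test">a1b2c3-opaque-pairwise-id</saml:NameID>
  <samlp:Terminate/>
</samlp:ManageNameIDRequest>
"""


def extract_name_id(xml_text):
    """Return the subject NameID of the single Assertion in a Response.

    Exactly one Assertion/Subject/NameID is required so the caller never acts
    on an ambiguous message that carries more than one subject.
    """
    root = ET.fromstring(xml_text)
    nodes = root.findall("saml:Assertion/saml:Subject/saml:NameID", NS)
    if len(nodes) != 1:
        raise ValueError(f"expected exactly one subject NameID, found {len(nodes)}")
    node = nodes[0]
    return {
        "value": (node.text or "").strip(),
        # A NameID without a Format attribute is 'unspecified' per the spec.
        "format": node.get("Format", UNSPECIFIED),
        "name_qualifier": node.get("NameQualifier"),
        "sp_name_qualifier": node.get("SPNameQualifier"),
    }


def is_persistent_identifier(name_id):
    """True when the IdP issued a persistent (pairwise, opaque) identifier,
    i.e. the kind that the Manage NameID protocol exists to maintain."""
    return name_id["format"] == PERSISTENT


def is_manage_name_id_request(xml_text):
    """True when the message is a samlp:ManageNameIDRequest (SAML core 3.6)."""
    root = ET.fromstring(xml_text)
    return root.tag == "{%s}ManageNameIDRequest" % NS["samlp"]


def classify(xml_text):
    """Say which SP capability a message exercises: 'manage-nameid' is a full SP
    feature that SP Lite is not required to implement; 'persistent' and 'other'
    are ordinary subject identifiers any SP can consume."""
    if is_manage_name_id_request(xml_text):
        return "manage-nameid"
    name_id = extract_name_id(xml_text)
    return "persistent" if is_persistent_identifier(name_id) else "other"


if __name__ == "__main__":
    for label, msg in [("persistent", SAMPLE_PERSISTENT), ("email", SAMPLE_EMAIL), ("manage", SAMPLE_MANAGE)]:
        print(label, "->", classify(msg))
```

An SP Lite implementation that receives the ManageNameIDRequest above can legitimately decline to process it, whereas a full SP is expected to update or delete its stored pairwise identifier; the persistent NameID in the Response, by contrast, is an ordinary subject identifier that either profile consumes, and an SP should key its local account mapping on the value together with the NameQualifier and SPNameQualifier rather than on the value alone.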

Other tips

A somewhat more cynical answer: there were a lot of arguments over what features to toss out and still be able to claim conformance, and there was very little experience with what features were important or not. The conformance spec from 2005 is a very old set of views on that question, and it doesn't bear much connection to reality in 2012. Some features that were "required" are never used, and some that were optional are critical in a robust implementation that has to scale well (metadata is a good example).

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow