Rails app as SAML Identity Provider?

We're looking at having our Rails-app clients be able to use a
SalesForce application and we're aiming for a single sign-on solution.

SalesForce supports single sign-on via SAML. I've spent a couple of days
reviewing SAML documentation and it's about as clear as mud.

From what I gather, there are Service Providers (applications in
non-SAML speak) and Identity Providers. When a service wants to
authenticate a user, it sends a request to the identity provider, which
responds with a digitally-signed XML file.

What's tripping me up, I think, is the Identity Provider. Currently,
our clients sign in to our site through our login screen. We store the
login/security details in our database. There's no Active Directory/
OpenSSO/etc. acting as an external Identity Provider.

But can't my Rails app work as the identity provider? I'd just set up
a controller to handle the authentication requests from SalesForce. It
would approve/deny the request and then send back the appropriate XML
file.

That seems simple to me. Almost too simple, which is why I think I'm
overlooking something. All the SAML documentation I've come across
talks about the IP as an external system, which makes me think it's
doing something special that I'm unaware of.

Ian wrote in post #965690:

> We're looking at having our Rails-app clients be able to use a
> SalesForce application and we're aiming for a single sign-on solution.
>
> SalesForce supports single sign-on via SAML. I've spent a couple of days
> reviewing SAML documentation and it's about as clear as mud.
>
> From what I gather, there are Service Providers (applications in
> non-SAML speak) and Identity Providers. When a service wants to
> authenticate a user, it sends a request to the identity provider, which
> responds with a digitally-signed XML file.
>
> [...]
>
> But can't my Rails app work as the identity provider? I'd just set up
> a controller to handle the authentication requests from SalesForce. It
> would approve/deny the request and then send back the appropriate XML
> file.

I don't know anything about SAML, but based on what you've so far
explained, this seems entirely reasonable.

> That seems simple to me. Almost too simple, which is why I think I'm
> overlooking something. All the SAML documentation I've come across
> talks about the IP as an external system, which makes me think it's
> doing something special that I'm unaware of.

The IP *is* an external system -- external to the SalesForce
application.

Best,
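As an added illustration that is not code from this thread, here is a stdlib-only Ruby sketch of the two halves the question describes: the identity-provider side that issues a signed assertion after the app's own login check has passed, and the checks the service-provider side has to perform before trusting it (signature, audience, validity window). The IdP key, entity IDs and user are constructed placeholders. The signature is a detached RSA-SHA256 over the serialized assertion bytes, not the enveloped XML-DSig with exclusive canonicalization that real SAML requires; a production Rails IdP would get that from a library such as the saml_idp gem rather than hand-rolling it.

```ruby
require "openssl"
require "base64"
require "securerandom"
require "time"
require "rexml/document"

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed for this sketch: a real IdP loads a long-lived key and
# publishes the matching certificate in its metadata for SPs to trust.
IDP_KEY     = OpenSSL::PKey::RSA.new(2048)
IDP_ISSUER  = "https://idp.example.com/saml"        # assumed IdP entity ID
SP_AUDIENCE = "https://sp.example.com/saml"         # assumed SP entity ID

# IdP side: build the assertion for a user the Rails app has already
# authenticated against its own users table. Short lifetime and an
# audience restriction are what stop a captured assertion being replayed
# elsewhere or later.
def build_assertion(name_id:, issuer: IDP_ISSUER, audience: SP_AUDIENCE,
                    now: Time.now.utc, lifetime: 300)
  doc = REXML::Document.new
  a = doc.add_element("saml:Assertion",
                      "xmlns:saml" => SAML_NS,
                      "ID" => "_" + SecureRandom.hex(16),
                      "Version" => "2.0",
                      "IssueInstant" => now.iso8601)
  a.add_element("saml:Issuer").text = issuer
  subject = a.add_element("saml:Subject")
  subject.add_element("saml:NameID",
                      "Format" => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
         .text = name_id
  cond = a.add_element("saml:Conditions",
                       "NotBefore" => now.iso8601,
                       "NotOnOrAfter" => (now + lifetime).iso8601)
  cond.add_element("saml:AudienceRestriction")
      .add_element("saml:Audience").text = audience
  doc.to_s
end

# IdP side: sign the assertion. Simplification: a detached signature over
# the exact bytes instead of an enveloped XML-DSig; the SP must verify
# precisely these bytes.
def issue_assertion(name_id:, **opts)
  xml = build_assertion(name_id: name_id, **opts)
  sig = IDP_KEY.sign(OpenSSL::Digest.new("SHA256"), xml)
  { xml: xml, signature: Base64.strict_encode64(sig) }
end

# SP side: the checks that make the "external" IdP trustworthy. Returns
# [true, name_id] on success or [false, reason] on the first failed check.
def verify_assertion(token, idp_public_key:, expected_audience:, now: Time.now.utc)
  xml = token[:xml]
  sig = Base64.strict_decode64(token[:signature])
  # 1. Signature first: nothing inside the XML is trusted before this passes.
  unless idp_public_key.verify(OpenSSL::Digest.new("SHA256"), sig, xml)
    return [false, "bad signature"]
  end
  doc = REXML::Document.new(xml)
  ns  = { "saml" => SAML_NS }
  # 2. Audience: an assertion issued for another SP must not be accepted here.
  audience = REXML::XPath.first(doc, "//saml:Audience", ns)&.text
  return [false, "audience mismatch"] unless audience == expected_audience
  # 3. Validity window, using the IdP's own NotBefore/NotOnOrAfter.
  cond = REXML::XPath.first(doc, "//saml:Conditions", ns)
  return [false, "missing conditions"] unless cond
  not_before = Time.iso8601(cond.attributes["NotBefore"])
  not_after  = Time.iso8601(cond.attributes["NotOnOrAfter"])
  return [false, "not yet valid"] if now < not_before
  return [false, "expired"]       if now >= not_after
  [true, REXML::XPath.first(doc, "//saml:NameID", ns).text]
end
```

In a Rails app the issuing half would sit in a controller action behind the existing session check, and the signed result would be base64-encoded into a SAMLResponse form field auto-posted to the SP's assertion consumer URL; the verifying half is what SalesForce does with it, which is why the questioner's plan works and why the key and clock on the IdP side matter.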