SAML 2.0 Assertions

An important type of SAML assertion is the so-called "bearer" assertion used to facilitate Web Browser SSO. Here is an example of a short-lived bearer assertion issued by an identity provider (https://idp.example.org/SAML2) to a service provider (https://sp.example.com/SAML2). The assertion includes both a <saml:AuthnStatement> and a <saml:AttributeStatement>, which presumably the service provider uses to make an access control decision. The prefix saml: represents the SAML V2.0 assertion namespace.

https://idp.example.org/SAML2 ... 3f7b3dcf-1674-4ecd-92c8-1544f346baf8 https://sp.example.com/SAML2 urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport member staff

Note that the <saml:Assertion> element contains the following child elements:

  • a <saml:Issuer> element, which contains the unique identifier of the identity provider
  • a <ds:Signature> element, which contains an integrity-preserving digital signature (not shown) over the <saml:Assertion> element
  • a <saml:Subject> element, which identifies the authenticated principal (but in this case the identity of the principal is hidden behind an opaque transient identifier, for reasons of privacy)
  • a <saml:Conditions> element, which gives the conditions under which the assertion is to be considered valid
  • a <saml:AuthnStatement> element, which describes the act of authentication at the identity provider
  • a <saml:AttributeStatement> element, which asserts a multi-valued attribute associated with the authenticated principal

In words, the assertion encodes the following information:

The assertion ("b07b804c-7c29-ea16-7300-4f3d6f7928ac") was issued at time "2004-12-05T09:22:05Z" by identity provider (https://idp.example.org/SAML2) regarding subject (3f7b3dcf-1674-4ecd-92c8-1544f346baf8) exclusively for service provider (https://sp.example.com/SAML2).

The authentication statement, in particular, asserts the following:

The principal identified in the <saml:Subject> element was authenticated at time "2004-12-05T09:22:00" by means of a password sent over a protected channel.

Likewise the attribute statement asserts that

The principal identified in the <saml:Subject> element is a staff member at this institution.
