Saturday, November 10, 2007

Note to self for use as a reference...

SAML 2 Assertion Syntax

SAML assertions have no dependencies on and can be used independently of the SAML Protocol. SAML 2.0 defines three types of assertion statements:

  1. Authentication:- The assertion subject was authenticated by a particular means at a particular time.
  2. Authorization Decision:- A request to allow the assertion subject to access the specified resource has been granted or denied.
  3. Attribute:- The assertion subject is associated with the supplied attributes.

<Issuer> (Required):- The SAML authority that is making the claim(s) in the assertion.

<Signature> (Optional):- An XML Signature that protects the integrity of and authenticates the issuer of the assertion.

<Subject> (Optional):- The subject of the statement(s) in the assertion.

<Conditions> (Optional):- Conditions that MUST be evaluated when assessing the validity of and/or when using the assertion.

<Advice> (Optional):- Additional information related to the assertion that assists processing in certain situations but which MAY be ignored by applications that do not understand the advice or do not wish to make use of it.

Zero or more of the following statement elements:

  • <Statement>
  • <AuthnStatement>:- An authentication statement.
  • <AuthzDecisionStatement>:- An authorization decision statement.
  • <AttributeStatement>:- An attribute statement.

An assertion with no statements MUST contain a <Subject> element. Such an assertion identifies a principal in a manner which can be referenced or confirmed using SAML methods, but asserts no further information associated with that principal.

Otherwise <Subject>, if present, identifies the subject of all of the statements in the assertion. If <Subject> is omitted, then the statements in the assertion apply to a subject or subjects identified in an application- or profile-specific manner. SAML itself defines no such statements, and an assertion without a subject has no defined meaning in this specification.

<Version> (Required):- Version of the assertion. "2.0" for SAML 2.0.

<ID> (Required):- The identifier for this assertion.

<IssueInstant> (Required):- The time instant in UTC.
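The rules above can be checked mechanically before an assertion is trusted. The following is an added example written for this note, not code from the blog or from the OASIS specification: a small structural validator using only the Python standard library (xml.etree.ElementTree). It checks the required Issuer element; the Version, ID and IssueInstant values (which SAML 2.0 Core defines as attributes of <Assertion>); the rule that an assertion with no statements must carry a <Subject>; and the NotBefore / NotOnOrAfter window of <Conditions>. It only reports whether a <Signature> is present; verifying the XML Signature itself needs a full XML-DSig implementation and is out of scope here. The sample assertion, its issuer, ID and timestamps are all constructed for the example.

```python
"""Structural checks for a SAML 2.0 <Assertion> (added example, not from the
blog or the OASIS spec).  Structure only: the XML Signature is not verified."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def _q(local, ns=SAML_NS):
    """Fully qualified tag name in ElementTree's {namespace}local form."""
    return "{%s}%s" % (ns, local)


# The four statement element kinds listed in SAML 2.0 Core.
STATEMENT_TAGS = {_q("Statement"), _q("AuthnStatement"),
                  _q("AuthzDecisionStatement"), _q("AttributeStatement")}


def _parse_instant(value):
    """Parse an xs:dateTime in UTC (e.g. 2007-11-10T21:21:00Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def validate_assertion(xml_text, now_iso):
    """Return a list of problems; an empty list means the assertion passes the
    structural rules and `now_iso` (an xs:dateTime string) lies inside its
    <Conditions> window."""
    problems = []
    now = _parse_instant(now_iso)
    root = ET.fromstring(xml_text)
    if root.tag != _q("Assertion"):
        return ["root element is not saml:Assertion"]

    # Version, ID and IssueInstant are required attributes of <Assertion>.
    if root.get("Version") != "2.0":
        problems.append("Version must be '2.0'")
    if not root.get("ID"):
        problems.append("ID attribute is required")
    issue_instant = root.get("IssueInstant")
    if not issue_instant:
        problems.append("IssueInstant attribute is required")
    else:
        try:
            _parse_instant(issue_instant)
        except ValueError:
            problems.append("IssueInstant is not a valid UTC xs:dateTime")

    # <Issuer> is required and is the first child element of <Assertion>.
    children = list(root)
    if (not children or children[0].tag != _q("Issuer")
            or not (children[0].text or "").strip()):
        problems.append("<Issuer> is required and must be the first child element")

    # An assertion with no statements MUST contain a <Subject>.
    subject = root.find(_q("Subject"))
    statements = [c for c in children if c.tag in STATEMENT_TAGS]
    if not statements and subject is None:
        problems.append("an assertion with no statements MUST contain <Subject>")

    # <Conditions>, when present, MUST be evaluated before the assertion is used.
    conditions = root.find(_q("Conditions"))
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < _parse_instant(not_before):
            problems.append("assertion not yet valid (NotBefore)")
        if not_on_or_after and now >= _parse_instant(not_on_or_after):
            problems.append("assertion expired (NotOnOrAfter)")
    return problems


def summarize(xml_text):
    """Describe which optional parts of the assertion are present."""
    root = ET.fromstring(xml_text)
    return {
        "issuer": (root.findtext(_q("Issuer")) or "").strip(),
        "signed": root.find(_q("Signature", DSIG_NS)) is not None,
        "has_subject": root.find(_q("Subject")) is not None,
        "statements": [c.tag.split("}")[1] for c in root if c.tag in STATEMENT_TAGS],
    }


# Constructed sample: one unsigned authentication assertion (all values made up).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_example-assertion-1" IssueInstant="2007-11-10T21:21:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2007-11-10T21:21:00Z" NotOnOrAfter="2007-11-10T21:31:00Z"/>
  <saml:AuthnStatement AuthnInstant="2007-11-10T21:20:55Z">
    <saml:AuthnContext><saml:AuthnContextClassRef
      >urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Constructed sample that breaks the rule: no statements and no <Subject>.
EMPTY_NO_SUBJECT = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_example-assertion-2" IssueInstant="2007-11-10T21:21:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
</saml:Assertion>"""

if __name__ == "__main__":
    print(summarize(SAMPLE_ASSERTION))
    print(validate_assertion(SAMPLE_ASSERTION, "2007-11-10T21:25:00Z"))
    print(validate_assertion(SAMPLE_ASSERTION, "2007-11-10T22:00:00Z"))
    print(validate_assertion(EMPTY_NO_SUBJECT, "2007-11-10T21:25:00Z"))
```

A relying party would run these checks only after the signature has been verified against the expected issuer's key; structural validity says nothing about who produced the document. The time window is evaluated against a caller-supplied instant so that the same function can be exercised with a clock inside and outside the window.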

SAML 2.0 Core Spec [PDF], OASIS Security Services (SAML) TC

Tags: Security
11/10/2007 9:21 PM Eastern Standard Time