SAML assertions have no dependencies on and can be used independently of the SAML Protocol. SAML 2.0 defines three types of assertion statements:
- Authentication:- The assertion subject was authenticated by a particular means at a particular time.
- Authorization Decision:- A request to allow the assertion subject to access the specified resource has been granted or denied.
- Attribute:- The assertion subject is associated with the supplied attributes.
Issuer (Required):- The SAML authority that is making the claim(s) in the assertion.
Signature (Optional):- An XML Signature that protects the integrity of and authenticates the issuer of the assertion.
Subject (Optional):- The subject of the statement(s) in the assertion.
Conditions (Optional):- Conditions that MUST be evaluated when assessing the validity of and/or when using the assertion.
Advice (Optional):- Additional information related to the assertion that assists processing in certain situations but which MAY be ignored by applications that do not understand the advice or do not wish to make use of it.
Zero or more of the following statement elements:
- AuthnStatement:- An authentication statement.
- AuthzDecisionStatement:- An authorization decision statement.
- AttributeStatement:- An attribute statement.
An assertion with no statements MUST contain a Subject element. Such an assertion identifies a principal in a manner which can be referenced or confirmed using SAML methods, but asserts no further information associated with that principal.
Otherwise Subject, if present, identifies the subject of all of the statements in the assertion. If Subject is omitted, then the statements in the assertion apply to a subject or subjects identified in an application- or profile-specific manner. SAML itself defines no such statements, and an assertion without a subject has no defined meaning in this specification.
Version (Required):- Version of the assertion. "2.0" for SAML 2.0.
ID (Required):- The identifier for this assertion.
IssueInstant (Required):- The time instant in UTC.
Did you find this interesting? Don't miss any new posts. Sign up to automatically receive them now!
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.