Overview#

Digital Assertions as in SAML#

An assertion is a package of information that supplies one or more statements made by a SAML authority. SAML defines three different kinds of assertion statement that can be created by a SAML authority.

SAML assertions are compounds of one or more of three kinds of "statement" about Digital Subject (human or program):

SAML can be extended to incorporate many kinds of assertions and statements

Assertions can, and probably should, be digitally signed

Common information#

All SAML assertions share some common information:
  • Assertion ID - Who is making the Claim
  • Issuer ID and issuance timestamp
  • Subject - The Digital Subject that the claims are about
    • Name plus the security domain
    • Optional subject confirmation, e.g. public key
  • "Conditions" under which assertion is valid
    • SAML clients must reject assertions containing unsupported conditions
    • Special kind of condition: assertion validity period
  • Additional "advice" - E.g., to explain how the assertion was made

SAML assertion Structure Image #

The outer structure of an assertion is generic, providing information that is common to all of the statements within it. Within an assertion, a series of inner elements describe the SAML Authentication Statement, SAML Attribute Statement, SAML Authorization Decision Statement, or user-defined statements containing the specifics.

The diagram below illustrates the high-level structure of a typical SAML authentication assertion.

Sample common information assertion#

<saml:Assertion
    MajorVersion="1" MinorVersion="0"
    AssertionID="192.168.1.12.3456"
    Issuer="services.willeke.biz"
    IssueInstant="2009-12-03T10:02:00Z">
    <saml:Conditions
        NotBefore="2009-12-03T10:00:00Z"
        NotOnOrAfter="2009-12-03T10:05:00Z">
        <saml:AudienceRestrictionCondition>
            <saml:Audience>…URI…</saml:Audience>
        </saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:Advice>
        .. a variety of elements can go here..
    </saml:Advice>
    ...statements go here...
    </saml:Assertion>
The saml: namespace corresponds to an XML Schema that just focuses on assertions.So far, we have decided that unique identifiers like AssertionID are essentially opaque to SAML; it’s up to you to ensure that they’re unique in the domain you care about.

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-8) was last changed on 03-Aug-2016 12:35 by jim