- An issuing authority asserts that subject "S" is associated with attributes "A", "B", ... with values "a", "b", "c"...
- Useful for distributed transactions and authorization services
- Typically these attributes would be obtained from an LDAP repository
- Example: "john.doe" in "example.com" is associated with attribute "Department" with value "Human Resources"
Attributes of a user (such as their role and spending limit) might be passed in a distributed transaction or as part of the "outsourcing" of an authorization decision.
These assertions will be cryptographically bound to the transaction in a way that is defined as part of the SAML specification. Attributes are the universal solvent of security information. Authentication and authorization information could be passed as attributes, but SAML chose to optimize for those common cases.
A particular SAML deployment could certainly choose to use attribute statements only.
Example of a SAML 1.x assertion carrying an authentication statement (the statement type is shown by the AuthenticationStatement element; the confirmation-method URI is abbreviated in the original):

    <saml:Assertion ...>
      <saml:AuthenticationStatement AuthenticationMethod="password"
                                    AuthenticationInstant="2009-12-03T10:02:00Z">
        <saml:Subject>
          <saml:NameIdentifier SecurityDomain="services.willeke.biz" Name="jimuser" />
          <saml:ConfirmationMethod>
            http://...core-25/sender-vouches
          </saml:ConfirmationMethod>
        </saml:Subject>
      </saml:AuthenticationStatement>
    </saml:Assertion>
SAML only requires attribute names to be qualified as belonging to a "namespace", which need not be an XML namespace, so that you can indicate the universe in which the attributes of interest were defined. This makes SAML neatly extensible in this area.
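To make the attribute-statement structure and the namespace-qualification rule concrete, here is an added example (not code from the original page or from any SAML toolkit) that parses a SAML 1.1 AttributeStatement and keys every attribute on its (AttributeNamespace, AttributeName) pair, so that two issuers' "Role" attributes can never be confused with each other. The assertion text, the issuer "idp.example.com", the subject "john.doe" in "example.com" and the namespace "urn:example:hr-attributes" are constructed sample values; the SAML 1.x assertion namespace URN is the real one from the OASIS specification. The parser deliberately rejects attributes that lack a name or namespace rather than guessing a default, and it is meant to run only after the assertion's signature has been verified, since unverified attributes are just untrusted input.

```python
"""Parse a SAML 1.1 AttributeStatement into a {(namespace, name): [values]} map."""
import xml.etree.ElementTree as ET

# SAML 1.x assertion namespace (the real URN from the OASIS SAML 1.1 spec).
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}

# Constructed sample assertion: issuer, subject, attribute namespace and
# assertion ID are illustration values, not from any real deployment.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1}"
    MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-example-id"
    Issuer="idp.example.com"
    IssueInstant="2009-12-03T10:02:00Z">
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="example.com">john.doe</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="Department"
                    AttributeNamespace="urn:example:hr-attributes">
      <saml:AttributeValue>Human Resources</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="Role"
                    AttributeNamespace="urn:example:hr-attributes">
      <saml:AttributeValue>manager</saml:AttributeValue>
      <saml:AttributeValue>approver</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attribute_statement(xml_text):
    """Return (subject, attrs): subject is (NameQualifier, name),
    attrs maps (AttributeNamespace, AttributeName) -> [values].

    Call this only on an assertion whose signature has already been verified;
    the parser establishes structure, not trust.
    """
    root = ET.fromstring(xml_text)
    stmt = root.find("saml:AttributeStatement", NS)
    if stmt is None:
        raise ValueError("assertion carries no AttributeStatement")

    name_id = stmt.find("saml:Subject/saml:NameIdentifier", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("AttributeStatement has no subject NameIdentifier")
    subject = (name_id.get("NameQualifier"), name_id.text.strip())

    attrs = {}
    for attr in stmt.findall("saml:Attribute", NS):
        name = attr.get("AttributeName")
        namespace = attr.get("AttributeNamespace")
        # Both are mandatory in SAML 1.1; reject rather than invent a default
        # namespace, because the namespace is what disambiguates the name.
        if not name or not namespace:
            raise ValueError("Attribute missing AttributeName or AttributeNamespace")
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault((namespace, name), []).extend(values)
    return subject, attrs


def lookup(attrs, namespace, name):
    """Return the values of one namespaced attribute, or [] if absent."""
    return attrs.get((namespace, name), [])


if __name__ == "__main__":
    subj, parsed = parse_attribute_statement(SAMPLE_ASSERTION)
    print("subject:", subj)
    for (ns, attr_name), vals in parsed.items():
        print(f"{ns} / {attr_name}: {vals}")
```

An authorization service consuming such a statement should look attributes up by the full (namespace, name) key, as `lookup` does, and treat an attribute from an unexpected namespace as absent rather than matching on the bare name.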