Overview#

  • An issuing authority asserts that subject "S" is associated with attributes "A", "B", ... having values "a", "b", ...
  • Useful for distributed transactions and authorization services
  • The attribute values are typically obtained from an LDAP repository, for example:
    • "john.doe" in "example.com"
    • is associated with attribute "Department"
    • with value "Human Resources"

Attributes of a user (such as their role and spending limit) might be passed in a distributed transaction or as part of "outsourcing" an authorization decision to another service.

These assertions are cryptographically bound to the transaction in a way defined by the SAML specification (an XML Signature over the assertion, which the relying party must verify before acting on any attribute). Attributes are the universal solvent of security information: authentication and authorization information could be passed as attributes too, but SAML chose to optimize for those common cases with dedicated statement types.

A particular SAML deployment could certainly choose to use attribute statements only.

Example#

The snippet below is a SAML 1.x AuthenticationStatement rather than an AttributeStatement; an AttributeStatement carries the same Subject but holds <saml:Attribute> elements in place of the authentication method and instant.

<saml:Assertion ...>
	<saml:AuthenticationStatement
		AuthenticationMethod="password"
		AuthenticationInstant="2009-12-03T10:02:00Z">
		<saml:Subject>
			<saml:NameIdentifier
				SecurityDomain="services.willeke.biz"
				Name="jimuser" />
			<saml:ConfirmationMethod>
				http://...core-25/sender-vouches
			</saml:ConfirmationMethod>
		</saml:Subject>
	</saml:AuthenticationStatement>
</saml:Assertion>

SAML only requires attribute names to be qualified as being in a "namespace", which need not be an XML namespace, so that you can indicate the universe in which the attributes of interest were defined (the AttributeNamespace attribute in SAML 1.x, the NameFormat attribute in SAML 2.0). This makes SAML neatly extensible in this area.
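The attribute statement described in the Overview and the namespace point in the paragraph above, as an added example that is not code from the original page: a Python builder for a SAML 2.0 Assertion carrying an AttributeStatement for the "john.doe" / "Department" / "Human Resources" case, and the matching parser a relying party would run. The issuer URL, the extra "SpendingLimit" attribute and the function names are assumptions made for illustration. The builder emits no XML Signature, so in a real deployment the issuing authority must sign the assertion and the relying party must verify that signature before anything parse_attribute_statement returns is trusted.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML2)
NS = {"saml": SAML2}

# SAML 2.0 NameFormat URIs. "unspecified" is what the specification assumes
# when a <saml:Attribute> carries no NameFormat at all.
NAMEFORMAT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
NAMEFORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"


def _q(local):
    """Clark-notation tag name in the SAML 2.0 assertion namespace."""
    return "{%s}%s" % (SAML2, local)


def build_attribute_assertion(issuer, subject, attributes, issue_instant=None):
    """Return the XML text of a SAML 2.0 <Assertion> with one <AttributeStatement>.

    subject:    (name_qualifier, name), e.g. ("example.com", "john.doe")
    attributes: {(name_format_or_None, attribute_name): [value, ...]}
    The assertion is built unsigned (illustration only); an IdP must apply
    XML-DSig before a relying party may rely on it.
    """
    issue_instant = issue_instant or datetime.now(timezone.utc)
    assertion = ET.Element(_q("Assertion"), {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(assertion, _q("Issuer")).text = issuer
    name_qualifier, name = subject
    subj = ET.SubElement(assertion, _q("Subject"))
    ET.SubElement(subj, _q("NameID"), {"NameQualifier": name_qualifier}).text = name
    stmt = ET.SubElement(assertion, _q("AttributeStatement"))
    for (name_format, attr_name), values in attributes.items():
        attrib = {"Name": attr_name}
        if name_format is not None:          # omitted NameFormat == "unspecified"
            attrib["NameFormat"] = name_format
        attr = ET.SubElement(stmt, _q("Attribute"), attrib)
        for value in values:
            ET.SubElement(attr, _q("AttributeValue")).text = value
    return ET.tostring(assertion, encoding="unicode")


def parse_attribute_statement(xml_text, expected_subject):
    """Extract {(name_format, attribute_name): [values]} from an assertion.

    The key includes the NameFormat (the "namespace") so that "Department"
    defined in one universe is never confused with "Department" from another.
    Raises ValueError when the assertion's Subject is not the principal the
    caller expects, so one user's attributes are never applied to another.
    Signature verification is assumed to have happened before this is called.
    """
    root = ET.fromstring(xml_text)
    if root.tag != _q("Assertion"):
        raise ValueError("not a SAML 2.0 Assertion")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("assertion has no Subject NameID")
    actual = (name_id.get("NameQualifier"), (name_id.text or "").strip())
    if actual != tuple(expected_subject):
        raise ValueError("subject mismatch: %r != %r" % (actual, tuple(expected_subject)))
    result = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attr_name = attr.get("Name")
        if not attr_name:
            raise ValueError("Attribute without a Name")
        name_format = attr.get("NameFormat", NAMEFORMAT_UNSPECIFIED)
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        result.setdefault((name_format, attr_name), []).extend(values)
    return result


if __name__ == "__main__":
    # Constructed sample: the Overview's "john.doe" in "example.com" case,
    # plus a hypothetical SpendingLimit attribute with no NameFormat.
    xml = build_attribute_assertion(
        "https://idp.example.com/saml",            # assumed issuer
        ("example.com", "john.doe"),
        {(NAMEFORMAT_BASIC, "Department"): ["Human Resources"],
         (None, "SpendingLimit"): ["5000"]},
    )
    print(xml)
    print(parse_attribute_statement(xml, ("example.com", "john.doe")))
```

The parser keys every attribute by (NameFormat, Name) rather than by Name alone; an authorization service that collapses the namespace is the one that ends up honouring a "Department" from a universe it never agreed to trust.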

« This page (revision-6) was last changed on 03-Aug-2016 12:28 by jim